[Nextgrid]

Was ammo in Crysis controlled client-side? I've always assumed such counters were stored server-side and thus a server won't apply a "fire" event if the player's ammo counter is at zero until it receives a "reload" event to reset the counter.

[user5994461]

Almost everything was controlled client side, including collisions and kills. There was one cheat for sale for example that ruined the game, you'd join a server and all players would be automatically killed every 10 seconds.

[Nextgrid]

I remember experiencing that actually. Just random damage every few seconds. Is there any reason why the "don't trust the client" mindset is not used in games despite it being accepted in web development?

[user5994461]

The game was released in 2007, Windows XP era. The very idea of security was being discovered.

[amyjess]

I mean, "don't trust the client" was a thing in the late '90s when people were exploiting client-controlled things in Ultima Online so much Origin had to change the way some communication worked to stop it.

The most famous example I can think of was UOExtreme revealing hidden players, because if a player was hiding their presence was still sent to the clients of every other player in the area just with a "hidden" flag set. There were a bunch of other similar exploits associated with that particular third-party tool, but that's the only one I remember.

(so while writing this I did some googling and found the patch notes where they fixed it: https://uo.com/wiki/ultima-online-wiki/technical/previous-pu...)

[numpad0]

One explanation I’ve seen about weak server-side verification is online multiplayer is a cost center so developers wants to offload much as they could. At least before microtransactions I guess.