games647 edited this page Aug 17, 2021 · 5 revisions

FAQ

Index

  1. How do Minecraft logins work?
  2. How does this plugin work?
  3. Why does the plugin require offline mode?
  4. Can cracked players join with premium usernames?
  5. Why do players have to invoke a command?
  6. What happens if a paid account joins with a used username?
  7. Does the plugin have BungeeCord support?
  8. Could premium players have a premium UUID and Skin?
  9. Is this plugin compatible with Microsoft accounts?

How do Minecraft logins work?

Online Mode

  1. Client -> Server: I want to login, here is my username
  2. Server -> Client: Okay. I'm in online mode so here is my public key for encryption and my server id
  3. Client -> Mojang: I'm player "xyz". I want to join a server with that server id
  4. Mojang -> Client: Session data checked. You can continue
  5. Client -> Server: I received a successful response from Mojang. Here is our shared secret key
  6. Server -> Mojang: Does the player "xyz" with this shared secret key have a valid account to join me?
  7. Mojang -> Server: Yes, the player has the following additional properties (UUID, Skin)
  8. Client and Server: encrypt all following communication packets
  9. Server -> Client: Everything checked, you can play now

Offline Mode

In offline mode, steps 2-7 are skipped, so step 9 directly follows step 1.

More details

https://wiki.vg/Protocol#Login
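
The value that ties steps 3 and 6 together is a SHA-1 hash over the server id, the shared secret and the server's public key, as specified in the linked protocol documentation. The following is an added example, not code from the plugin; the key and secret bytes are constructed sample values, and nothing is sent over the network.

```python
import hashlib
from urllib.parse import urlencode

# Mojang session server endpoint the server queries in step 6.
HAS_JOINED = "https://sessionserver.mojang.com/session/minecraft/hasJoined"


def minecraft_sha1_hex(*parts: bytes) -> str:
    """SHA-1 over the concatenated parts, printed the way the protocol does:
    as a signed big-endian integer in hex, '-' prefix, no zero padding."""
    sha1 = hashlib.sha1()
    for part in parts:
        sha1.update(part)
    return format(int.from_bytes(sha1.digest(), "big", signed=True), "x")


def server_hash(server_id: str, shared_secret: bytes, public_key: bytes) -> str:
    """Value given to Mojang by the client (step 3) and the server (step 6)."""
    return minecraft_sha1_hex(server_id.encode("ascii"), shared_secret, public_key)


def has_joined_url(username: str, hash_hex: str) -> str:
    """URL the server would request in step 6; this example only builds it."""
    return HAS_JOINED + "?" + urlencode({"username": username, "serverId": hash_hex})


def replay_is_rejected() -> bool:
    """A join approved for one connection does not match another connection."""
    key = bytes(range(64))                         # constructed stand-in for the DER key
    approved = server_hash("", b"\x01" * 16, key)  # hash the client registered
    other = server_hash("", b"\x02" * 16, key)     # same key, different secret
    return approved != other
```

Because the shared secret is part of the hash, a session check that Mojang approved for one connection cannot be reused to pass step 6 on a different connection.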

How does this plugin work?

By using ProtocolLib, this plugin works as a proxy between the client and the server. The plugin pretends that the server runs in online mode and does everything an online mode server would do, for example generating keys and checking for valid sessions. Because everything after the encrypted connection is established is the same as in an offline mode login, we only intercept the login packets of premium players.

  1. The player connects to the server.
  2. The plugin checks whether the username we received has activated the fast login method (i.e. by using the command).
  3. It checks whether the username is currently used by a paid account. (We don't know yet whether the connecting client is premium.)
  4. It requests a Mojang Session Server authentication.
  5. On response, it checks whether all data is correct.
  6. It encrypts the connection.
  7. On success, it intercepts all related login packets and fakes a new login packet as a normal offline login.

Why does the plugin require offline mode?

  1. As you can see in the question "How do Minecraft logins work?", offline mode is equivalent to online mode except for the encryption and session checks on login. So we can intercept and cancel the first packets for premium players and enable an encrypted connection. Then we send a new fake packet in order to pretend that this is a new login request from an offline mode player. The server will handle the rest.
  2. Some plugins check whether the server is in online mode. If so, they could process the real offline (cracked) accounts incorrectly. For example, a plugin tries to fetch the UUID from Mojang, but the name of the player is not associated with a paid account.
  3. Servers that allow cracked players and just speed up logins for premium players are already in offline mode.

Can cracked players join with premium usernames?

Yes. That is why the command for toggling the fast login method exists.

Why do players have to invoke a command?

  1. It's a secure way to make sure a person with a paid account cannot steal the account of a cracked player that has the same username. The player has to prove first that it's their own account.
  2. We only receive the username from the player on login. We could check whether that username is associated with a paid account, but if we request an online mode login from a cracked player (who uses a username from a paid account), the player will be disconnected with the reason "bad login" or "Invalid session". There is no way to change that message on the server side (without client modifications), because it's a connection between the client and the session server.
  3. If a premium player skipped registration too, a player with a cracked account could later still register the account and thereby claim and steal it from the premium player. Because commands cannot be invoked unless the player has an account or is logged in, this method also protects premium players.

What happens if a paid account joins with a used username?

The player on the server has to activate the feature of this plugin by command. If a person buys the username of their own account, it's still secured. A normal offline mode login makes sure they are the owner of both the server account and the Mojang account. Then the command can be executed. So someone else cannot steal the account of a cracked player by buying the username.
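
The takeover cases from "Why do players have to invoke a command?" and from this answer can be checked with a small model. This is an added example, not the plugin's code: the `Server` class, the password-based auth plugin, `enable_fast_login` and the player names are hypothetical stand-ins, and `has_valid_session` stands for the outcome of the Mojang session check.

```python
import hashlib
import hmac
import os


class Server:  # toy offline-mode server: password auth plus the fast login flag
    def __init__(self, paid_names):
        self.paid_names = set(paid_names)  # names owned by a paid account
        self.accounts = {}                 # name -> salt, password hash, flag

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, name, password):
        if name in self.accounts:
            raise ValueError("name already registered")
        salt = os.urandom(16)
        self.accounts[name] = {"salt": salt, "pw": self._hash(password, salt),
                               "fast_login": False}

    def connect(self, name, has_valid_session, password=None):
        """Return 'premium', 'password' or 'rejected' for one login attempt."""
        acct = self.accounts.get(name)
        if acct and acct["fast_login"] and name in self.paid_names:
            # Online-mode login is requested only for names that opted in.
            return "premium" if has_valid_session else "rejected"
        # Every other client takes the offline path and needs the password.
        if acct and password is not None and hmac.compare_digest(
                acct["pw"], self._hash(password, acct["salt"])):
            return "password"
        return "rejected"

    def enable_fast_login(self, name, login_result):
        """The opt-in command: only a logged-in player may run it."""
        if login_result not in ("premium", "password"):
            raise PermissionError("not logged in")
        self.accounts[name]["fast_login"] = True


def takeover_scenarios():
    srv = Server(paid_names={"Alex", "Steve"})  # constructed sample names
    srv.register("Alex", "cracked-pw")          # cracked player owns "Alex"
    paid_vs_cracked = srv.connect("Alex", has_valid_session=True)
    srv.register("Steve", "owner-pw")           # paid owner registers first
    srv.enable_fast_login("Steve", srv.connect("Steve", True, "owner-pw"))
    cracked_vs_paid = srv.connect("Steve", has_valid_session=False)
    owner = srv.connect("Steve", has_valid_session=True)
    return paid_vs_cracked, cracked_vs_paid, owner
```

In this model the paid owner of "Alex" is rejected because a valid Mojang session alone never unlocks a server account that has not opted in, and the cracked client using "Steve" is rejected because the name now requires the session check.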

Does the plugin have BungeeCord support?

Yes, it does. See the how-to-install section above.

Could premium players have a premium UUID and Skin?

Since 0.7, both features are implemented. You can activate them in the config.yml.

Is this plugin compatible with Microsoft accounts?

Yes. The Microsoft account system only changes how you log in to your account. The authentication protocol used when you join a server, which verifies that you are the owner of a Minecraft account, stays the same.

