Matchmaking Security

Considerations for matchmaking security vulnerabilities.


Matchmaking functionality requires that you take a set of information such as player identifiers or server IP address and broadcast that data to other potential players. Typically session data consists of:

  1. A Host IP Address, set either using EOS_SessionModification_SetHostAddress or automatically detected by EOS services. This address is mandatory when attempting to join the game.

  2. The EOS Product User ID of all players registered to the session.

  3. Any custom attributes that have been added to the session using EOS_SessionModification_AddAttribute. These could be anything set by the developer.

Matchmaking takes game data and creates a searchable index, so you should always be conscious of what data is being exposed when creating your sessions. For games with dedicated servers you are exposing the IP address of the server, and for Peer to Peer sessions you could be exposing the IP address of end users.

When you create a session you can specify a permission level for the session using EOS_SessionModification_SetPermissionLevel. Sessions have 3 levels of security:

Security Level



Any client can get the session in search results without needing to know the session id and can read session information as long as the session is not started or session allows join in progress. Any client/player that has access to the unique session identifier can view session information even if the session is not joinable.


Any client/player that has access to the unique session identifier can view session information (typically this information is shared via presence data but can be shared in other ways as well).


Only players which have been explicitly invited to the session by an existing member of the session can view session information.

Best Practices

  • Make sure your sessions are scoped to the lowest amount of exposure necessary.

  • Don't add information to session attributes that should not be exposed to everyone that is looking for the session.

  • If you are using JoinViaPresence then make sure to keep the session id hidden from players/UI. If it is exposed then it will allow access to the session data.

  • If your game doesn't support JoinInProgress, make sure your server starts the session with EOS_Sessions_StartSession to remove the session from future searches while the game is in progress.