[HR][/HR]

✨ Features

Core Security

• Password Authentication - Secure SHA-256 hashed passwords
• PIN Code System - Additional 4-digit PIN for extra security
• GUI PIN Vault - Beautiful graphical PIN entry with custom balloon number heads
• Session Management - Remember authenticated players (configurable duration)
• Login Timeout - Auto-kick players who don't login in time
• Failed Attempt Protection - Kick after too many wrong password/PIN attempts
• Session Hijacking Protection - NEW! Prevents username takeover attacks

Player Management

• Premium Player Detection - Auto-authenticate paid Minecraft accounts
• Login Method Choice - Players can choose between PIN or password login
• Alt Account Detection - Automatic IP-based alt account tracking
• Account Freezing - Temporarily lock suspicious accounts
• Force Logout - Admin can force players to re-authenticate

Customization

• Custom Branding - Personalize server name, titles, and messages
• Color Coded Messages - Professional UI with Minecraft color codes
• Configurable Settings - Every feature can be enabled/disabled
• Discord Webhooks - Rich embed notifications with colors and emojis

️ Admin Tools

• Password Reset - Reset player passwords as admin
• PIN Reset - Remove player PINs
• Account Unregister - Completely delete player accounts
• Freeze/Unfreeze - Lock and unlock accounts
• Alt Checker - View all accounts from same IP
• Config Reload - Hot-reload configuration without restart

[HR][/HR]

Installation

1. Download the latest MBTHLoginSecurity-1.0.1.jar
2. Place the JAR file in your server's plugins/ folder
3. Restart your server
4. Configure the plugin in plugins/MBTHLoginSecurity/config.yml
5. Reload with /mbthlsreload

Requirements

• Minecraft Server (Paper/Spigot) 1.20.1+
• Java 17+
• No dependencies required!

[HR][/HR]

Quick Start

For Players

First Time Join
Login
or use the GUI PIN Vault for quick login!

For Admins

Reset Player Password
Check Alt Accounts
Freeze Suspicious Account
[HR][/HR]

Commands

Player Commands

Command	Description	Usage
/register	Create new account	/register <pass> <confirm>
/login	Login to account	/login <password>
/changepassword	Change password	/changepassword <old> <new> <confirm>
/setuppin	Create PIN code	/setuppin <pin> <confirm>
/verifypin	Verify PIN	/verifypin <pin>
/changepin	Change PIN	/changepin <old> <new> <confirm>

Admin Commands

Command	Description	Permission
/resetpassword	Reset player password	mbth.admin
/resetpin	Remove player PIN	mbth.admin
/unregister	Delete player account	mbth.admin
/freezeaccount	Lock player account	mbth.admin
/unfreezeaccount	Unlock player account	mbth.admin
/forcelogout	Force player logout	mbth.admin
/checkalt	Check alt accounts	mbth.admin
/mbthlsreload	Reload config	mbth.admin

[HR][/HR]

⚙️ Configuration

Basic Setup

Discord Webhooks

See DISCORD_WEBHOOK_GUIDE.md for setup instructions.

[HR][/HR]

Customization

Custom Messages

All messages support Minecraft color codes ( &a, &c, etc.):

Custom Titles

[HR][/HR]

Discord Integration

The plugin sends beautiful rich embeds to Discord:

Login Events (Green)

• Player logged in with password
• Player logged in with PIN
• PIN verified successfully
• Premium player auto-login

Registration Events (Blue)

• New player registered
• PIN setup completed

Security Alerts (Red)

• Failed login attempts
• Player kicked for too many attempts
• Account unregistered by admin
• Session hijacking attempts blocked

No external plugins required! Uses native HTTP webhooks.

[HR][/HR]

️ Security Features

Password Protection

• SHA-256 Hashing - Passwords are never stored in plain text
• Salted Hashing - Each password has unique hash
• Attempt Limiting - Configurable max attempts before kick
• Session Validation - Prevents unauthorized access

PIN Code Security

• GUI-Based Entry - Secure graphical PIN pad
• Number Balloons - Beautiful custom head textures
• Attempt Tracking - Separate attempt counter for PIN
• Optional/Mandatory - Can be required or optional
• Easy Reset - Admins can reset forgotten PINs

Alt Account Detection

• IP Tracking - Monitors accounts from same IP
• Main/Alt Labels - Identifies primary account
• Admin Notifications - Alerts when alts join
• Detailed Reports - View all accounts per IP

Session Hijacking Protection NEW!

• Pre-Login Username Check - Blocks duplicate usernames before connection
• Real-Time Detection - Instant attack detection and blocking
• Multi-Layer Alerts - Console, in-game, admin, and Discord notifications
• Zero Impact - Original player stays connected
• Full Audit Trail - Complete logging with IP tracking

[HR][/HR]

Premium Player Detection

The plugin automatically detects premium players (those who purchased Minecraft):

• ✅ Auto-Login - Premium players skip authentication
• ✅ No Registration - No password/PIN needed
• ✅ Instant Access - Immediate gameplay
• ✅ Secure - Uses Minecraft's built-in authentication

Note: Only works on servers in online mode.

[HR][/HR]

Login Method Choice

Players with both password and PIN can choose their login method through a beautiful GUI:

[HR][/HR]

File Structure

Data Storage

Player data is stored in players.yml:

[HR][/HR]

Use Cases

Cracked Server

• Enable all security features
• Require PIN for extra protection
• Monitor alt accounts
• Use password + PIN authentication

Hybrid Server (Premium + Cracked)

• Enable premium bypass
• Auto-login for paid accounts
• Require auth for cracked players
• Give players login choice

Premium Only

• Disable most features
• Use only for session management
• Optional PIN for extra security

[HR][/HR]

Documentation

Detailed guides available on GitHub:

• CONFIG_GUIDE.md - Complete configuration reference
• DISCORD_WEBHOOK_GUIDE.md - Discord setup instructions
• PIN_SYSTEM_DOCUMENTATION.md - PIN system details
• SESSION_HIJACKING_FIX.md - Security fix documentation
• LOGIN_CHOICE_GUIDE.md - Login method choice

[HR][/HR]

Updates & Changelog

Version 1.0.1 (Critical Security Update)

• CRITICAL FIX: Session hijacking vulnerability patched
• ️ Added pre-login username blocking to prevent duplicate username exploits
• Real-time security alerts for hijacking attempts
• Enhanced logging for security events
• Discord webhook integration for security alerts
• ✅ Complete protection against username-based session takeover
• ⚠️ All users should update immediately

[HR][/HR]

⚡ Performance

• Lightweight: < 100KB JAR size
• Async Operations: Discord webhooks, data saving
• No TPS Impact: Optimized event handling
• Fast Authentication: < 10ms average
• Memory Efficient: Minimal RAM usage

[HR][/HR]

Statistics

• Commands: 15+
• Permissions: 1 (mbth.admin)
• Configuration Options: 30+
• Features: 20+
• Documentation Pages: 10+

[HR][/HR]

Support

Need Help?

• Discord: Join our server
• GitHub Issues: Report Problems
• Documentation: Full Guides

Report Bugs

Found a bug? Please report it on our GitHub Issues page with:

• Server version
• Plugin version
• Error logs (from console)
• Steps to reproduce

[HR][/HR]

Features Roadmap

Planned Features

• [ ] 2FA via email/Discord
• [ ] Captcha system
• [ ] Hardware ID binding
• [ ] Account recovery system
• [ ] Multi-language support
• [ ] MySQL/MongoDB support
• [ ] Login history viewer
• [ ] Security statistics dashboard

[HR][/HR]

Credits

Developed by: MBTH Studios
Lead Developer: Adhi1908
GitHub: @Adhi1908

Special Thanks

• Minecraft community for feedback
• Contributors and testers
• Discord for webhook API
• Paper/Spigot teams
• All supporters and users

[HR][/HR]