Authentication
Login & Register
Players must authenticate before they can interact with the server. The flow depends on whether they have an account:
New players
New players see a title, action bar, and boss bar countdown prompting them to register:
/register <password> <confirm>
The password is validated against configurable rules:
- Length — Between min-password-length and max-password-length
- Strength — If require-strong-password: true, must contain uppercase + lowercase + number
- Match — Both fields must be identical
Passwords are hashed with SHA-256 + per-account random salt (16 bytes). Verification uses constant-time comparison to prevent timing attacks.
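The registration rules and the salted-hash verification described above, as an added Python sketch (not XLogin's own code). The function names, the numeric limits in CONFIG, and the salt-then-password concatenation order are assumptions; the page states only SHA-256, a 16-byte per-account salt, and constant-time comparison.

```python
import hashlib
import hmac
import secrets

# Constructed config: key names come from the page, the numeric limits are assumptions.
CONFIG = {
    "min-password-length": 6,
    "max-password-length": 32,
    "require-strong-password": True,
}

SALT_BYTES = 16  # per-account random salt size stated on the page


def validate_registration(password, confirm, cfg=CONFIG):
    """Return the list of violated rules; an empty list means the password is accepted."""
    errors = []
    if not cfg["min-password-length"] <= len(password) <= cfg["max-password-length"]:
        errors.append("length")
    if cfg["require-strong-password"] and not (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
    ):
        errors.append("strength")
    if password != confirm:
        errors.append("match")
    return errors


def hash_password(password, salt=None):
    """Return (salt, digest). Assumption: digest = SHA-256(salt || UTF-8 password)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt for each account
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    # hmac.compare_digest does not stop at the first differing byte, so the
    # response time does not reveal how much of the digest matched.
    return hmac.compare_digest(candidate, stored_digest)
```

A single salted SHA-256 round is fast to compute, so the salt prevents precomputed-table lookups but does not slow down guessing against a leaked table; a deliberately slow KDF (PBKDF2, bcrypt, Argon2) in place of the hash step addresses that.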
Returning players
/login <password>
After successful login, the player is shown their last login date and IP (if show-last-login: true).
Failed attempts
After max-login-attempts failed attempts, the player is kicked. If IP rate limiting is enabled, the IP may be temporarily banned after too many failures across all accounts.
Sessions
Sessions allow players to reconnect without re-entering their password within a configurable timeout.
- A session is created after each successful authentication (login, register, premium, bedrock)
- Sessions are stored in the xlogin_sessions database table (UUID + IP + timestamp)
- On join, XLogin checks for a valid session matching the player's UUID and IP
- Expired sessions are purged automatically every 10 minutes
# Session timeout in minutes (0 = disabled)
session-timeout: 30
Sessions are cross-server. When a session is created, a LOGIN sync message is broadcast so all servers in the network recognize it instantly.
Player Restrictions
While unauthenticated, players are completely locked down:
| Action | Behavior |
|---|---|
| Movement | Position locked (head rotation allowed) |
| Chat | Blocked |
| Commands | Only /login, /register, /2fa, /recover, /email + configured allowed commands |
| Blocks | Break/place blocked |
| Inventory | Open, click, drop, pickup, swap — all blocked |
| Combat | Damage given/received blocked |
| Vehicles/Portals | Blocked |
| Teleportation | Non-plugin teleports blocked |
| Visibility | Hidden from other players + blindness effect |
Join messages are withheld until authentication. Quit messages are hidden if the player never logged in.