civil-and-structural-engineering
Building a Real-time Multiplayer Game with Javascript and Websockets
Table of Contents
Introduction: The Challenge of Real-Time Multiplayer
Building a real-time multiplayer game is one of the most demanding tasks in web development. Unlike turn-based or asynchronous experiences, real-time games require sub-100 millisecond response times, consistent state across all clients, and robust handling of network instability. JavaScript, combined with the WebSocket protocol, has become a foundational stack for achieving this—offering persistent, low-latency, full-duplex communication between browsers and servers. This article expands on the core concepts of WebSockets, server architecture, game loop design, state synchronization, latency mitigation, and security, providing a production-minded blueprint for your next multiplayer game.
Understanding WebSockets in Depth
WebSockets operate on top of TCP, providing a single long-lived connection that allows the server to push data to clients as soon as events occur. After the initial HTTP upgrade handshake (status 101), the connection switches from HTTP to the WebSocket protocol, eliminating HTTP request/response overhead. This makes WebSockets ideal for sending frequent, small updates—exactly what a multiplayer game needs.
Key advantages over traditional HTTP-based approaches (e.g., polling or Server-Sent Events):
- Lower latency – no repeated handshakes or headers for each message.
- Full-duplex – both client and server can send messages at any time.
- Efficient binary and text messaging – using raw byte arrays or JSON.
- Reduced bandwidth – minimal framing overhead after the initial handshake.
For an authoritative reference, see the WebSocket Protocol RFC 6455.
Setting Up a Production-Ready WebSocket Server
While the original article shows a minimal Node.js server using the ws library, a real game requires structured handling of multiple rooms, player authentication, and lifecycle management. Below is an expanded server skeleton that supports player rooms and validates actions.
const WebSocket = require('ws');
const crypto = require('crypto');
class GameRoom {
constructor(name) {
this.name = name;
this.clients = new Map(); // id -> WebSocket
this.state = { players: [] };
}
broadcast(message, excludeSocket) {
this.clients.forEach((ws, id) => {
if (ws !== excludeSocket && ws.readyState === WebSocket.OPEN) {
ws.send(JSON.stringify(message));
}
});
}
addPlayer(ws) {
const id = crypto.randomUUID();
this.clients.set(id, ws);
ws.playerId = id;
// Send current state to the new player
ws.send(JSON.stringify({ type: 'init', id, state: this.state }));
return id;
}
removePlayer(ws) {
this.clients.delete(ws.playerId);
}
}
const wss = new WebSocket.Server({ port: 8080 });
const rooms = {};
wss.on('connection', (ws) => {
ws.on('message', (raw) => {
let msg;
try {
msg = JSON.parse(raw);
} catch {
return;
}
switch (msg.type) {
case 'join':
let roomName = msg.room || 'default';
if (!rooms[roomName]) rooms[roomName] = new GameRoom(roomName);
const room = rooms[roomName];
const playerId = room.addPlayer(ws);
ws.currentRoom = room;
room.broadcast({ type: 'player_joined', id: playerId });
break;
case 'state_update':
if (ws.currentRoom) {
// Validate and update authoritative state
// ...
ws.currentRoom.state = updatedState;
ws.currentRoom.broadcast({ type: 'state_sync', state: updatedState }, ws);
}
break;
default:
// Unknown message type
break;
}
});
ws.on('close', () => {
if (ws.currentRoom) {
ws.currentRoom.removePlayer(ws);
ws.currentRoom.broadcast({ type: 'player_left', id: ws.playerId });
}
});
});This pattern separates concerns per room and prevents one bad player from corrupting global state. For scalability, consider using Redis as a pub/sub channel between multiple Node process instances. The ws library documentation provides additional details on handling backpressure and binary frames.
Client-Side Integration: Beyond a Simple Connection
A robust client must handle reconnection, message buffering during network drops, and graceful degradation. The WebSocket API close event does not trigger automatically when a connection drops without sending a close frame; developers must implement a heartbeat (ping/pong) mechanism to detect stale connections.
class GameClient {
constructor(url, room) {
this.url = url;
this.room = room;
this.socket = null;
this.reconnectInterval = 2000;
this.maxAttempts = 5;
this.attempts = 0;
this.buffer = [];
this.connect();
}
connect() {
this.socket = new WebSocket(this.url);
this.socket.addEventListener('open', () => {
this.attempts = 0;
this.socket.send(JSON.stringify({ type: 'join', room: this.room }));
// Flush buffer
this.buffer.forEach(msg => this.socket.send(JSON.stringify(msg)));
this.buffer = [];
// Start heartbeat
this.pingInterval = setInterval(() => {
if (this.socket.readyState === WebSocket.OPEN) {
this.socket.send(JSON.stringify({ type: 'ping' }));
}
}, 15000);
});
this.socket.addEventListener('close', () => {
clearInterval(this.pingInterval);
console.log('Connection closed, reconnecting...');
this.attempts++;
if (this.attempts < this.maxAttempts) {
setTimeout(() => this.connect(), this.reconnectInterval);
}
});
// ... message handler
}
send(action) {
if (this.socket.readyState === WebSocket.OPEN) {
this.socket.send(JSON.stringify(action));
} else {
this.buffer.push(action);
}
}
}Use JavaScript's WebSocket object for all modern browsers. For older browsers, a fallback can use long polling with libraries like SockJS, but that introduces additional latency.
Game Loop and State Management Architecture
A real-time multiplayer game typically runs two loops: the server's authoritative game loop (often fixed timestep, e.g., 20 ticks per second) and the client's render loop (60+ FPS). The server owns the definitive game state: player positions, velocities, health points, etc. Clients send inputs (e.g., "move left", "fire") to the server, which processes them in its update cycle and broadcasts the new state to all players.
Server-side pseudocode for a simple physics-based game:
const TICK_RATE = 20; // 50ms interval
const GAME_WIDTH = 800;
const GAME_HEIGHT = 600;
setInterval(() => {
for (const room of Object.values(rooms)) {
for (const player of room.state.players) {
// Apply pending inputs
for (const input of player.inputQueue) {
switch (input.direction) {
case 'up': player.y -= player.speed; break;
case 'down': player.y += player.speed; break;
case 'left': player.x -= player.speed; break;
case 'right': player.x += player.speed; break;
}
// Bound check
player.x = Math.max(0, Math.min(GAME_WIDTH, player.x));
player.y = Math.max(0, Math.min(GAME_HEIGHT, player.y));
}
player.inputQueue = [];
}
room.broadcast({ type: 'state', state: room.state });
}
}, 1000 / TICK_RATE);Clients should interpolate positions between server snapshots to produce smooth movement, and implement client-side prediction to avoid feeling sluggish. These techniques are covered next.
Synchronization Techniques: Making the Game Feel Responsive
Client-Side Prediction
When a player presses a key, instead of waiting for the server's response, the client immediately updates its own copy of the game state (e.g., move the local player one unit right). When the server later sends the authoritative state, the client reconciles by comparing the predicted state with the server's state and adjusting. This reduces perceived lag.
Server Reconciliation
After the server processes inputs, it returns the new authoritative state including a timestamp or sequence number. The client then checks if its predicted position differs significantly. If so, it either snaps to the server position (causing a jump) or smoothly corrects over a few frames. For movement-heavy games, use a technique called "state interpolation" where the client holds the two most recent server snapshots and interpolates between them based on time.
Interpolation and Extrapolation
For other players, you cannot use client-side prediction because you don't know their inputs. Instead, the client keeps a buffer of the last few server states (typically 100–200ms of data) and renders positions at the correct time point. This introduces a fixed delay but produces smooth visuals. When the buffer runs empty (e.g., due to packet loss), the client can extrapolate by continuing the last known velocity until a new snapshot arrives.
Lag Compensation for Shooting Games
For action games where hit detection matters, the server must rewound the game state to the moment of the shot (based on client timestamp) to determine if a bullet hit. This prevents players with high ping from being disadvantaged. The server stores a history of past positions (position buffers) for a short window (e.g., 500ms) and uses the client's input timestamp to choose the appropriate state.
A detailed explanation of these techniques is available in Glenn Fiedler's excellent article on client-server game architecture.
Latency Mitigation and Time Synchronization
To implement lag compensation or to measure round-trip time, you need synchronized clocks between client and server. A simple approach: the server records its current time when sending a ping frame. The client notes the time when it receives that ping and sends back that timestamp. The server subtracts half the round-trip time from its own clock to estimate the client's time. More complex schemes use NTP-like algorithms.
Additionally, use delta compression: instead of sending full state each tick, send only the changes (incremental updates). This reduces bandwidth and processing time.
Security: Preventing Cheating in WebSocket Games
Real-time multiplayer games are vulnerable to speed hacks, memory manipulation, and packet tampering. The first line of defense: the server must be authoritative. Never trust client-side logic for actions like movement speed, collision detection, or scoring. Validate every input on the server:
- Check that the player cannot move faster than the maximum speed.
- Ensure that actions are within the allowed game rules (e.g., a weapon can only fire every 500ms).
- Verify that the player is not inside a wall or out of bounds.
- Rate-limit the number of messages per second per connection to avoid denial-of-service.
For more advanced protection, use message authentication codes (HMAC) to verify that packets haven't been tampered with and come from a known client. However, given that the client's code runs in the browser, client-side obfuscation is limited; the focus should be on server-side validation.
Scaling: Handling Many Concurrent Players
As your game grows, a single Node process will become a bottleneck. Scale horizontally by running multiple server instances behind a load balancer. However, WebSocket connections are sticky by nature: once a handshake is made, subsequent traffic from that client must reach the same process. Use socket.io's sticky sessions or configure your load balancer (e.g., Nginx, HAProxy) to route by source IP or a cookie.
For inter-process communication between game servers (e.g., when players in different rooms need to interact), use a publish-subscribe system like Redis or a message queue (e.g., RabbitMQ). When one server updates global data, it publishes the change, and all interested servers receive the update. This is how large-scale WebSocket backends like those used by Discord or Slack manage state.
If you want to avoid managing infrastructure, consider using cloud services like AWS API Gateway WebSocket API, but be aware of latency introduced by routing through a managed proxy.
Fallback and Libraries: When to Use Socket.IO
Raw WebSockets are lightweight and ideal for custom game protocols, but they lack built-in reconnection, rooms, and fallback to long polling for environments that block WebSockets (e.g., enterprise proxies). Socket.IO is a popular library that wraps WebSockets with these features and adds an event-based messaging system. It also automatically degrades to HTTP long polling when WebSockets are unavailable. For quick prototyping or teams that don't need maximum performance, Socket.IO can accelerate development. However, for a game with tight latency requirements and binary data, raw WebSockets (or a thin abstraction) often give better control.
Conclusion
Building a real-time multiplayer game with JavaScript and WebSockets is an intricate but achievable task. The foundation is a robust WebSocket server that manages rooms and authoritative state, complemented by a client that handles reconnection and predictive rendering. Essential techniques like interpolation, lag compensation, and server-side validation turn a laggy prototype into a responsive, fair game. By understanding these concepts and using the right tools, you can create multiplayer experiences that perform reliably at scale—whether you're building a competitive shooter or a cooperative adventure.
Start small, test with a few players, and iterate on synchronization and performance. Real-time networking is a vast field; continue learning from resources like Gaffer on Games and the MDN WebSockets API documentation.