Jump to content

Recommended Posts

Posted (edited)

🚀 L2JOne Website System — Features & Security Overview

📌 Overview

The L2JOne Website System is a complete platform designed for Lineage 2 servers, providing account management, donation processing, game integration, automation tools, and advanced security protections.

 

Built with a focus on:

  • Security
  • Performance
  • Automation
  • Scalability
  • Easy Administration

🎮 Player Features

✔ Account Registration

  • Direct account creation from the website
  • Game database integration
  • Data validation
  • Optional email verification
  • Google reCAPTCHA protection

✔ Secure Login System

  • Protected user sessions
  • Automatic Session ID regeneration
  • Session Fixation protection
  • Secure logout

✔ Player Control Panel

  • Ticket balance management
  • Purchase history
  • Transfer history
  • Character selection
  • Automatic item delivery

✔ Account Recovery

  • Email-based recovery
  • Temporary recovery tokens
  • Automatic token expiration

💰 Donation System

Supported Payment Gateways

Mercado Pago

  • PIX
  • Credit Card
  • Debit Card

Stripe

  • International credit cards

PayPal

  • Worldwide payments

Binance Pay

  • Cryptocurrency payments

⚡ Automated Credit Delivery

Once a payment is confirmed:

  1. Gateway validates the transaction.
  2. Webhook signature is verified.
  3. Order is marked as completed.
  4. Credits are added to the player's balance.
  5. Player transfers credits to a character.
  6. Items are automatically delivered in-game.

No manual intervention required.


🎁 Coupon System

  • Percentage discounts
  • Fixed value discounts
  • Usage limits
  • Expiration dates
  • Minimum purchase requirements

🎟 Ticket System

  • Internal virtual currency
  • Item conversion system
  • Administrative adjustments
  • Full transaction history
  • Balance management

📊 Administrative Dashboard

Real-Time Statistics

  • Total revenue
  • Daily revenue
  • New registrations
  • Total purchases
  • Pending payments
  • Approved payments

Reports

  • Sales reports
  • Financial reports
  • Player activity reports
  • Transfer history

Interactive Charts

  • Revenue growth
  • Daily earnings
  • Monthly earnings
  • Visitors by country
  • Payment distribution

🌍 Analytics System

  • Visitor countries
  • Browser statistics
  • Operating systems
  • Device tracking
  • Access history

📰 News Management System

  • Unlimited news posts
  • Featured images
  • HTML editor support
  • Homepage highlights

🎥 Video & Streaming System

Supports:

  • YouTube
  • Twitch
  • Kick
  • Custom stream embeds

⏳ Countdown System

  • Launch countdown timer
  • Configurable date and time
  • Timezone support
  • Homepage integration

📥 Download Center

Fully configurable:

  • Game Client
  • Official Patch
  • Mirror Downloads
  • Torrent Downloads
  • External Download Links

📱 Social Media Integration

  • Discord
  • Facebook
  • Instagram
  • Telegram
  • YouTube

🔒 Security Layer

CSRF Protection

All forms include:

  • Unique security tokens
  • Mandatory validation
  • Automatic expiration

Protects against:

  • Cross-Site Request Forgery (CSRF)

Google reCAPTCHA Protection

Integrated Google reCAPTCHA v3

Protects against:

  • Bots
  • Automated registrations
  • Brute-force attacks

Session Security

  • Session ID regeneration
  • HttpOnly cookies
  • SameSite cookie protection
  • Secure cookie support

Protects against:

  • Session hijacking
  • Session fixation attacks

Upload Protection

Sensitive file types are blocked:

  • .sql
  • .sqlite
  • .log
  • .pem
  • .key

Directory Protection

Direct access denied to:

  • config/
  • private/
  • storage/
  • cli/
  • database/

Unauthorized access is blocked.


Anti-Replay Protection

Financial callbacks include:

  • Signed timestamps
  • Expiration windows
  • One-time validation

Protects against:

  • Payment replay attacks
  • Duplicate transaction processing

Webhook Security

  • HMAC signature validation
  • Shared secret verification
  • Mandatory request authentication

Protects against:

  • Fake payment notifications
  • Fraudulent credit generation

Duplicate Payment Prevention

Built-in:

  • Idempotency control
  • Transaction reference validation
  • Payment status verification

Prevents:

  • Double credits
  • Repeated processing

SQL Injection Protection

Secure database layer using:

  • PDO
  • Prepared Statements
  • Parameter Binding

No unsafe SQL concatenation.


XSS Protection

Output sanitization through:

  • HTML escaping
  • Input filtering

Protects against:

  • Cross-Site Scripting (XSS)
  • Session theft

Licensing Protection

Centralized licensing system with:

  • Unique license key
  • Unique secret key
  • Remote validation
  • Domain verification
  • Heartbeat monitoring

Anti-Cloning Protection

Licenses are linked to:

  • Authorized domain
  • Unique credentials
  • Central validation server

Unauthorized domain usage can be automatically blocked.


⚙ Administrative Tools

User Management

  • Create accounts
  • Edit accounts
  • Suspend users
  • Adjust balances

Financial Management

  • Approve transactions
  • Cancel orders
  • Financial reports

Content Management

  • News management
  • Download management
  • Video management
  • Social media management

Global Settings

  • Rates configuration
  • Countdown management
  • Payment gateway settings
  • License management

🚀 Technology Stack

  • PHP 8+
  • MySQL 9+ / MariaDB 11+
  • Bootstrap 5.3.8
  • AdminLTE 4..0.2
  • Mercado Pago SDK
  • Stripe SDK
  • PayPal API
  • Binance Pay API
  • Google reCAPTCHA v3
  • PDO Secure Database Layer

🛡 Final Result

The L2JOne Website System delivers a professional-grade solution for Lineage 2 servers, combining:

✅ Modern Administrative Dashboard
✅ Advanced Donation System
✅ Automatic In-Game Delivery
✅ Real-Time Statistics
✅ Centralized Licensing Platform
✅ Financial Fraud Protection
✅ SQL Injection Protection
✅ XSS Protection
✅ CSRF Protection
✅ Anti-Replay Security
✅ Anti-Cloning Protection

A complete, secure, and scalable platform built for professional Lineage 2 server operations

DEMO SITE: 
"My Site" - Lineage II

I am currently studying programming in
 Trybe | Cursos de Inteligência Artificial e Tecnologia

Price: 150 USDT

Payment methods: Crypto using the Tron network or PayPal (you pay an administrative fee).
You can choose to pay a monthly fee to get new features or stick with your current version with security updates! The maintenance fee is only 30 USDT per month.


Customers currently using my website: http://www.l2shadowwars.com/


                                                                                                       Panel Admin:   
EfTxxEA.png 

7MLKNk6.png 

LWL92XX.png 

 

Database WebSIte


RjHTF39.png 

 

PANEL PLAYER

NdJ9d4z.png 

 

StartPack

XXYlD9m.png 

 

Edited by Williams
Posted

SXle0QZ.png 
 

Updates

- Added synchronized language system with Google Translate.
- Added graphical dashboard to track website visits.
- Added graphical donation dashboard.
- Added DDoS attack redirection.
- Added WhatsApp confirmation via Facebook Meta API.
- Fixed: Emails to Hotmail are no longer sent to spam but to the main inbox.

Posted

GAAwH5b.png 
Update:

  • - Added Google OAuth API.
  • - Added WhatsApp API (via Meta).
  • - Added multiple templates (34 layouts in total).
  • - Added CSS protections.
  • - Added new email/WhatsApp confirmation page.
  • - Added bcrypt encryption for aCis 409.
  • - Added support for L2jMobius / Lucera2.
  • - Added charts for registrations/visits by country.
  • - Added limits on confirmation resends.

Fixes:

  1. - Fixed Russian language system.
  2. - Fixed Stripe checkouts.

 

  • 2 weeks later...
Posted

Update:

Advanced Rate Limiting

Rate limiting is now applied to:

  • Login attempts

  • Account registration

  • Password recovery

  • Email confirmation resends

  • WhatsApp verification

  • Checkout access

The system maintains independent counters by IP address and user identity, helping prevent traditional brute-force attacks as well as distributed credential-stuffing attempts using multiple proxies.

Brute-Force and Credential-Stuffing Protection

Protection is not limited to the visitor's IP address.

The system also tracks attempts associated with the account, username, or email address, reducing the effectiveness of attacks performed through rotating IP addresses, proxies, or VPN services.

Global HTTP Security Headers

Security headers are applied across the entire website:

  • X-Frame-Options

  • X-Content-Type-Options

  • Referrer-Policy

  • HTTP Strict Transport Security

These headers help protect the website against clickjacking, MIME-type confusion, insecure referrer exposure, and HTTP downgrade attempts.

Secure Error Handling

Internal exceptions are recorded in protected security logs while visitors receive sanitized error messages.

This prevents the accidental exposure of:

  • Internal file paths

  • Database information

  • SQL errors

  • Server configuration

  • Application stack traces

Private Storage Exposure Monitoring

The system automatically checks whether the private storage directory is publicly accessible in production.

If exposure is detected, a security warning is recorded for the administrator without interrupting the website.

This directory may contain licensing information, rate-limit records, and security logs and must never be publicly accessible.

OAuth Request Protection

Google and Facebook authentication flows use cryptographically random state values stored in the user's session.

Returned state values are validated using constant-time comparison, helping prevent OAuth request forgery and unauthorized account-linking attacks.

Telegram Authentication Validation

Telegram login information is protected through:

  • HMAC signature validation

  • Constant-time hash comparison

  • Authentication timestamp verification

  • Expired-login rejection

Secure Verification Tokens

Email, password recovery, and WhatsApp verification systems include:

  • Cryptographically secure random tokens

  • Hashed WhatsApp verification codes

  • Automatic expiration

  • Limited verification attempts

  • Resend cooldowns

  • One-time token invalidation

Account Activation Protection

When email or WhatsApp verification is required, the game account remains restricted until all required verification steps are completed.

Unverified users cannot bypass the confirmation process through standard or social login.

Secure Upload Processing

Administrative image uploads include:

  • Real MIME-type inspection

  • Image-content validation

  • File-size limits

  • Extension allowlists

  • Server-generated random filenames

  • Rejection of invalid or disguised files

Original user-provided filenames are never used as the final stored filename.

Path Traversal Protection

Theme and template identifiers are restricted to validated slugs and must exist in the internal list of allowed themes.

This prevents directory traversal and unauthorized local-file access through manipulated template names.

Atomic Ticket Transfer Protection

Ticket transfers use transactional and durable delivery processing.

The balance is conditionally debited, the delivery is recorded before communication with the game database, and failed deliveries remain pending for safe reprocessing.

This helps prevent:

  • Free-item delivery

  • Inconsistent balances

  • Duplicate delivery

  • Partial transaction failures

  • Lost transfer records

Concurrent Balance Protection

Administrative balance adjustments use database transactions and row-level locking.

This prevents simultaneous balance operations from overwriting each other or creating inconsistent account balances.

Secure Redirect Handling

Redirect values are sanitized against header injection, and external redirects are restricted to HTTPS destinations.

Password Security Improvements

The website uses modern password hashing for player-panel accounts and bcrypt with a configurable cost for supported game-server account systems.

Compatibility is included for game-server implementations requiring the $2a$ bcrypt prefix.

Duplicate Payment Prevention

Built-in protections include:

  • Idempotency control

  • Transaction reference validation

  • Payment status verification

  • Unique external payment references

  • Database transactions and rollback

  • Durable payment history

  • Completed-order verification

These protections prevent:

  • Double credits

  • Repeated processing

  • Duplicate payment callbacks

  • Incomplete financial operations

Signed Payment Callback Protection

Payment callbacks are protected through:

  • HMAC-SHA256 authentication

  • Constant-time signature comparison

  • Signed callback timestamps

  • Callback freshness validation

  • Shared callback secrets

This helps prevent forged payment notifications, callback manipulation, and replay attacks.

SQL Injection Protection

The database layer uses:

  • PDO

  • Prepared statements

  • Parameter binding

  • Controlled internal allowlists for dynamic identifiers

User-controlled values are not directly concatenated into SQL queries.

XSS Protection

Output and form data are protected through:

  • HTML escaping

  • Attribute escaping

  • Input filtering

  • HttpOnly session cookies

  • MIME-sniffing protection

  • Frame embedding restrictions

These measures reduce the risk of Cross-Site Scripting, malicious HTML injection, session theft, and clickjacking.

CSRF Protection

Sensitive forms and administrative operations use session-based CSRF tokens.

Requests without a valid token are rejected, helping prevent unauthorized actions performed through malicious external websites.

Secure Session Protection

The session system includes:

  • HttpOnly cookies

  • Secure cookie support

  • SameSite restrictions

  • Session ID regeneration

  • Authentication state validation

  • Session timeout controls

These protections reduce the risks of session fixation, session theft, and unauthorized account reuse.

reCAPTCHA Protection

Google reCAPTCHA may be enabled on sensitive public forms to reduce:

  • Automated account registrations

  • Spam submissions

  • Bot login attempts

  • Automated password recovery abuse

Confirmation Resend Limits

Email and WhatsApp confirmation resends are protected through:

  • Cooldown periods

  • Rate limiting

  • Expiring verification codes

  • Attempt counters

This prevents verification-message flooding and excessive external API usage.

Licensing and Anti-Cloning Protection

The website includes centralized licensing controls with:

  • License-key validation

  • Domain binding

  • Signed license responses

  • Cached license validation

  • Temporary offline grace period

  • Circuit-breaker protection

  • Unauthorized-domain rejection

These measures help prevent unauthorized installation, cloning, and redistribution of the system.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Posts

    • I have a highly customized Hi5 pack based on L2JMobius with a lot of features for performance and modern game design. Disclaimer: I do not run any public server, but I run a "private" server for a group of 10 friends and about 2000 AI bots that required me to do heavy modifications on core systems of the game.  So my opinion will obivously be biased towards L2JMobius.   What I can tell you though without bias is: Most of the features you are asking for are nowadays considered de-facto, don't pay money for them. TvT, offline mode, community boards, premiums, vote rewards are in most packs including the open source ones. So before you pay a thousand plus euro for a pack ask yourself what you are paying that money for, that open source packs don't have.   Also a lot of the "strong points" some old packs were made for are nowadays obsolete. L2JFree derived packs for example used to have a lot of GC optimizations (Trove library) which are not not maintained, but most importantly not needed cause Java has evolved a lot since then and the performance issues these tricks tried to solve back then, are currently solved by Java's JVM itself. So if someone tries to sell you packed / unpacked integers in special hashmap data structures and other such things know that they have really lost their value nowadays.    A lot of people are selling thin air, things that everyone has. "Quality geodata" being one of them. I mean what's "quality geodata" ? Has someone painted them by hand ? Hell there's an online tool for free in github that extracts quality geodata, I think Galagard made it ? In contrast I'll tell you without wanting to boast about it that I use 3D navmesh on my project because 2000 bots could not pathfind large distances on A* on geodata. As far as I know, L2JMobius has it in its subscription version too. So if I could do an acceptable transition to navmesh from geodata in a week alone, I would assume that a decent pack with dedicated developers could do it better and faster. Red flag if someone still tries to sell you geodata in 2026.   Multi-protocol support gives small value and is a high risk.   I would not go for multi-protocol support for a public server cause you are locking yourself to specific providers and the functionality they support. If you need to change (eg pricing issues), you will be locked to a handful of providers. And what are you really gaining from a new client on an old game version ? Better UI ? The engine is still the same, static targeting and menus.    Agentic AI will make old hard features easy to implement, and drop their money value. Pay for AI-proof value. And compared to what most insecure devs claim, its a very powerful tool that allows those who know how to use it to accelerate their development. So a lot of features that took in the past a lot of time and effort to be developed and were a reason to charge money, are becoming a commodity today. So think to: The thing I am paying money for right now, how easy will it be to implement in a year from now ? If for example you are paying money for a game launcher that Claude Code can generate in top 1 hour without issues, I think you are wasting money.    I want to emphasise this a lot. Software engineering is in a transition atm. Most things that were mediocre to implement, launchers, guards, CMS, are nowadays easy. Yet the dev community continues to market them as premium content. They are not, sooner or later, when everyone starts selling them, they will realize that they will have to offer value in more complex features.  Private or public ? Bottom line is that a private pack and 1000 euro wont get you a sucessful server. You're the one that make it or break it. There have been many sucessful servers both in private packs and public packs in the past. It's really on the hands of the beholder, not on the source. A pack that plays good is a good indicator to buy as Trance said, but I would disagree that it's not enough. A server owner is not a player. He's a business man and has to account for longevity, vendor lock-in, expandability, hidden costs,  amortization, price changes and many more. Don't pick a pack based on how it played only.    
    • You don’t even need to look for a ghost project. Just buy the files from a project you’ve personally tested or played. That’s a much better starting point.
    • TG Support: https://t.me/buyingproxysup | Channel: https://t.me/buyingproxycom Discord support: #buyingproxy | Server: Join the BuyingProxy Discord Server!  Create your free account here
    • You have to put deep inside your pocket for something like this, for sure 😄
    • Hello everyone, I'm looking for a High Five Java server pack for a long-term project. I'm not looking for free packs. I'm interested in purchasing a professional pack with full source code if it's worth the investment. My priorities are: Stable core Clean and well-structured source code Good geodata and AI Modern Community Board Offline Trade / Offline Craft Premium Account system Vote Reward system Auto Events (TvT, CTF, DM, etc.) HWID protection Auto Farm  Buffer / QoL systems Modern admin tools Good Olympiad & Seven Signs implementation Excellent instance support (Freya, Frintezza, Zaken, Beleth, etc.) A huge bonus would be: Multi-protocol support (High Five + newer clients such as Salvation/Classical clients) Full source code (no closed binaries) Some custom things over Elegia At the moment I'm considering packs like Sunrise and L2-Scripts, but I'd really like to hear opinions from people who have actually worked with them. If you've been running a serious High Five project, I'd appreciate your honest feedback: Which pack are you using? What are its strengths and weaknesses? Would you buy it again? Are there any better alternatives available today? I'm looking for real experience rather than advertisements. Thanks!
  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..