terrence said:
My thought is to store them in a plain text file, but I am wondering if there is a better way to store this information, because I see a lot of save files/replays from other games are in a certain format (different suffix which cannot be read directly, encoded?)
Depends on the information, and how much data it is. If you want a user to read it or modify it in a sane way in their own text editor, you obviously have to generate text. However, converting text back to machine-readable information (known as ‘parsing’) needs at least some work, and can be hard, depending on the text format that you use.
The simpler form from a game implementor's point of view is to directly write out the data stored in memory that contains the history. Reading it again is then a matter of loading the same file back into the same spot, and done!
Non-text output may also happen if you have a lot of data; you can push the stream through a compression program to reduce file storage requirements.
The disadvantage of a non-text file is that you cannot simply read the output without needing another program for it.
File-extension is a simple way to deter inexperienced people from tampering with the files. E.g., Windows tends to trust the extension blindly. Having a unique extension also means a user can click the file, and it will trigger running your program.
Security is a concern here though; anything you read may have been tampered with, and that includes text files and other forms of data storage. For replay-files it is likely not a bad thing if a user modifies the log, although you should still be aware it may have been changed to exploit a bug in your program. You can add checksums or even sign the data file, but it's not preventing tampering, it just makes it less simple.
terrence said:
When one player decides to move/attack/place cards on the board, should the validation of legitimacy of each move be done on the server side and send the result back to each client, or just directly on the client side? If on the client side, is it possible that each client has a different result?
As a general principle, don't trust data you read from any source. Above, it was about files, but reading from the network is equally dangerous. You may think you are talking to your own program, but in fact you don't actually know. Any program that sends back sane data to you cannot be distinguished from your program.
I can monitor and modify network packets on the way to your server, or even write a completely new program designed to hack the game.
As for checks, assume you do it on the client side. It is a matter of time until you receive an illegal move at your server. That may happen either due to a bug in your client program, some network failure (not sure it can happen, but assume it can), a bug in your server program, someone trying to hack the system, or something else. Now what will you do?
Similarly, yes, it is a matter of time until clients reach an inconsistent state. It may happen due to timing differences, or bugs, or something else. As such you should have a fallback scenario to deal with that case.
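One way to act on the two points above (validate every move on the server, and have a fallback when a client has drifted), as an added example that is not part of the original post. The board size, the JSON message shape, the `Game` class and the assumption that `sender` comes from the authenticated connection rather than from the message body are all made up for this sketch.

```python
import json

BOARD_W, BOARD_H = 4, 3      # assumed board size for this sketch
MAX_MSG_BYTES = 256          # refuse oversized input before parsing it

class Game:
    """Authoritative server-side state; clients only hold a copy of it."""
    def __init__(self, players):
        self.players = list(players)
        self.turn = 0        # index into self.players
        self.board = {}      # (x, y) -> player who placed a piece there
        self.version = 0     # bumped on every accepted move

    def snapshot(self):
        cells = [[x, y, p] for (x, y), p in sorted(self.board.items())]
        return {"version": self.version, "turn": self.players[self.turn], "cells": cells}

    def handle(self, sender, raw):
        """Process one untrusted message; bad input is rejected, never raised."""
        err, cell = self._check(sender, raw)
        if err is None:
            self.board[cell] = sender
            self.version += 1
            self.turn = (self.turn + 1) % len(self.players)
        # Every reply carries the full state, so a client that drifted
        # (bug, timing, tampering) can resynchronise from the server's copy.
        return {"ok": err is None, "error": err, "state": self.snapshot()}

    def _check(self, sender, raw):
        if len(raw) > MAX_MSG_BYTES:
            return "too large", None
        try:
            msg = json.loads(raw)
        except ValueError:   # covers invalid JSON and invalid UTF-8
            return "not json", None
        if not isinstance(msg, dict) or set(msg) != {"x", "y", "version"}:
            return "bad shape", None
        x, y, ver = msg["x"], msg["y"], msg["version"]
        if not all(type(v) is int for v in (x, y, ver)):  # no bool/float/str
            return "bad types", None
        if sender != self.players[self.turn]:
            return "not your turn", None
        if ver != self.version:
            return "stale state", None
        if not (0 <= x < BOARD_W and 0 <= y < BOARD_H):
            return "off board", None
        if (x, y) in self.board:
            return "cell occupied", None
        return None, (x, y)
```

A rejected message leaves the server state untouched, and the `version` field lets the server detect a client that is acting on an out-of-date copy of the board.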