
Game Login through a forum


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

8 replies to this topic

#1 ramdy   Members   -  Reputation: 139


Posted 13 March 2011 - 03:53 PM

Hello all,

Would it be a good idea to "delegate" your player login tasks to a forum (let's say Simple Machines Forum)? When players log in to the game they would also be logged in to the forum, where the "login form" would be wrapped into a GUI inside the game. Tasks like account creation and remembering/changing the password would also be done by the forum and, well, players could of course also use the forum for community.

Thanks,
Jorge R.


#2 hplus0603   Moderators   -  Reputation: 4906


Posted 14 March 2011 - 12:56 PM

Yes, this can be done. There are several ways of doing this:

1) expose the forum database to the game server, and verify the name/password separately
2) expose the forum login function as a service, and RPC to the forum to log in
3) use OpenID or OAuth or OAuth2.0 to sign in through the forum, assuming the forum can be a provider for those protocols
enum Bool { True, False, FileNotFound };

#3 ramdy   Members   -  Reputation: 139


Posted 01 April 2011 - 01:12 AM

What about 1 and 2? Let me explain:

1. The client application logs in to the forum (through an http-request embedded into the client app), where the forum returns the result and a sessionId. (SSL)
2. After a successful answer from the forum, the client connects to the GameServer sending: user, hash(sessionId+password)
3. The GameServer, which is in the same room as the Login Server (forum), queries the forum database and logs in the client if all is OK.

Once the client is logged in, to keep validating the client, IP checks seem a good idea, but would the client still need to keep sending the hash(sessionId+password) on each communication?

In general would this be a safe system?

Thanks again,
Jorge R.

#4 Drew_Benton   Crossbones+   -  Reputation: 1713


Posted 01 April 2011 - 07:13 AM

> In general would this be a safe system?


As long as you implement it properly, yes, it should be pretty safe.

Square Enix uses such a system to handle their logins for Final Fantasy 14. There are many other games that do similar as well, but that's just one example I remember offhand.

However, additional security measures are always needed to help protect users' accounts against "unauthorized access" arising from their own faults and not from your system. The idea nowadays is, even if someone should have their account name and password compromised, the account should not be able to be compromised so easily since additional validation checks would be required to unlock the account. Blizzard uses some access time pattern heuristics to help, checks computer specs and IP for example. Other games require a PIN number to access specific characters once you login.

So there's a lot you can do but having a secure login process is only the beginning of such a system.

"But I, being poor, have only my dreams. I have spread my dreams under your feet; tread softly, because you tread on my dreams." - William Butler Yeats

#5 hplus0603   Moderators   -  Reputation: 4906


Posted 01 April 2011 - 11:58 AM

> 1. The client application logs in to the forum (through an http-request embedded into the client app), where the forum returns the result and a sessionId. (SSL)
> 2. After a successful answer from the forum, the client connects to the GameServer sending: user, hash(sessionId+password)
> 3. The GameServer, which is in the same room as the Login Server (forum), queries the forum database and logs in the client if all is OK.



You might want to read my article on authentication for games, too. There I recommend using a shared secret between forum and game server, meaning the game server doesn't need to actually verify back to the forum once it gets a signed token.

Another option is the client sending username+password to the game server, and the game server verifying name+password with the forum database.
enum Bool { True, False, FileNotFound };

#6 ramdy   Members   -  Reputation: 139


Posted 02 April 2011 - 02:12 AM

> You might want to read my article on authentication for games, too. There I recommend using a shared secret between forum and game server, meaning the game server doesn't need to actually verify back to the forum once it gets a signed token.

Hi, I read it a while ago; very good article. (I will review it.)
Couldn't the sessionId given by the forum be used as a token?
The client logs in to the forum and receives the sessionId.
The client logs in to the game server sending: user-plain-, password-hash- + sessionId-hash-
The game server checks the forum DB for the user, generates a hash: password+sessionId with the DB info and checks it against the one received from the client; if they match, login OK.

This way you gain that the client will send a different hash on each login.

> Another option is the client sending username+password to the game server, and the game server verifying name+password with the forum database.

If the client logs in directly to the forum through an embedded http-request, you get a free sessionId from the forum. Also, if the game server does the http-request, it would be slower than querying it.

#7 hplus0603   Moderators   -  Reputation: 4906


Posted 02 April 2011 - 09:59 AM

> If the client logs in directly to the forum through an embedded http-request, you get a free sessionId from the forum. Also, if the game server does the http-request, it would be slower than querying it.


A session id, by itself, is not terribly useful. Generally, you don't want the same user to be logged in from more than one place at the same time, so you can easily tie your "session id" to your user id.

You can create login tokens that are only good for a short amount of time, and thus vary, by adding a timestamp to the hashed token you generate on login. That way, the game server doesn't need to "verify" anything with the forum server at all.

It's unclear to me whether you're using a persistent connection for the game data, or are trying to carry the game data over HTTP, though. If you will be establishing a lot of connections (a la HTTP Comet-style) you will probably either want to re-generate login tokens with each request, or perhaps better, use HTTPS, to avoid the "firesheep" type of session theft attack.
enum Bool { True, False, FileNotFound };
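The short-lived, timestamped login token from posts #5 and #7, as an added example that is not part of the thread or of the linked article. It assumes HMAC-SHA256 as the "hashed token" construction; `SHARED_SECRET`, `TOKEN_LIFETIME`, `issue_token` and `verify_token` are hypothetical names.

```python
import base64
import hashlib
import hmac
import time

# Assumption: the same secret is provisioned on the forum and the game server.
SHARED_SECRET = b"constructed-demo-secret"   # constructed sample value
TOKEN_LIFETIME = 300                         # seconds, assumed value


def _sign(payload, secret):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id, now=None, secret=SHARED_SECRET):
    """Forum side: call only after the forum has checked the password."""
    now = time.time() if now is None else now
    expires = int(now + TOKEN_LIFETIME)
    # base64url never contains '.', so '.' is a safe field separator.
    uid = base64.urlsafe_b64encode(user_id.encode()).decode()
    payload = f"{uid}.{expires}"
    return f"{payload}.{_sign(payload, secret)}"


def verify_token(token, now=None, secret=SHARED_SECRET):
    """Game server side: returns the user id, or None. No forum lookup."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    uid, expires, mac = parts
    expected = _sign(f"{uid}.{expires}", secret)
    # Constant-time comparison; fields are parsed only after the MAC checks out.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if int(expires) < now:
        return None          # token has outlived its lifetime
    return base64.urlsafe_b64decode(uid).decode()


if __name__ == "__main__":
    t = issue_token("player1")
    print(t, "->", verify_token(t))
```

Until it expires the token is a bearer credential, so it still needs the HTTPS transport mentioned in the post above.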

#8 ramdy   Members   -  Reputation: 139


Posted 02 April 2011 - 10:37 AM

> You can create login tokens that are only good for a short amount of time, and thus vary, by adding a timestamp to the hashed token you generate on login. That way, the game server doesn't need to "verify" anything with the forum server at all.

Could you explain this "for dummies"? :) I can't figure out how it would be possible for the game server not to need to verify with the forum db.

> It's unclear to me whether you're using a persistent connection for the game data, or are trying to carry the game data over HTTP, though. If you will be establishing a lot of connections (a la HTTP Comet-style) you will probably either want to re-generate login tokens with each request, or perhaps better, use HTTPS, to avoid the "firesheep" type of session theft attack.

Basically you need to log in twice.
1. http-post with the forum.
2. persistent connection with the game server.

#9 hplus0603   Moderators   -  Reputation: 4906


Posted 02 April 2011 - 03:12 PM

> Could you explain this "for dummies"?

That's what the article about authentication for game servers does.
enum Bool { True, False, FileNotFound };






