ramdy

Game Login through a forum

8 posts in this topic

Hello all,

Would it be a good idea to "delegate" your player login tasks to a forum (let's say Simple Machines Forum)? When players log in to the game they would also be logged in to the forum, where the "login form" would be wrapped into a GUI inside the game. Tasks like account creation and remembering/changing the password would also be done by the forum and, well, the player could of course also use the forum for community.

Thanks,
Jorge R.
0

Yes, this can be done. There are several ways of doing this:

1) expose the forum database to the game server, and verify the name/password separately
2) expose the forum login function as a service, and RPC to the forum to log in
3) use OpenID or OAuth or OAuth2.0 to sign in through the forum, assuming the forum can be a provider for those protocols
0

What about 1 and 2? Let me explain:

1. The client application logs in to the forum (through an http-request embedded into the client app), and the forum returns the result and a sessionId. (SSL)
2. After a successful answer from the forum, the client connects to the GameServer sending: user, hash(sessionId+password)
3. The GameServer, which is in the same room as the Login Server (forum), queries the forum database and logs the client in if all is OK.

Once the client is logged in, IP checks seem a good idea to keep validating the client, but would the client still need to keep sending the hash(sessionId+password) on each communication?

In general would this be a safe system?

Thanks again,
Jorge R.
0

[quote name='ramdy' timestamp='1301641932' post='4792926']
In general would this be a safe system?
[/quote]

As long as you implement it properly, yes, it should be pretty safe.

Square Enix uses such a system to handle their logins for Final Fantasy 14. There are many other games that do similar as well, but that's just one example I remember offhand.

However, additional security measures are always needed to help protect users' accounts against "unauthorized access" arising from their own faults and not from your system. The idea nowadays is, even if someone should have their account name and password compromised, the account should not be able to be compromised so easily since additional validation checks would be required to unlock the account. Blizzard uses some access time pattern heuristics to help, checks computer specs and IP for example. Other games require a PIN number to access specific characters once you login.

So there's a lot you can do but having a secure login process is only the beginning of such a system.
1

[quote name='ramdy' timestamp='1301641932' post='4792926']
1. The client application logs in to the forum (through an http-request embedded into the client app), and the forum returns the result and a sessionId. (SSL)
2. After a successful answer from the forum, the client connects to the GameServer sending: user, hash(sessionId+password)
3. The GameServer, which is in the same room as the Login Server (forum), queries the forum database and logs the client in if all is OK.
[/quote]


You might want to read my [url="http://www.mindcontrol.org/~hplus/authentication.html"]article on authentication for games[/url], too. There I recommend using a shared secret between forum and game server, meaning the game server doesn't need to actually verify back to the forum once it gets a signed token.

Another option is the client sending username+password to the game server, and the game server verifying name+password with the forum database.
2

[quote]You might want to read my [url="http://www.mindcontrol.org/~hplus/authentication.html"]article on authentication for games[/url], too. There I recommend using a shared secret between forum and game server, meaning the game server doesn't need to actually verify back to the forum once it gets a signed token.[/quote]
Hi, I read it a while ago; very good article. (I will review it.)
Couldn't the sessionId given by the forum be used as a token?
The client logs in to the forum and receives the sessionId.
The client logs in to the game server sending: user-plain-, password-hash- + sessionId-hash-
The gameserver checks the forum DB for the user, generates a hash: password+sessionId with the DB info, and checks it against the one received from the client; if they match, login is OK.

This way you gain that the client will send a different hash on each login.

[quote]Another option is the client sending username+password to the game server, and the game server verifying name+password with the forum database.[/quote]
If the client logs in directly to the forum through an embedded http-request, you get a free sessionId from the forum. Also, if the gameserver does the http-request, it would be slower than querying it.
0

[quote name='ramdy' timestamp='1301731962' post='4793426']
If the client logs in directly to the forum through an embedded http-request, you get a free sessionId from the forum. Also, if the gameserver does the http-request, it would be slower than querying it.
[/quote]

A session id, by itself, is not terribly useful. Generally, you don't want the same user to be logged in from more than one place at the same time, so you can easily tie your "session id" to your user id.

You can create login tokens that are only good for a short amount of time, and thus vary, by adding a timestamp to the hashed token you generate on login. That way, the game server doesn't need to "verify" anything with the forum server at all.

It's unclear to me whether you're using a persistent connection for the game data, or are trying to carry the game data over HTTP, though. If you will be establishing a lot of connections (a la HTTP Comet-style) you will probably either want to re-generate login tokens with each request, or perhaps better, use HTTPS, to avoid the "firesheep" type of session theft attack.
0

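The reply above describes a login token that carries a timestamp and is signed with a secret shared by the forum and the game server, so the game server can check it without contacting the forum. The following is an added example, not code from the thread or from the linked article; HMAC-SHA256, the `user|expires|mac` layout, the 60-second lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: the same secret is provisioned on the forum and the game server.
# Constructed sample value; a real deployment loads it from protected config.
SHARED_SECRET = b"constructed-sample-secret"
TOKEN_LIFETIME = 60  # seconds a token stays valid after the forum issues it


def _mac(secret, user, expires):
    # The length prefix makes the signed message unambiguous even if the
    # user name itself contains the field separator.
    msg = f"{len(user)}:{user}:{expires}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(user, now=None, secret=SHARED_SECRET):
    """Forum side: call only after the forum has verified the password."""
    issued = int(time.time() if now is None else now)
    expires = issued + TOKEN_LIFETIME
    return f"{user}|{expires}|{_mac(secret, user, expires)}"


def verify_token(token, now=None, secret=SHARED_SECRET):
    """Game server side: return the user name, or None if rejected.

    Nothing here talks to the forum or its database; the shared secret
    alone proves that the forum issued the token.
    """
    try:
        user, expires_s, mac = token.rsplit("|", 2)
        expires = int(expires_s)
    except ValueError:
        return None  # malformed token
    expected = _mac(secret, user, expires)
    # Constant-time comparison, so timing does not leak the correct MAC.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None  # forged or altered token, or wrong secret
    current = time.time() if now is None else now
    if current >= expires:
        return None  # token is too old
    return user
```

A token captured in transit can be replayed until it expires, which is why the lifetime is kept short and the token is only sent over an encrypted connection.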
[quote]You can create login tokens that are only good for a short amount of time, and thus vary, by adding a timestamp to the hashed token you generate on login. That way, the game server doesn't need to "verify" anything with the forum server at all.[/quote]
Could you explain this "for dummies"? :) I can't figure out how it would be possible for the game server not to need to verify against the forum db.

[quote]It's unclear to me whether you're using a persistent connection for the game data, or are trying to carry the game data over HTTP, though. If you will be establishing a lot of connections (a la HTTP Comet-style) you will probably either want to re-generate login tokens with each request, or perhaps better, use HTTPS, to avoid the "firesheep" type of session theft attack.[/quote]
Basically you need to log in twice.
1. http-post with the forum.
2. persistent connection with the game server.
0

[quote name='ramdy' timestamp='1301762236' post='4793523']
Could you explain this "for dummies"?[/quote]

That's what [url="http://www.mindcontrol.org/~hplus/authentication.html"]the article about authentication for game servers[/url] does.
1
