Oliver Sch

Prevent Unauthorized Access to Server.

Oliver Sch    141
I am making a Multiplayer Game in Javascript with Socket.IO / nodeJS.

Since JavaScript is too easy to access for everyone;

I would like to know if someone could simply Copy the source code of my Game.
Then paste the code on his own website.
And access my Server via his website since he has my server IP now?

Oliver Sch    141
I found this article:

[url="http://en.wikipedia.org/wiki/Same_origin_policy"]http://en.wikipedia....e_origin_policy[/url]

But what if the server is not hosted by my website host company?

Edited by Schoening

DangerDoom    1103
Do you plan on implementing some sort of login process? You can't really prevent anyone from sending requests to your server, but you can return a 403 error to users who aren't logged in.

Oliver Sch    141
I do plan a login!

I still do not understand how Same Origin Policy works.

I made a server on my computer, but was able to access it via my client that was on Dropbox. Doesn't that go against the Same Origin Policy?

DangerDoom    1103
If I'm not mistaken, Same Origin Policy is enforced by the browser on scripting languages.
So I can write a console application and send requests to your server, but if I tried it through an AJAX call in JavaScript, then I should get an error...
If I put your site in an iframe and tried to access that iframe using JavaScript, then I should get an error...

Just remember that it is not enforced by your server, it is enforced in the browser.

RanBlade    731
Generally speaking, from my experience, if the html file is being served the socket.io.js file from your server

i.e.
[source lang="jscript"]<script src="http://yourdomainhere.com/node_modules/socket.io/node_modules/socket.io-client/dist/socket.io.js"></script>[/source]

Then it will connect to your server. This really isn't a problem as long as you have a login system. If you have a login system the only data they can recieve is data that is sent to all clients that is suppose to be public and any data it sends that has to be logged in tehy would need to log in. If your server checks for bad data then even if they modify the page to send "hack/cheat" data your server should see that and kick them off.

I have found that if you do the relative path for serving the socket.io.js file, then if the page is not coming from your hosting server it will not connect. (This could be a bug in node.js/socket.io and it may not work like this for everyone.) But if I do the relative path, then move the client to another host (making no changes) and try to connect, it will not connect.

[source lang="jscript"]<script src="../node_modules/socket.io/node_modules/socket.io-client/dist/socket.io.js"></script>[/source]

I hope this helps. Let me know if you have any more questions.

Edited by RanBlade

slayemin    6088
[quote name='Schoening' timestamp='1351436980' post='4994725']
I am making a Multiplayer Game in Javascript with Socket.IO / nodeJS.

Since JavaScript is too easy to access for everyone;

I would like to know if someone could simply Copy the source code of my Game.
[/quote]
Yes. They can just do view->source and follow the src urls to grab the JS files.

[quote]
Then paste the code on his own website.
[/quote]
Yes, they could certainly do that. They don't even need a webserver, they can just copy and run the code from their desktop.

[quote]
And access my Server via his website since he has my server IP now?
[/quote]
They don't even need to download your code to find your server IP. All they need to do is run "netstat" or, just ping your domain name (DNS will resolve your name to an IP). Think of your IP as a street address which is publicly visible. Who cares who knows your address when you've got a lock on the door?

Now, you do NOT want to do username and password authentication in Javascript. Javascript is a client side scripting language, so assume that your users will be able to read all of your code. You want to do user validation on the server side through a server side scripting language, such as PHP, ASP, etc. Ideally, the usernames and passwords are stored in a database as hashed values. Your server side validation script will verify that the referring URL is your own domain, then it will grab the username and password, hash them, and then connect to the database and see if there's a stored hash match. If a match is found, the user is authenticated and you can start a server side session in order to maintain state variables between pages. I've barely hit the wavetops on how to do web security (good security will handle SQL injection attacks, start an HTTPS session before sending account info across the wire, etc).

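Added example, not part of any post in this thread: a sketch of the server-side login check and connection gate discussed above, for Node.js using only the built-in crypto module. The function names, the in-memory stores and the sample account are assumptions made for illustration; access is decided by a server-issued session token, while the Origin value is only recorded, since a non-browser client can send whatever it likes.

```javascript
const crypto = require("node:crypto");

// Placeholder domain taken from the thread; everything else here is hypothetical.
const ALLOWED_ORIGIN = "http://yourdomainhere.com";
const users = new Map();    // username -> { salt, hash }
const sessions = new Map(); // session token -> username

// scrypt is a salted, deliberately slow password hash built into Node.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function register(username, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, hash: hashPassword(password, salt) });
}

// Returns a random session token on success, null on any failure.
function login(username, password) {
  const user = users.get(username);
  if (!user) return null;
  const candidate = hashPassword(password, user.salt);
  // Constant-time comparison of the computed and stored hashes.
  if (!crypto.timingSafeEqual(candidate, user.hash)) return null;
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(token, username);
  return token;
}

// Gate for a new connection. `origin` is the client-supplied Origin header:
// browsers fill it in honestly, other programs can set it freely, so it is
// kept for logging and never grants access on its own.
function authorizeHandshake({ origin, token }) {
  const user = sessions.get(token) || null;
  return {
    status: user ? 200 : 403,
    user,
    originMatches: origin === ALLOWED_ORIGIN,
  };
}

// Constructed sample account for the example.
register("alice", "correct horse battery staple");
```

Call `authorizeHandshake` from whatever authorization hook your Socket.IO version provides and refuse the connection when the status is 403.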
