avoid standalone connection


macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18


Postby macrotools » 07 Mar 2008, 08:16

Hi,

Maybe it is a simple question, but I really do not know the answer.

When developing I mostly connect to the server by the standalone player.

What if someone knows the domain and port that I use to connect SFS?

So maybe he can write some AS, connect standalone and list all the rooms, users etc etc.

Is there any configuration or method to avoid this? Or is this really possible?

thanks
BigFIsh
Posts: 1698
Joined: 25 Feb 2008, 19:26
Location: New Zealand

Postby BigFIsh » 07 Mar 2008, 09:21

Yea.. I was wondering about that.

I can easily access all the variables that have been defined in any .swf

1. Save .swf file to desktop
2. Open with Flash Mx
3. Debug > List Variables

I can find an IP address the .swf uses from there.

I just found out a way to avoid this... when publishing the flash file, make sure the option "Protect from import" is turned on and add a sexy long password.

:lol:
vaibhavsilar
Posts: 6
Joined: 28 Feb 2008, 10:30

Postby vaibhavsilar » 07 Mar 2008, 11:16

Well, this is not the proper way, because someone can decompile it using an SWF decompiler and use the source file to connect to the server.

One way is to disable server methods such as createroom and joinroom, so these cannot be used from the client's end. This can be achieved by editing config.xml. We have to add the node <disableEvent/> and write the server methods which cannot be used from the client side. Please refer to the documentation.

You have to use server-side plugins for creating rooms etc.

This is a very secure method.
macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18

Postby macrotools » 07 Mar 2008, 11:48

vaibhavsilar wrote:
Well, this is not the proper way, because someone can decompile it using an SWF decompiler and use the source file to connect to the server.

One way is to disable server methods such as createroom and joinroom, so these cannot be used from the client's end. This can be achieved by editing config.xml. We have to add the node <disableEvent/> and write the server methods which cannot be used from the client side. Please refer to the documentation.

You have to use server-side plugins for creating rooms etc.

This is a very secure method.



Is it really a secure way?

If someone decompiles my code, then she/he could see everything.
So I think he/she can sendXt Message to extensions etc.

Briefly, that person may do everything I do. Because he/she could connect to my SFS by standalone player, and see all my functions, just copy them, use the server plugin as I use etc etc.

Am I wrong about anything? I wish to be wrong :)
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 10 Mar 2008, 07:11

macrotools wrote:
So maybe he can write some AS, connect standalone and list all the rooms, users etc etc.

Yes they can, but listing rooms and users isn't a particularly bad thing, unless they try to do something nasty.

In the 2nd part of "Building MMO Virtual Worlds" we describe a number of solutions that you can implement to better protect your application -> http://www.smartfoxserver.com/docs/docP ... mmo_p2.htm
(scroll to the middle of the article)
Lapo
--
gotoAndPlay()
...addicted to flash games
macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18

Postby macrotools » 10 Mar 2008, 13:13

Lapo wrote:
So maybe he can write some AS, connect standalone and list all the rooms, users etc etc.

Yes they can, but listing rooms and users isn't a particularly bad thing, unless they try to do something nasty.

In the 2nd part of "Building MMO Virtual Worlds" we describe a number of solutions that you can implement to better protect your application -> http://www.smartfoxserver.com/docs/docP ... mmo_p2.htm
(scroll to the middle of the article)


I'll take a look at that section.

Ok, listing is not important, he/she will only see some stupid room names :)

But what if I use an extension that disconnects specified user? :) Don't ask me why I use that, it's a long story.

--------------------------------------------------------------------------------

I took a look :) Ok this one seems interesting.

# With the latest Actionscript 3.0 you can transfer entire swf files as byte arrays through the socket. By doing so you will skip the browser cache and make it very hard to capture.


I will spin around this technique.
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 10 Mar 2008, 14:25

Yep, you'll find a working example in chapter 8.17 of the docs

Bye
Lapo

macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18

Postby macrotools » 11 Mar 2008, 10:57

Lapo wrote:
Yep, you'll find a working example in chapter 8.17 of the docs

Bye


Lapo, how can I edit the SocketFileLoader.java file?

EDIT:

OK, I have done it.

For those who want to know, the solution is:

Code:

javac -classpath jysfs.jar SocketFileLoader.java Base64.java


Don't forget the paths for jysfs.jar, SocketFileLoader.java and Base64.java

Javac requires version 48 of jysfs.jar, but if you are using SFS 1.6.x you have to use the jysfs.jar of SFS 1.5.x, as I did.
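
On the question raised earlier in the thread about an extension that disconnects a specified user: a decompiled client can replay any extension request, so the permission check has to run inside the server-side handler. The sketch below is an added illustration, not code from the thread or from SmartFoxServer; `Session`, `handle_request`, the role names and the command names are hypothetical, and the sample users are constructed.

```python
# Added illustration: Session, handle_request and the command names are
# hypothetical, not SmartFoxServer API. Sample users below are constructed.
from dataclasses import dataclass

RANK = {"guest": 0, "moderator": 1}
# Command -> minimum role; anything not listed is rejected (default deny).
REQUIRED_ROLE = {"chat": "guest", "kick": "moderator"}

@dataclass
class Session:
    name: str
    role: str = "guest"      # assigned by the server at login, never by the client
    connected: bool = True

def handle_request(sessions, caller_name, cmd, params):
    """Authorize and run one extension request; returns (ok, reason)."""
    caller = sessions.get(caller_name)
    if caller is None or not caller.connected:
        return (False, "not logged in")
    needed = REQUIRED_ROLE.get(cmd) if isinstance(cmd, str) else None
    if needed is None:
        return (False, "unknown command")
    # The decision uses server-side session state only; a "role" field
    # inside params is attacker-controlled and is never consulted.
    if RANK[caller.role] < RANK[needed]:
        return (False, "not authorized")
    if cmd == "kick":
        target_name = params.get("target") if isinstance(params, dict) else None
        target = sessions.get(target_name) if isinstance(target_name, str) else None
        if target is None or not target.connected:
            return (False, "no such user")
        if RANK[target.role] >= RANK[caller.role]:
            return (False, "target has equal or higher role")
        target.connected = False
        return (True, "kicked " + target.name)
    return (True, "ok")

def demo():
    sessions = {n: Session(n, r) for n, r in
                [("alice", "guest"), ("bob", "moderator"), ("mallory", "guest")]}
    return sessions, [
        handle_request(sessions, "mallory", "kick", {"target": "alice", "role": "moderator"}),
        handle_request(sessions, "mallory", "shutdown", {}),
        handle_request(sessions, "bob", "kick", {"target": "mallory"}),
        handle_request(sessions, "mallory", "chat", {"msg": "hi"}),
    ]

if __name__ == "__main__":
    for result in demo()[1]:
        print(result)
```

The caller's identity is taken from the server's own session table, so a request copied from the client fails unless the account it is sent from already holds the required role.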
