Hi everyone,
Is it possible to implement a secure login (CHAP) AND check user/pass against a database, without modifying the login method in SmartfoxClient?
As far as I understand it I am supposed to use the default loginRequest event, and not sendXtMessage to login?
Cheers and TIA
aj
PS: PWs are stored md5-encrypted in the db... guess that could be changed, would solve the problem. Not very nice, though...
secure custom login
- thecreatrix
That last part made me wonder... if you store passwords as MD5s in the database (generally a good practice, right?), doesn't that mean you can't use the method from the login tutorial? Since the database password would be an MD5 string, it wouldn't match what the user types in... which means the generated MD5 using the random key during login would never match.
Do lots of people store user passwords unencrypted in their databases? Isn't that a security hole if, say, the database itself was compromised?
I'm kind of a newbie on this part of things, so please forgive my vast ignorance!!!
My mistake. I thought the pw was sent unencrypted and used for the handshake. Really it is the login, so I can store the encrypted pw in the db. What I found to be a problem, though, is that the key may contain characters that will break your sql query, such as slashes and quotes. So it is a good idea to escape it both on the client and server side, right?
Cheers,
aj
the key may contain characters that will break your sql query, such as slashes and quotes.
You mean the secret key? You don't have to use that in your SQL code.
From the user name you look up the password in the DB, then add password and secret key and make an MD5 hash.
The same does the client and you can finally check if they match. Have you read the article I've mentioned?
Do lots of people store user passwords unencrypted in their databases? Isn't that a security hole if, say, the database itself was compromised?
I don't think it's a really good practice. If you have a system for sending passwords back to the clients (the typical "password lost" service) you won't be able to use MD5.
Protecting data in your database is not just about using a simple hash for passwords, it requires a good configuration of the database server, setting up permissions in a secure way etc...
Hi
I'm currently developing an MMO in Flash and I have some questions about the secure login process.
I see in the example that there is an MD5 file on the client side. Can a "bad" user use it to break passwords? Or is this file unusable without the secret key coming from the server?
The second thing is about user registration: if I make a website which presents my game and allows users to create an account, how can I use the md5 file to encrypt the password and put it in my DB? Can I receive the secret key from the server from a php file?
The aim of the encryption was to send the password of our user through the network in a secure way, isn't it?
So if I break the method down into steps, it's like:
- Client side:
  - user types his login and password
  - I get the secret key from the server (with the getRandomKey method)
  - I use the MD5 file to encrypt the password
  - I try to log in my user
- Server side:
  - I catch the user login and password with an extension
  - I make an SQL query to get the password
  - I compare my encrypted DB password with the encrypted password received from the client
  - I send the command response (logOk or LogKo)
Is that right?
And about storing the password, is it better to store it encrypted or unencrypted?
Thanks
Fyx (Beginner)
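Putting the admin's description (look the stored password up by user name, append the secret key, MD5 it, compare with what the client sent) and Fyx's step list together, here is an added example of the whole exchange with both sides in one process. It is not code from the thread or from SmartFoxServer; it assumes the client MD5s the typed password first and then MD5s digest + key, so that the database can hold the MD5 of the password as aj describes, and the user table, names and passwords are constructed for the demo. Two practitioner points it makes concrete: the key never goes anywhere near the SQL (a parameterised lookup by user name takes care of quotes and slashes, which is the admin's point), and because the stored value is an unsalted MD5 of the password, anyone who can read the table can log in without ever knowing the password, which is why the admin's remark that protecting the database is more than hashing matters. The key is consumed on first use so a captured response cannot be replayed, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import sqlite3


def make_user_db():
    """Constructed in-memory user table for the demo. Passwords are stored
    as unsalted MD5 hex digests, as in the thread. Note that this makes the
    stored digest a password-equivalent for this protocol."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_md5 TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("aj", hashlib.md5(b"correct horse").hexdigest()),
        ("fyx", hashlib.md5(b"s3cret").hexdigest()),
    ])
    return db


# --- server side (what the extension would do) --------------------------
class LoginServer:
    def __init__(self, db):
        self.db = db
        self.pending = {}  # user name -> outstanding random key

    def get_random_key(self, username):
        # Step 1: hand the client a fresh, unpredictable challenge.
        key = secrets.token_hex(16)
        self.pending[username] = key
        return key

    def check_login(self, username, client_digest):
        # A key is valid for exactly one attempt, so a sniffed digest
        # cannot be replayed.
        key = self.pending.pop(username, None)
        if key is None:
            return False
        # Step 2: parameterised lookup. Quotes or slashes in the user name
        # cannot break the query, and the key never touches the SQL.
        row = self.db.execute(
            "SELECT pw_md5 FROM users WHERE name = ?", (username,)
        ).fetchone()
        if row is None:
            return False
        stored_md5 = row[0]
        # Step 3: recompute what an honest client must have sent.
        expected = hashlib.md5((stored_md5 + key).encode()).hexdigest()
        # Step 4: constant-time compare, then answer logOk / logKo.
        return hmac.compare_digest(expected, client_digest)


# --- client side (what the Flash client's MD5 library would do) ---------
def client_response(password, key):
    """Hash the typed password, append the server's key, hash again.
    The clear-text password never leaves the client."""
    pw_md5 = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((pw_md5 + key).encode()).hexdigest()


def login(server, username, password):
    """One full login round trip: getRandomKey, then the login attempt."""
    key = server.get_random_key(username)
    return server.check_login(username, client_response(password, key))


if __name__ == "__main__":
    srv = LoginServer(make_user_db())
    print("aj / correct password ->", login(srv, "aj", "correct horse"))
    print("aj / wrong password   ->", login(srv, "aj", "wrong"))
    print("injected user name    ->", login(srv, "fyx' OR '1'='1", "s3cret"))
```

Replace `make_user_db` with your real connection and the dictionary of pending keys with per-connection state in the extension; the rest of the flow is unchanged.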