secure custom login

arutj
Posts: 19
Joined: 29 Jan 2008, 13:50

Postby arutj » 24 Sep 2008, 11:50

Hi everyone,

Is it possible to implement a secure login (CHAP) AND check user/pass against a database, without modifying the login method in SmartfoxClient?

As far as I understand it, I am supposed to use the default loginRequest event, and not sendXtMessage, to log in?

Cheers and TIA
aj

PS: PWs are stored md5-encrypted in the db... guess that could be changed, would solve the problem. Not very nice, though...
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 25 Sep 2008, 20:33

I don't understand your question. The SecureLogin example provided with the server does exactly that. It shows how to build a secure login where the credentials are verified on an external data source... database, file etc...
Lapo
--
gotoAndPlay()
...addicted to flash games
thecreatrix
Posts: 19
Joined: 20 Aug 2008, 02:32
Contact:

Postby thecreatrix » 25 Sep 2008, 21:37

That last part made me wonder... if you store passwords as MD5s in the database (generally a good practice, right?), doesn't that mean you can't use the method from the login tutorial? Since the database password would be an MD5 string, it wouldn't match what the user types in... which means the generated MD5 using the random key during login would never match.

Do lots of people store user passwords unencrypted in their databases? Isn't that a security hole if, say, the database itself was compromised?

I'm kind of a newbie on this part of things, so please forgive my vast ignorance!!! :)
arutj
Posts: 19
Joined: 29 Jan 2008, 13:50

Postby arutj » 26 Sep 2008, 06:05

My mistake. I thought the pw was sent unencrypted and used for the handshake. Really it is the login, so I can store the encrypted pw in the db. What I found to be a problem, though, is that the key may contain characters that will break your sql query, such as slashes and quotes. So it is a good idea to escape it both on the client and server side, right?

Cheers,
aj
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 26 Sep 2008, 09:01

the key may contain characters that will break your sql query, such as slashes and quotes.

You mean the secret key? You don't have to use that in your SQL code.
From the user name you look up the password in the DB, then add password and secret key and make an MD5 hash.

The client does the same, and you can finally check if they match. Have you read the article I've mentioned?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 26 Sep 2008, 09:04

Do lots of people store user passwords unencrypted in their databases? Isn't that a security hole if, say, the database itself was compromised?

I don't think it's a really good practice. If you have a system for sending passwords back to the clients (the typical "password lost" service) you won't be able to use MD5.

Protecting data in your database is not just about using a simple hash for passwords, it requires a good configuration of the database server, setting up permissions in a secure way etc...
fyx
Posts: 4
Joined: 06 Nov 2008, 07:00
Location: France

Postby fyx » 17 Nov 2008, 07:39

Hi

I'm currently developing an MMO in Flash and I have some questions about the secure login process.

I see in the example that there is an MD5 file on the client side. Can a "bad" user use it to break passwords? Or is this file unusable without the secret key coming from the server?

The second thing is about user registration: if I make a website which presents my game and allows users to create an account, how can I use the md5 file to encrypt the password and put it in my DB? Can I receive the secret key from the server from a php file?

The aim of the encryption was to send the password of our user through the network in a secure way, isn't it?

So if I decompose the method into various steps it's like:

    Client Side:
      - user types his login and password
      - I get the secret key from the server (with the getRandomKey method)
      - I use the MD5 file to encrypt the password
      - I try to log my user in

    Server Side
      - I catch the user login and password with an extension
      - I make a sql query to get the password
      - I compare my encrypted DB password with the encrypted password received from the client
      - I send the command response (logOk or LogKo)

That's right?

And about the stored password, is it better to store it encrypted or unencrypted?

Thanks
Fyx (Beginner)
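The exchange described in Lapo's reply above and in fyx's step list, as an added illustration that is not code from SmartFoxServer or from anyone in this thread: the server hands out a random key, the client sends MD5(MD5(password) + key), and the server recomputes the same value from the MD5 stored in the DB. The user table, the `server_random_key` stand-in for getRandomKey, and all sample values are constructed for the example; the user name is bound as a query parameter and the key never enters SQL, which is why neither can break the query.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed in-memory user table. Passwords are stored as MD5(password),
# matching the setup discussed in the thread (a modern deployment would use
# a slow, salted password hash instead of plain MD5).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pwd_md5 TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hashlib.md5(b"s3cret").hexdigest()))
    return db

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def server_random_key() -> str:
    # Hypothetical stand-in for getRandomKey(): 16 random bytes, hex-encoded.
    return secrets.token_hex(16)

def client_login_hash(password: str, key: str) -> str:
    # Client side: hash the MD5 of the typed password together with the key.
    # The clear-text password never leaves the client.
    return md5_hex(md5_hex(password) + key)

def server_verify(db, name: str, key: str, client_hash: str) -> bool:
    # Server side: parameterised lookup, so quotes in the user name are data,
    # not SQL; the random key is only used in the hash, never in the query.
    row = db.execute("SELECT pwd_md5 FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False  # unknown user: logKo
    expected = md5_hex(row[0] + key)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(expected, client_hash)

def login_exchange(db, name: str, password: str) -> bool:
    # One full round trip: key issued, client hashes, server checks.
    key = server_random_key()
    return server_verify(db, name, key, client_login_hash(password, key))
```

Because the key changes on every login, a captured hash from one session does not verify under the key issued for the next one.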
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 19 Nov 2008, 06:33

Can a "bad" user use it to break passwords? Or is this file unusable without the secret key coming from the server?

Nope, it can't be broken with that file. The system provides a good level of security.