Is it possible to save a variable on the server that is only visible to the user who created it (sorta like a session on ASP)?
Like this:
A user accesses a server extension and their credentials are checked using a database (select id from table where user=username and pass=password).
Later on the user tries to access the server extension again to gather information of some sort, but this time I don't want to verify their credentials again. Instead I want to access the database using their already saved id located on the server (without actually sending the ID using sendXtMessage):
(select games from table where id=<saved id>)
Reason:
Every once in a while a hacker uses several techniques to exploit my game.
Since SWFs are open source, a hacker can just decompile the game to catch or manipulate variables and functions. Even after encryption the hacker can still scan for any variable or function that is running and eventually find key functions/variables to access key elements in the database.
By having saved "sessions", I won't need to send IDs, which can easily be manipulated by the client.
Alternative solution:
I know I can just send the username and password rather than the ID to verify their credentials every time they access an extension, but I was wondering if there is a better way so I don't have to make this massive access every time.
Quick noob question about extensions
- mistermind
- Posts: 131
- Joined: 15 Sep 2007, 01:33
SELECT * FROM users WHERE clue > 0
0 rows returned.
Try this:
Store an object on the server side that is represented by the SFS user's id, and save your database id there.
i.e. uVars["SmartFox user Id"].databaseId = saved Id,
where the SmartFox user id comes from user.getUserId() - I don't think the hacker can modify SmartFox's user id.
So, just send a blank sendXtMessage and let the server do the rest.
Smartfox's forum is my daily newspaper.
- mistermind
- Posts: 131
- Joined: 15 Sep 2007, 01:33
Interesting. Thanks BigFish.
But I've got another question:
From the server I can actually access any variable of a certain user just by using his myUserId?
For example:
From the extension I can just use
"select username from table where id="+ uVars[smartfox.myUserId].databaseId
Will that work? Will the extension know who is accessing it?
Or will I at some point need his smartfox.myUserId?
Hrm, perhaps you are a little confused.
uVars is a custom-made object in the server-side extension (like "users", which holds all the user objects by their SFS id) - so var uVars = {} should do.
When any client tries to communicate with the server, the extension will automatically recognize who is trying to communicate with the server by his/her own unique socket channel.
For instance, in handleRequest(cmd, params, user, fromRoom, protocol) the "user" parameter is automatically generated by the server, so you can access his/her SFS id by user.getUserId() and use this id to access the database id in uVars. The client doesn't create nor modify the "user" parameter (I think..).
Also, this can work upon "userLost" or "userExit" - usually they give you a user id to work with, i.e. evt["userId"]; then access your custom-made "uVars" by this id.
- mistermind
- Posts: 131
- Joined: 15 Sep 2007, 01:33
Hi there Bigfish, I'm having a little problem with the syntax of my extension code.
When I do this:
trace("SFSuserID: "+ user.getUserId());
trace("Username: "+ user.getName());
var userVars:Object = user.getVariables();
trace("idUser: "+ userVars.idUser);
I get the user id and name just fine, but when it gets to the third line I get an error telling me ";" is missing, which doesn't make much sense from my point of view.
And when I try a different syntax:
var userVars = [];
userVars = user.getVariables();
trace("idUser: "+ userVars.idUser);
I get an undefined value.
Can you tell me what I'm doing wrong?
mistermind wrote:Hi there Bigfish, I'm having a little problem with the syntax of my extension code.
When I do this:
trace("SFSuserID: "+ user.getUserId());
trace("Username: "+ user.getName());
var userVars:Object = user.getVariables();
trace("idUser: "+ userVars.idUser);
I get the user id and name just fine, but when it gets to the third line I get an error telling me ";" is missing, which doesn't make much sense from my point of view.
And when I try a different syntax:
var userVars = [];
userVars = user.getVariables();
trace("idUser: "+ userVars.idUser);
I get an undefined value.
Can you tell me what I'm doing wrong?
Someone correct me if I'm wrong, but using user.getVariables() for the user id is not hacker-safe because they can change the variables client-side.
- mistermind
- Posts: 131
- Joined: 15 Sep 2007, 01:33
jamieyg3 wrote:Someone correct me if I'm wrong, but using user.getVariables() for the user id is not hacker-safe because they can change the variables client-side.
Yep, you are right, which is one of the risks I'm taking by using a connection bridge for client login rather than an extension login. The reason for that is to reduce the amount of procedure load on SFS and split it with the server itself. It seems the validating procedure works much faster this way as well. What I did in this case is create the variable and send it to the server with user.setUserVariables as soon as you get a validation from ASP. Problem is, of course, I have a small window of opportunity there for hackers.
See, after much understanding of how to hack a Flash game I learned that they can do two things: variable scanning and variable editing. The thing is, this process is done manually and it has to be done while the variable exists. Of course, to take this approach the application MUST be encrypted, but like I said, there is a small window of opportunity there. Probably milliseconds.
The best way to handle this is definitely to validate and pull the user variables within the extension rather than let it go to the client first.
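A runnable plain-JavaScript (Node) model of the server-side "session" BigFish describes and of the client-settable user variable jamieyg3 warns about, added here as an example and not code from the thread or from SmartFoxServer. The handleRequest(cmd, params, user, fromRoom, protocol) signature, user.getUserId(), and the userExit/userLost events carrying evt["userId"] are the names used in the thread; handleInternalEvent is assumed to be the SFS 1.x extension hook that receives those events, and the login flow, the in-memory FAKE_DB and the response objects are constructed so the file runs without a server.

```javascript
// Added example, not code from the thread or from SmartFoxServer. The SFS names
// (handleRequest's parameters, user.getUserId(), the userExit/userLost events with
// evt["userId"]) come from the thread; handleInternalEvent is assumed to be the
// SFS 1.x extension hook that receives those events. Everything else is a
// constructed stand-in so the file runs in Node without a server.

// Constructed stand-in for the game database, keyed by username.
// (Passwords are plaintext only to mirror the thread's query; real tables hold hashes.)
const FAKE_DB = {
  alice: { password: "s3cret", dbId: 42, games: ["chess", "go"] },
  bob:   { password: "hunter2", dbId: 7, games: ["poker"] },
};

// Server-side "session" store keyed by the SFS-assigned user id. Only the
// extension writes to it; the client never sends or sees the database id.
const uVars = {};

function handleRequest(cmd, params, user, fromRoom, protocol) {
  const sfsId = user.getUserId(); // assigned by the server per socket, not by the client
  if (cmd === "login") {
    const row = FAKE_DB[params.username];
    if (!row || row.password !== params.password) return { ok: false, err: "bad credentials" };
    uVars[sfsId] = { databaseId: row.dbId }; // remember which database row this socket is
    return { ok: true };
  }
  if (cmd === "getGames") {
    const sess = uVars[sfsId];
    if (!sess) return { ok: false, err: "not logged in" }; // blank request from an unknown socket
    // In a real extension: SELECT games FROM table WHERE id = ?  with sess.databaseId
    // bound as a parameter, never concatenated into the query string.
    const row = Object.values(FAKE_DB).find((r) => r.dbId === sess.databaseId);
    return { ok: true, games: row.games };
  }
  return { ok: false, err: "unknown cmd" };
}

// Forget the session when the socket goes away, so the SFS id cannot be reused later.
function handleInternalEvent(evt) {
  if (evt.name === "userExit" || evt.name === "userLost") delete uVars[evt["userId"]];
}

// Contrast (jamieyg3's point): a user variable is set by the client, so this
// lookup returns whatever row the client *claims* to be.
function gamesFromUserVariable(user) {
  const claimed = user.getVariables().idUser;
  const row = Object.values(FAKE_DB).find((r) => r.dbId === claimed);
  return row ? row.games : null;
}
```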