Securing SF2 and best practices

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

User avatar
Posts: 71
Joined: 27 Jun 2011, 16:03

Securing SF2 and best practices

Postby levancho » 30 Aug 2011, 15:48


We are dealing with a game that requires user to deposite money from their CC or bank account. and further us it in a game, so user balance has to become a part of the game- user state.

now all none SF2 related tasks are taken care of proper way,like deposit, etc .. which go through secured blazeds chanells.
but I would like to ask any suggestions or links to ways to secure SF2 server,gameplay and also ways to avoid situations where "hackers" trying to act as another user and access their balance etc ... and what measures work and dont work, in securing smartfox server and its games?
kind of like best practices

Kind Regards
User avatar
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Postby rjgtav » 30 Aug 2011, 16:05

Hi. I'm not a security expert, but I can give you some suggestions:

1. Send the minimal information to the client - What I mean is that you may not send some important information (for example database information) such as user ID, the bank account, etc. so you can send just the name and the amount of money the user has.

To still access these data from the server, you can use the User.setProperty and getProperty methods, as these are custom data that you can store in the user Object and that are NEVER send to the client.

2. Add some methods to your extensions to monitor users behavior and ban/kick the suspects of hacking/cheating the game.

3. Can't remember of more :-P
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
SFS Tutorials: - Discontinued. Some examples may be bugged.
Posts: 191
Joined: 11 Dec 2010, 14:14

Postby tchen » 31 Aug 2011, 18:28


1. Unfortunately, checkSecurePassword is not the best way to authenticate as it requires plain-text storage on the server. I would say best practice is to use a separate authentication server with a secure transport like HTTPS; using a hashed password check, get a one-time use token tied to the requesting IP, and use that token when authenticating with the SFS2X server.

2. Reiterating rjgtav’s log log log log… and log some more.

3. On the server side of things, be sure to use iptables. Lock out almost everything but the SFS2X ports.

Return to “SFS2X Questions”

Who is online

Users browsing this forum: No registered users and 23 guests