Can I please have your source code, multiplayercoder?
My login is taken care of by the LoginBox control in LoginPanel.mxml. (It's a Flash project). How do I access the password? Do I need the SmartFox Bits source code?
<sfb:LoginBox autoHide="false" buttonText="Login" formLayout="side-top" passwordLabelText="Password:"
restrict="^<>" showPassword="true" usernameLabelText="Username: " focusEnabled="true"/>
SmartFox, password and encoding
Re: SmartFox, password and encoding
MultiplayerCoder wrote:I'd like to comment that in my app, I got around the clear-text passwords in the DB by hashing the passwords before putting them in the DB, and also hashing the passwords client-side (before being sent over the wire to SFS). It complicates matters slightly, but I cringe at cleartext password DB's
rjgtav has a tutorial on how to do a custom login in Flash here, but I'm already using the bits. Did you grab the password from the bits, or did you implement your own login?
http://sfs-tutor.blogspot.com/2011/01/s ... login.html
Re: SmartFox, password and encoding
Thanks, that's a good way of solving the problem
Re: SmartFox, password and encoding
I get the idea behind it, but I don't know how to put it in practice in Java&AS3. I'm not looking for someone to do it for me, but a little sample code wouldn't hurt
Re: SmartFox, password and encoding
Let's forget about the database and try something else...
I'll have my users login through wordpress. Can I grab the wordpress cookie and authenticate the user, or is the only way I can authenticate the user through a direct database connection?
If I can authenticate the user by grabbing the username from the wordpress cookie, how do I bypass the Login screen and go right in the game lobby with that username authenticated?
Re: SmartFox, password and encoding
Hello,
Using cookies isn't very secure, as a malicious client could simply send a hand-made cookie to SFS, tricking the extension.
Can you get access to the method used on the encryption of the passwords by Wordpress? If you could, then you would simply need to mimic that on the client-side and the login would work fine.
Thanks
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
Re: SmartFox, password and encoding
Yes, but I don't know how. Did no one really do what I'm trying to do before (use the Wordpress login, or another encrypted login with sfs2x)? Does everyone really store their passwords in plain text like sfs2x is configured to use out of the box, as shown in the database recipe example?
Re: SmartFox, password and encoding
rjgtav wrote:Hello,
Using cookies isn't very secure, as a malicious client could simply send a hand-made cookie to SFS, tricking the extension.
Can you get access to the method used on the encryption of the passwords by Wordpress? If you could, then you would simply need to mimic that on the client-side and the login would work fine.
Thanks
www.cedricve.me/2011/07/18/how-to-make- ... passwords/
This right here is exactly what I need to do, but in the Tris AS3 example, client side or server side?
Re: SmartFox, password and encoding
I believe I can't do that client side since I don't have the source code for the login box (SFS Bits takes care of that) - can someone confirm this is true?
Now, on the server, what do I need to do? How do I access that PHP encryption function in Java?
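Added example, not code from this thread or from SmartFoxServer: one way to check a password against a WordPress-style stored hash in Java, assuming the database holds phpass portable hashes (the `$P$` format, salted and iterated MD5) and that the server-side code has the password the user typed. The class name `WpPasswordCheck` is hypothetical, and the sample hash in `main` is the test vector for `test12345` published with phpass.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class WpPasswordCheck {  // hypothetical class name
    private static final String ITOA64 =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    // True if clearTextPwd matches a stored phpass portable hash ("$P$" + cost + salt + digest).
    public static boolean matches(String clearTextPwd, String dbPword) throws Exception {
        if (dbPword == null || dbPword.length() != 34 || !dbPword.startsWith("$P$")) return false;
        int countLog2 = ITOA64.indexOf(dbPword.charAt(3));   // cost is stored in the hash itself
        if (countLog2 < 7 || countLog2 > 30) return false;
        byte[] pwd = clearTextPwd.getBytes(StandardCharsets.UTF_8);
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(dbPword.substring(4, 12).getBytes(StandardCharsets.UTF_8)); // 8-char salt
        byte[] hash = md5.digest(pwd);                       // md5(salt . password)
        for (long i = 1L << countLog2; i > 0; i--) {
            md5.update(hash);
            hash = md5.digest(pwd);                          // md5(previous . password)
        }
        String computed = dbPword.substring(0, 12) + encode64(hash);
        // Constant-time comparison of the recomputed and the stored hash.
        return MessageDigest.isEqual(computed.getBytes(StandardCharsets.UTF_8),
                                     dbPword.getBytes(StandardCharsets.UTF_8));
    }

    // phpass's own base64 variant: little-endian 24-bit groups, alphabet ITOA64.
    private static String encode64(byte[] in) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < in.length) {
            int value = in[i++] & 0xff;
            out.append(ITOA64.charAt(value & 0x3f));
            if (i < in.length) value |= (in[i] & 0xff) << 8;
            out.append(ITOA64.charAt((value >> 6) & 0x3f));
            if (i++ >= in.length) break;
            if (i < in.length) value |= (in[i] & 0xff) << 16;
            out.append(ITOA64.charAt((value >> 12) & 0x3f));
            if (i++ >= in.length) break;
            out.append(ITOA64.charAt((value >> 18) & 0x3f));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String stored = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"; // phpass test vector for "test12345"
        System.out.println(matches("test12345", stored));
        System.out.println(matches("wrong-guess", stored));
    }
}
```

Each stored hash carries its own salt and iteration count, so a value produced by a single plain MD5 pass on the client will not equal `dbPword`.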
Re: SmartFox, password and encoding
Hello,
Please check the official SmartFoxBits 2X documentation at http://bits.smartfoxserver.com/docs/as3 ... FS2X/html/, especially the LoginBox section.
In the Usage section (before the summary), you can find that you can override the default behaviour of the LoginBox by listening to the BitEvent.LOGIN_CLICK.
Please note that by listening to that event the LoginBox will not automatically send the LoginRequest, so you'll have to manually do smartfox.send(new LoginRequest(user, pass,...))
Cheers
Re: SmartFox, password and encoding
rjgtav wrote:Hello,
Please check the official SmartFoxBits 2X documentation at http://bits.smartfoxserver.com/docs/as3 ... FS2X/html/, especially the LoginBox section.
In the Usage section (before the summary), you can find that you can override the default behaviour of the LoginBox by listening to the BitEvent.LOGIN_CLICK.
Please note that by listening to that event the LoginBox will not automatically send the LoginRequest, so you'll have to manually do smartfox.send(new LoginRequest(user, pass,...))
Cheers
Thank you! So I SHOULD do it client side then. So I should grab the plain-text password of the user through the LoginBox (is that the passwordTextInput field?), apply the same function that Wordpress applies to the password, then send it over to the Wordpress Login page. Then read the response from Wordpress in AS3, and authenticate or raise an error according to that.
But isn't this vulnerable to hacks since the authentication happens on the client?
Correct me if any of my assumptions are wrong.
I really appreciate your help!
Re: SmartFox, password and encoding
Yes, it is the passwordTextInput property.
Can't you configure SFS2X to connect to wordpress' database? That way you wouldn't need to access the login page, the extension could have direct access to it and execute the necessary query.
Basically you just need to hash the password with the same technology used on the database on the client. This doesn't compromise the security as even by knowing the technology used for the password protection, the hacker would have to bruteforce in order to find the user password, as the encryption is one-way only, so after it is encrypted there's no way back.
Re: SmartFox, password and encoding
rjgtav wrote:Can't you configure SFS2X to connect to wordpress' database? That way you wouldn't need to access the login page, the extension could have direct access to it and execute the necessary query.
I did initially configure it to connect to the wordpress database, and I used the database recipe example (http://docs2x.smartfoxserver.com/Develo ... se-recipes ) to authenticate. But that example is configured to work with a password stored in plain text, right?
Here's my understanding, correct me if I'm wrong:
- the password entered by the user on the client side (let's call it clearTextPwd), sfs2x encrypts with the md5 algorithm and sends to the server-side extension (cryptedPass)
- on the server, that password is compared with the wordpress-encrypted password (dbPword) in the following line:
getApi().checkSecurePassword(session, dbPword, cryptedPass);
The problem is dbPword is not clear text; it's encrypted by the Wordpress algorithm. That's why I'd like to encrypt the clearTextPwd on the client side with the Wordpress algorithm, send it to the extension, and on the extension, after it goes through the checkSecurePassword() method, dbPword should be equal to the clearTextPwd encrypted with the Wordpress algorithm.
Am I complicating myself, or are you seeing a faster/better way to do it?
Re: SmartFox, password and encoding
- the password entered by the user on the client side (let's call it clearTextPwd), sfs2x encrypts with the md5 algorithm and sends to the server-side extension (cryptedPass)
- on the server, that password is compared with the wordpress-encrypted password (dbPword) in the following line:
No, there's one element that is missing:
a unique session hash is added to the password, which is then encrypted in MD5.
As someone suggested here before, all you need to do is encode the client password with the same hashing algorithm that Wordpress uses on the server side, which presumably is MD5.
Re: SmartFox, password and encoding
In order to grab the login password, do I have to create my own loginBox at runtime, or can I use the one already provided in the Tris example? I couldn't see a way to get the password from the one already provided.
I tried creating my own but nothing happens when I click the "Login" button. This is my init() function of Tris.as :
private function init():void
{
    sfs = loginPanel.connector.connection;
    sfs.addEventListener(SFSEvent.LOGIN, onLogin)
    sfs.addEventListener(SFSEvent.LOGIN_ERROR,onLoginError);
    sfs.addEventListener(SFSEvent.CONNECTION_LOST, onConnectionLost);
    sfs.addEventListener(SFSEvent.ROOM_CREATION_ERROR, onRoomCreationError);
    sfs.addEventListener(SFSEvent.ROOM_JOIN, onRoomJoin);
    sfs.addEventListener(SFSEvent.ROOM_JOIN_ERROR, onRoomJoinError);
    sfs.addEventListener(BitEvent.ROOM_CHANGE, onRoomChange);

    var loginBox:LoginBox = new LoginBox();
    loginBox.zone = "BasicExamples";
    loginBox.id="login";
    loginBox.showPassword=true;
    loginPanel.addChild(loginBox);
    loginBox.addEventListener(BitEvent.LOGIN_CLICK, onLoginClick);

    // Create game creation panel instance
    createGamePanel = new CreateGamePanel();
    createGamePanel.addEventListener(CloseEvent.CLOSE, onCreatePopUpClosed);
    createGamePanel.initialize();
}

public function onLoginError(e:SFSEvent):void{
    Alert.show("error", e.params.errorMessage, Alert.OK, null, null);
}

public function onLoginClick():void{
    sfs.send(new LoginRequest("tt","tt","BasicExamples",null));
}