SmartFox, password and encoding


gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 11 Mar 2013, 20:40

Can I please have your source code, multiplayercoder?

My login is taken care of by the LoginBox control in LoginPanel.mxml. (It's a Flash project). How do I access the password? Do I need the smartfox bits source code?

<sfb:LoginBox autoHide="false" buttonText="Login" formLayout="side-top" passwordLabelText="Password:"
restrict="^&lt;&gt;" showPassword="true" usernameLabelText="Username: " focusEnabled="true"/>
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 11 Mar 2013, 21:03

MultiplayerCoder wrote:I'd like to comment that in my app, I got around the clear-text passwords in the DB by hashing the passwords before putting them in the DB, and also hashing the passwords client-side (before being sent over the wire to SFS). It complicates matters slightly, but I cringe at cleartext password DB's :P

rjgtav has a tutorial on how to do a custom login in flash here, but I'm already using the bits. Did you grab the password from the bits or did you implement your own login?
http://sfs-tutor.blogspot.com/2011/01/s ... login.html
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFox, password and encoding

Postby Lapo » 12 Mar 2013, 08:28

Thanks, that's a good way of solving the problem :)
Lapo
--
gotoAndPlay()
...addicted to flash games
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 12 Mar 2013, 14:02

I get the idea behind it, but I don't know how to put it in practice in Java & AS3. I'm not looking for someone to do it for me, but a little sample code wouldn't hurt.
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 12 Mar 2013, 16:07

Let's forget about the database and try something else...

I'll have my users login through wordpress. Can I grab the wordpress cookie and authenticate the user, or is the only way I can authenticate the user through a direct database connection?

If I can authenticate the user by grabbing the username from the wordpress cookie, how do I bypass the Login screen and go right in the game lobby with that username authenticated?
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Re: SmartFox, password and encoding

Postby rjgtav » 12 Mar 2013, 16:27

Hello,

Using cookies isn't very secure, as a malicious client could simply use a hand-made cookie to SFS, tricking the extension.
Can you get access to the method used on the encryption of the passwords by Wordpress? If you could, then you would simply need to mimic that on the client-side and the login would work fine.

Thanks
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 12 Mar 2013, 16:43

Yes, but I don't know how. Did no one really do what I'm trying to do before (use the wordpress login, or another encrypted login with sfs2x)? Does everyone really store their passwords in plain text like sfs2x is configured to use out of the box, as shown in the database recipe example?
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 12 Mar 2013, 16:54

rjgtav wrote:Hello,

Using cookies isn't very secure, as a malicious client could simply use a hand-made cookie to SFS, tricking the extension.
Can you get access to the method used on the encryption of the passwords by Wordpress? If you could, then you would simply need to mimic that on the client-side and the login would work fine.

Thanks

www.cedricve.me/2011/07/18/how-to-make- ... passwords/
This right here is exactly what I need to do, but in the tris as3 example, client side or server side?
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 12 Mar 2013, 17:00

I believe I can't do that client side since I don't have the source code for the login box (sfs bits takes care of that) - can someone confirm this is true?

Now, on the server, what do I need to do? How do I access that php encryption function in Java?
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Re: SmartFox, password and encoding

Postby rjgtav » 12 Mar 2013, 17:47

Hello,

Please check the Official SmartFoxBits 2X documentation at http://bits.smartfoxserver.com/docs/as3 ... FS2X/html/, especially the LoginBox section.

On the Usage section (before the summary), you can find that you can override the default behaviour of the LoginBox by listening to the BitEvent.LOGIN_CLICK.
Please note that by listening to that event the LoginBox will not send automatically the LoginRequest, so you'll have to manually do smartfox.send(new LoginRequest(user, pass,...))

Cheers
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 12 Mar 2013, 17:57

rjgtav wrote:Hello,

Please check the Official SmartFoxBits 2X documentation at http://bits.smartfoxserver.com/docs/as3 ... FS2X/html/, especially the LoginBox section.

On the Usage section (before the summary), you can find that you can override the default behaviour of the LoginBox by listening to the BitEvent.LOGIN_CLICK.
Please note that by listening to that event the LoginBox will not send automatically the LoginRequest, so you'll have to manually do smartfox.send(new LoginRequest(user, pass,...))

Cheers

Thank you! So I SHOULD do it client side then. So I should grab the plain-text password of the user through the LoginBox (is that the passwordTextInput field?), apply the same function that Wordpress applies to the password, then send it over to the Wordpress Login page. Then read the response from Wordpress in AS3, and authenticate or raise an error according to that.

But isn't this vulnerable to hacks since the authentication happens on the client?

Correct me if any of my assumptions are wrong.
I really appreciate your help!
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Re: SmartFox, password and encoding

Postby rjgtav » 12 Mar 2013, 18:13

Yes, it is the passwordTextInput property.
Can't you configure SFS2X to connect to wordpress' database? That way you wouldn't need to access the login page, the extension could have direct access to it and execute the necessary query.

Basically you just need to hash the password with the same technology used on the database on the client. This doesn't compromise the security as even by knowing the technology used for the password protection, the hacker would have to bruteforce in order to find the user password, as the encryption is one-way only, so after it is encrypted there's no way back.
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 12 Mar 2013, 18:43

rjgtav wrote:Can't you configure SFS2X to connect to wordpress' database? That way you wouldn't need to access the login page, the extension could have direct access to it and execute the necessary query.

I did initially configure it to connect to the wordpress database, and I used the database recipe example (http://docs2x.smartfoxserver.com/Develo ... se-recipes ) to authenticate. But that example is configured to work with a password stored in plain text, right?

Here's my understanding, correct me if I'm wrong:

- the password entered by the user on the client side (let's call it clearTextPwd), sfs2x encrypts with the md5 algorithm and sends to the server-side extension (cryptedPass)
- on the server, that password is compared with the wordpress-encrypted password (dbPword) in the following line:

getApi().checkSecurePassword(session, dbPword, cryptedPass);

The problem is dbPword is not clear text; it's encrypted by the wordpress algorithm. That's why I'd like to encrypt the clearTextPwd on the client side with the Wordpress algorithm, send it to the extension, and on the extension, after it goes through the checkSecurePassword() method, dbPword should be equal to the clearTextPwd encrypted with the Wordpress algorithm.

Am I complicating myself, or are you seeing a faster/better way to do it?
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SmartFox, password and encoding

Postby Lapo » 14 Mar 2013, 14:00

- the password entered by the user on the client side (let's call it clearTextPwd), sfs2x encrypts with the md5 algorithm and sends to the server-side extension (cryptedPass)
- on the server, that password is compared with the wordpress-encrypted password (dbPword) in the following line:

No, there's one element that is missing:
a unique session hash is added to the password, which is then encrypted in MD5.

As someone suggested here before, all you need to do is encode the client password with the same hashing algorithm that Wordpress uses on the server side, which presumably is MD5.
Lapo

--

gotoAndPlay()

...addicted to flash games
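
The session-hash check discussed in the posts above, as an added example that is not part of the thread and is not SmartFoxServer code: a stand-alone Java simulation of both sides showing why the client must hash the same secret the database column holds. The concatenation order (token first), the helper names and the sample values are assumptions, and the column is modelled as unsalted MD5, as the thread presumes.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SessionHashLoginDemo {

    // Hex-encoded MD5 of a string, the digest the thread says both sides compute.
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d));
    }

    // Client side: the value sent as the login password.
    // ASSUMPTION: the session token is prepended to the secret before hashing.
    static String clientResponse(String sessionToken, String secret) throws Exception {
        return md5Hex(sessionToken + secret);
    }

    // Server side: hypothetical stand-in for checkSecurePassword(session, dbPword, cryptedPass).
    // It rebuilds the digest from the stored value and compares in constant time.
    static boolean serverCheck(String sessionToken, String dbPword, String cryptedPass) throws Exception {
        byte[] expected = md5Hex(sessionToken + dbPword).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, cryptedPass.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String token = "3f9c1a7e5b2d4c68";       // constructed session token
        String clearTextPwd = "correct horse";   // constructed password
        String dbPword = md5Hex(clearTextPwd);   // constructed DB column: unsalted MD5 of the password

        // Client hashes token + clear text while the DB holds a hash: the inputs differ.
        String fromClear = clientResponse(token, clearTextPwd);
        System.out.println("clear-text secret vs hashed column: " + serverCheck(token, dbPword, fromClear));

        // Client first applies the DB's hash, then adds the token: the inputs are identical.
        String fromHash = clientResponse(token, md5Hex(clearTextPwd));
        System.out.println("pre-hashed secret vs hashed column: " + serverCheck(token, dbPword, fromHash));

        // The same response checked against a session with another token.
        System.out.println("captured response, new session:     " + serverCheck("9b0e6d2c4a1f7853", dbPword, fromHash));
    }
}
```

With this scheme the stored hash itself is the login secret, so it needs the same protection as a clear-text password column; a salted stored hash would also require the client to obtain the salt before it could produce a matching value.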
gg
Posts: 90
Joined: 19 Sep 2010, 21:16

Re: SmartFox, password and encoding

Postby gg » 17 Mar 2013, 08:09

In order to grab the login password, do I have to create my own loginBox at runtime, or can I use the one already provided in the Tris example? I couldn't see a way to get the password from the one already provided.
I tried creating my own but nothing happens when I click the "Login" button. This is my init() function of Tris.as :
    private function init():void
    {
        sfs = loginPanel.connector.connection;
        sfs.addEventListener(SFSEvent.LOGIN, onLogin);
        sfs.addEventListener(SFSEvent.LOGIN_ERROR, onLoginError);
        sfs.addEventListener(SFSEvent.CONNECTION_LOST, onConnectionLost);
        sfs.addEventListener(SFSEvent.ROOM_CREATION_ERROR, onRoomCreationError);
        sfs.addEventListener(SFSEvent.ROOM_JOIN, onRoomJoin);
        sfs.addEventListener(SFSEvent.ROOM_JOIN_ERROR, onRoomJoinError);
        sfs.addEventListener(BitEvent.ROOM_CHANGE, onRoomChange);

        var loginBox:LoginBox = new LoginBox();
        loginBox.zone = "BasicExamples";
        loginBox.id = "login";
        loginBox.showPassword = true;
        loginPanel.addChild(loginBox);

        loginBox.addEventListener(BitEvent.LOGIN_CLICK, onLoginClick);

        // Create game creation panel instance
        createGamePanel = new CreateGamePanel();
        createGamePanel.addEventListener(CloseEvent.CLOSE, onCreatePopUpClosed);
        createGamePanel.initialize();
    }

    public function onLoginError(e:SFSEvent):void {
        Alert.show("error", e.params.errorMessage, Alert.OK, null, null);
    }

    public function onLoginClick():void {
        sfs.send(new LoginRequest("tt", "tt", "BasicExamples", null));
    }
