Injecting data from server side in extensionrequest

Post here your questions about SFS2X. Here we discuss all server-side matters. For client API questions see the dedicated forums.

Moderators: Lapo, Bax

coolaneasy
Posts: 36
Joined: 26 Sep 2013, 18:26

Injecting data from server side in extensionrequest

Postby coolaneasy » 14 Nov 2013, 01:24

Hello
We are using ExtensionRequest for our client-server communication.
Now for some security related stuff I would like to inject the playerid from the server side instead of sending it as a parameter from the client side(as this could be easily sniffed)
I'm thinking if I can do something to achieve this through smartfox like a map of ip address to playerid in smartfox or something.
This is really urgent. Help appreciated.
Thanks
User avatar
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Re: Injecting data from server side in extensionrequest

Postby rjgtav » 14 Nov 2013, 02:09

Hello,

The User object is already unique to each player, and each User object has an unique ID. Is it enough for your purposes?

If it is, for example, a database id, you can store it on the server-side only, through the .getProperty() and .setProperty() methods of the User object.
More information at the Java Server API Documentation: http://docs2x.smartfoxserver.com/api-do ... oc/server/

Cheers
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
coolaneasy
Posts: 36
Joined: 26 Sep 2013, 18:26

Re: Injecting data from server side in extensionrequest

Postby coolaneasy » 14 Nov 2013, 02:44

Well the thing is, our server is entirely in C#. We do have a java extension that does some stuff and I'm not currently sure how information is passed from c# to java and hence I'm also not sure if the reverse is true.
Does this User object have an id? Perhaps if I can figure out how to pass data from java to c# then I can maintain a map of user id to myplayerid and that would suffice.
Thanks
coolaneasy
Posts: 36
Joined: 26 Sep 2013, 18:26

Re: Injecting data from server side in extensionrequest

Postby coolaneasy » 14 Nov 2013, 02:57

Basically if I can figure out how to access the User object for the request that is sent from the client to my server then I'm good to go.
User avatar
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Re: Injecting data from server side in extensionrequest

Postby rjgtav » 14 Nov 2013, 03:09

Hmmm I'm sorry, but... SmartFoxServer uses Java on the server-side.. You're using SmartFoxServer, right?
The main Data Structures are mostly the same on both the server-side and the client. Which means, in this specific case, both the User Object on the cliand and on the server have an id property, which has the same value on both sides.
They may or may not be useful for your case scenario, if you can provide more details about the project, we can help you further :)

You can read more at the official documentation, specially the Java Server-side API Documentation and the C# Client API:
http://docs2x.smartfoxserver.com/api-do ... doc/server
http://docs2x.smartfoxserver.com/api-do ... Index.html

Cheers
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
User avatar
rjgtav
Posts: 2813
Joined: 19 Apr 2009, 11:31
Location: Lisbon, Portugal

Re: Injecting data from server side in extensionrequest

Postby rjgtav » 14 Nov 2013, 03:13

coolaneasy wrote:Basically if I can figure out how to access the User object for the request that is sent from the client to my server then I'm good to go.

Everything is on the documentation :D
You can find a reference to the User object which sent the request on the handleClientRequest(user, params) method of your client request handler class.
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
coolaneasy
Posts: 36
Joined: 26 Sep 2013, 18:26

Re: Injecting data from server side in extensionrequest

Postby coolaneasy » 14 Nov 2013, 03:28

Hey actually User object might be unique to each player but is it safe??
Is it something that goes from client to smartfox or does smartfox have a mapping of ip address to User object??
Thanks
User avatar
Lapo
Site Admin
Posts: 21690
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Injecting data from server side in extensionrequest

Postby Lapo » 14 Nov 2013, 07:50

@coolaneasy:
Your question is not entirely clear to me. In particular what do you think it's not secure about the User ID?
It sounds like you are making assumptions that might not be correct.

Clients on the server side are not identified via their Id, so no one can "spoof" an identity by playing with user ids...

Thanks

p.s. = we also have a very detailed white paper on security here:
http://docs2x.smartfoxserver.com/Overview/white-papers
Lapo
--
gotoAndPlay()
...addicted to flash games
coolaneasy
Posts: 36
Joined: 26 Sep 2013, 18:26

Re: Injecting data from server side in extensionrequest

Postby coolaneasy » 14 Nov 2013, 18:45

Okay let me try and explain better.
Currently we identify the unique player based on playerid which is sent as data in the ExtensionRequest command sent from client.
Obviously this is prone to snooping and hacking.
Now if smartfox was doing something similar and userid was sent from the client as well then that beats the whole point.
However if smartfox was keeping track of what ip the request came from and mapped that ip to its User object then yes that would work completely fine for me.
Is that a lil better explanation??
Thanks
coolaneasy
Posts: 36
Joined: 26 Sep 2013, 18:26

Re: Injecting data from server side in extensionrequest

Postby coolaneasy » 14 Nov 2013, 21:28

So I also went through the security whitepaper and I was talking about extension level security and Input validation....
Now my question is it possible for client A(while using his own account) to make changes to his request so that smartfox thinks the request is from another account. This is the security issue I'm trying to address.
1. How does smartfox determine what user is sending the request?
2. How is it safe from a client modifying static data such as userid and ip address that the request is coming from.
I did read about how it does not use http cookies which makes it more secure but not sure how and how it prevents a connected logged in user from making modifications to his request to make it seem like its coming from some other source and hence fool server in doing something that is not necessarily legit. One can argue that oh the server will send data the forged ip and hence the client A may never receive response but there still could be a problem if the server actually does some logic for client B cause of the forged request from A which is wrong.
I hope thats some better explanation.
Thanks
User avatar
Lapo
Site Admin
Posts: 21690
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Injecting data from server side in extensionrequest

Postby Lapo » 15 Nov 2013, 09:49

coolaneasy wrote:However if smartfox was keeping track of what ip the request came from and mapped that ip to its User object then yes that would work completely fine for me.
Is that a lil better explanation??

Yes, that's how it works. The server recognizes users from their connection, not even the IP, it's more than that because behind an IP there can be dozens of users, at times.

So I also went through the security whitepaper and I was talking about extension level security and Input validation....
Now my question is it possible for client A(while using his own account) to make changes to his request so that smartfox thinks the request is from another account. This is the security issue I'm trying to address.

No, it is not possible.

2. How is it safe from a client modifying static data such as userid and ip address that the request is coming from.

A User can't do that.
1) Client requests don't contain any user id, because as I said it's not necessary to identify the requester. The physical TCP connection is the ID
2) You can't mess with the IP address while your connection is active.

I did read about how it does not use http cookies which makes it more secure but not sure how and how it prevents a connected logged in user from making modifications to his request to make it seem like its coming from some other source and hence fool server in doing something that is not necessarily legit. One can argue that oh the server will send data the forged ip and hence the client A may never receive response but there still could be a problem if the server actually does some logic for client B cause of the forged request from A which is wrong.

None of this applies to SmartFoxServer, because there's no HTTP involved here. Just raw sockets which require a persistent connection.
Lapo

--

gotoAndPlay()

...addicted to flash games
coolaneasy
Posts: 36
Joined: 26 Sep 2013, 18:26

Re: Injecting data from server side in extensionrequest

Postby coolaneasy » 15 Nov 2013, 19:24

Awesome. Thanks

Return to “SFS2X Questions”

Who is online

Users browsing this forum: Google [Bot] and 43 guests