Hello
We are using ExtensionRequest for our client-server communication.
Now for some security-related stuff I would like to inject the playerid from the server side instead of sending it as a parameter from the client side (as this could be easily sniffed).
I'm thinking if I can do something to achieve this through smartfox like a map of ip address to playerid in smartfox or something.
This is really urgent. Help appreciated.
Thanks
Injecting data from server side in extensionrequest
-
- Posts: 36
- Joined: 26 Sep 2013, 18:26
Re: Injecting data from server side in extensionrequest
Hello,
The User object is already unique to each player, and each User object has a unique ID. Is it enough for your purposes?
If it is, for example, a database id, you can store it on the server-side only, through the .getProperty() and .setProperty() methods of the User object.
More information at the Java Server API Documentation: http://docs2x.smartfoxserver.com/api-do ... oc/server/
Cheers
Skills: SFS Pro, SFS2X, AS2.0/AS3.0, Java, HTML5/CSS3/JS, C#
Portfolio: https://rjgtav.wordpress.com/
SFS Tutorials: http://sfs-tutor.blogspot.com/ - Discontinued. Some examples may be bugged.
Re: Injecting data from server side in extensionrequest
Well the thing is, our server is entirely in C#. We do have a Java extension that does some stuff and I'm not currently sure how information is passed from C# to Java and hence I'm also not sure if the reverse is true.
Does this User object have an id? Perhaps if I can figure out how to pass data from Java to C# then I can maintain a map of user id to myplayerid and that would suffice.
Thanks
Re: Injecting data from server side in extensionrequest
Basically if I can figure out how to access the User object for the request that is sent from the client to my server then I'm good to go.
Re: Injecting data from server side in extensionrequest
Hmmm I'm sorry, but... SmartFoxServer uses Java on the server-side. You're using SmartFoxServer, right?
The main Data Structures are mostly the same on both the server-side and the client. Which means, in this specific case, both the User Object on the client and on the server have an id property, which has the same value on both sides.
They may or may not be useful for your case scenario; if you can provide more details about the project, we can help you further.
You can read more at the official documentation, especially the Java Server-side API Documentation and the C# Client API:
http://docs2x.smartfoxserver.com/api-do ... doc/server
http://docs2x.smartfoxserver.com/api-do ... Index.html
Cheers
Re: Injecting data from server side in extensionrequest
coolaneasy wrote:Basically if I can figure out how to access the User object for the request that is sent from the client to my server then I'm good to go.
Everything is in the documentation.
You can find a reference to the User object which sent the request on the handleClientRequest(user, params) method of your client request handler class.
Re: Injecting data from server side in extensionrequest
Hey actually User object might be unique to each player but is it safe??
Is it something that goes from client to smartfox or does smartfox have a mapping of ip address to User object??
Thanks
Re: Injecting data from server side in extensionrequest
@coolaneasy:
Your question is not entirely clear to me. In particular, what do you think is not secure about the User ID?
It sounds like you are making assumptions that might not be correct.
Clients on the server side are not identified via their Id, so no one can "spoof" an identity by playing with user ids...
Thanks
p.s. = we also have a very detailed white paper on security here:
http://docs2x.smartfoxserver.com/Overview/white-papers
Re: Injecting data from server side in extensionrequest
Okay let me try and explain better.
Currently we identify the unique player based on playerid which is sent as data in the ExtensionRequest command sent from client.
Obviously this is prone to snooping and hacking.
Now if smartfox was doing something similar and userid was sent from the client as well then that beats the whole point.
However if smartfox was keeping track of what ip the request came from and mapped that ip to its User object then yes that would work completely fine for me.
Is that a lil better explanation??
Thanks
Re: Injecting data from server side in extensionrequest
So I also went through the security whitepaper and I was talking about extension level security and Input validation....
Now my question is: is it possible for client A (while using his own account) to make changes to his request so that smartfox thinks the request is from another account? This is the security issue I'm trying to address.
1. How does smartfox determine what user is sending the request?
2. How is it safe from a client modifying static data such as userid and ip address that the request is coming from?
I did read about how it does not use HTTP cookies, which makes it more secure, but I'm not sure how, and how it prevents a connected logged-in user from making modifications to his request to make it seem like it's coming from some other source and hence fool the server into doing something that is not necessarily legit. One can argue that oh, the server will send data to the forged IP and hence client A may never receive a response, but there still could be a problem if the server actually does some logic for client B 'cause of the forged request from A, which is wrong.
I hope that's some better explanation.
Thanks
Re: Injecting data from server side in extensionrequest
coolaneasy wrote:However if smartfox was keeping track of what ip the request came from and mapped that ip to its User object then yes that would work completely fine for me.
Is that a lil better explanation??
Yes, that's how it works. The server recognizes users from their connection, not even the IP, it's more than that because behind an IP there can be dozens of users, at times.
coolaneasy wrote:So I also went through the security whitepaper and I was talking about extension level security and Input validation....
Now my question is: is it possible for client A (while using his own account) to make changes to his request so that smartfox thinks the request is from another account? This is the security issue I'm trying to address.
No, it is not possible.
coolaneasy wrote:2. How is it safe from a client modifying static data such as userid and ip address that the request is coming from?
A User can't do that.
1) Client requests don't contain any user id, because as I said it's not necessary to identify the requester. The physical TCP connection is the ID.
2) You can't mess with the IP address while your connection is active.
coolaneasy wrote:I did read about how it does not use HTTP cookies, which makes it more secure, but I'm not sure how, and how it prevents a connected logged-in user from making modifications to his request to make it seem like it's coming from some other source and hence fool the server into doing something that is not necessarily legit. One can argue that oh, the server will send data to the forged IP and hence client A may never receive a response, but there still could be a problem if the server actually does some logic for client B 'cause of the forged request from A, which is wrong.
None of this applies to SmartFoxServer, because there's no HTTP involved here. Just raw sockets which require a persistent connection.
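The approach described in this thread (identity taken from the connection's User object, with the game's own player id kept in a server-side User property), as an added example that is not code from any poster or from the SmartFoxServer project. It compiles against the SFS2X server libraries; the class names, the `getInventory` command, the `playerId` property key and `lookupPlayerId` are hypothetical.

```java
import com.smartfoxserver.v2.core.ISFSEvent;
import com.smartfoxserver.v2.core.SFSEventParam;
import com.smartfoxserver.v2.core.SFSEventType;
import com.smartfoxserver.v2.entities.User;
import com.smartfoxserver.v2.entities.data.ISFSObject;
import com.smartfoxserver.v2.entities.data.SFSObject;
import com.smartfoxserver.v2.exceptions.SFSException;
import com.smartfoxserver.v2.extensions.BaseClientRequestHandler;
import com.smartfoxserver.v2.extensions.BaseServerEventHandler;
import com.smartfoxserver.v2.extensions.SFSExtension;

public class PlayerIdExtension extends SFSExtension {
    static final String PLAYER_ID = "playerId"; // server-only property key (assumed name)

    @Override
    public void init() {
        addEventHandler(SFSEventType.USER_JOIN_ZONE, BindPlayerId.class);
        addRequestHandler("getInventory", GetInventory.class); // hypothetical command
    }

    // Runs once after login: attach the game's own id to the server-side User.
    public static class BindPlayerId extends BaseServerEventHandler {
        @Override
        public void handleServerEvent(ISFSEvent event) throws SFSException {
            User user = (User) event.getParameter(SFSEventParam.USER);
            user.setProperty(PLAYER_ID, lookupPlayerId(user.getName()));
        }
    }

    public static class GetInventory extends BaseClientRequestHandler {
        @Override
        public void handleClientRequest(User sender, ISFSObject params) {
            // Identity comes from the connection's User, never from the payload.
            Long playerId = (Long) sender.getProperty(PLAYER_ID);
            if (playerId == null) { trace("no playerId bound for", sender.getName()); return; }
            if (params.containsKey(PLAYER_ID)) {
                // An older client build may still send the field: ignore it and log it.
                trace("ignoring client-supplied playerId from", sender.getName());
            }
            ISFSObject reply = new SFSObject();
            reply.putLong(PLAYER_ID, playerId);
            send("getInventory", reply, sender);
        }
    }

    // Constructed stand-in for the real account lookup (database, C# backend, ...).
    static long lookupPlayerId(String userName) {
        return Math.abs((long) userName.hashCode());
    }
}
```

Because the property is set and read only on the server, the client has no field to edit; a `playerId` value arriving in `params` is never trusted.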
Re: Injecting data from server side in extensionrequest
Awesome. Thanks