Author Topic: Suggestions: custom security  (Read 328 times)

Legacy_Pearls

« on: October 27, 2012, 02:24:54 pm »


I wish to improve player account security compared to our current setup and need some input from users about which would be the least troublesome. I have some ideas but haven't had time to test them because some would be time consuming atm. If anyone has better ideas, let me know.

1. Our website already has support for acc names+pw. We use a modified executable and I could prolly check hashed acc+pw to database if the client stores it, but this way would require edit of both lin+win client.

2. I could force new acc registrations to enter their public cdkey or bind the 1st game login key + acc name together. I don't think players know their own public cdkey, but this could be abused maybe.

3. Give players a generated login code to bind client data to db acc, prolly just 4 digits so it's easy for players.
               
               

               
            

Legacy_Fester Pot

« Reply #1 on: October 27, 2012, 02:41:03 pm »


               Give this a look over and see if it suits your second request.

FP!
               
               

               


Edited by Fester Pot, 27 October 2012 - 01:42.
                     
                  


            

Legacy_Rolo Kipp

« Reply #2 on: October 27, 2012, 04:50:58 pm »


               <blowing dust...>

You might also consider developing a more forward-thinking system with the potential to allow both heavier security and the development of a trust-based PC migration system using GPG - peruse, if you will, my thread GPG and saved characters :-)

No one's tried, yet. But it has some wonderful possibilities...

<...off an old idea>
               
               

               
            

Legacy_Pearls

« Reply #3 on: October 28, 2012, 01:43:59 am »


Thanks fp and rolo. Atm I'm looking more into my 3rd option in the op; the 2nd one presents some flaws but is easiest, the 1st one might be most secure but is a lot of work for me atm. If I use the 3rd method I can update the player's db profile when someone validates a new character code instead of multiple checks, but that isn't foolproof either. I might come back to this when I'm done with the site '=]'
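
The third option above (a short generated login code), as an added example that is not code from any poster in this thread: a 4-digit code has only 10,000 values, so the sketch pairs it with an expiry, an attempt cap and single use. The class name LoginCodes, the limits and the in-memory store are assumptions.

```php
<?php
// Added example, not code from the thread. LoginCodes, its limits and the
// in-memory store (a database table in practice) are assumptions.
final class LoginCodes
{
    const TTL_SECONDS  = 900; // code expires 15 minutes after issue
    const MAX_ATTEMPTS = 5;   // caps guessing at 5 of the 10,000 possible codes

    private $pending = [];    // account => ['mac', 'expires', 'attempts']
    private $key;

    public function __construct(string $serverKey) { $this->key = $serverKey; }

    // Keyed hash: a copied table cannot be reversed by hashing all 10,000 codes.
    private function mac(string $account, string $code): string
    {
        return hash_hmac('sha256', $account . "\0" . $code, $this->key);
    }

    public function issue(string $account, int $now): string
    {
        $code = sprintf('%04d', random_int(0, 9999)); // CSPRNG, not rand()
        $this->pending[$account] = ['mac' => $this->mac($account, $code),
            'expires' => $now + self::TTL_SECONDS, 'attempts' => 0];
        return $code; // shown to the player once; only the MAC is stored
    }

    public function verify(string $account, string $code, int $now): bool
    {
        if (!isset($this->pending[$account])) { return false; }
        $entry = $this->pending[$account];
        if ($now > $entry['expires'] || $entry['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->pending[$account]); // expired or exhausted: issue a new code
            return false;
        }
        $this->pending[$account]['attempts']++;
        if (!hash_equals($entry['mac'], $this->mac($account, $code))) { return false; }
        unset($this->pending[$account]); // single use: bind the client to the account here
        return true;
    }
}

// Constructed demo: a first use, a replay, then a fresh code after five wrong guesses.
$codes = new LoginCodes(random_bytes(32));
$code  = $codes->issue('demo_account', 1000);
var_dump($codes->verify('demo_account', $code, 1060)); // first use within the TTL
var_dump($codes->verify('demo_account', $code, 1061)); // replay of a used code
$second = $codes->issue('demo_account', 2000);
for ($i = 0; $i < 5; $i++) { $codes->verify('demo_account', 'xxxx', 2001); }
var_dump($codes->verify('demo_account', $second, 2002)); // right code, cap already hit
```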
               
               

               
            

Baaleos

« Reply #4 on: October 29, 2012, 04:54:08 pm »


               thought this might be useful.

http://www.nwnx.org/...opic.php?t=2022

Essentially:
One of the limitations we have with nwn at the moment, is that if you want to get information in and out of nwn, you need to rely upon nwn events such as
onClientEnter - which leaves you at the mercy of waiting for data to be returned in the database- to determine if the user has the appropriate access.

eg:
In the old days, I used to integrate my Forum Shop with the game server. Anything purchased would be received in-game. (In-game currency was used.)
To facilitate this, I had to run a php script every 5 minutes that transferred the items from the website database to the game database.


The new thing I have developed as a proof of concept, shows how to implement WebServices with nwn.

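<?php
// Dispatch on the "request" query parameter; a missing parameter is treated as ""
$request = isset($_GET["request"]) ? $_GET["request"] : "";

if($request == "GetForumMemberID")
{
  $MemberName = isset($_GET["membername"]) ? $_GET["membername"] : "";
  echo GetForumMemberID($MemberName);
  exit;
}
if($request == "GetForumUserEmailByID")
{
  $MemberID = isset($_GET["memberid"]) ? $_GET["memberid"] : "";
  echo GetForumUserEmailByID($MemberID);
  exit;
}
if($request == "GetForumUserEmailByUserName")
{
  $MemberName = isset($_GET["membername"]) ? $_GET["membername"] : "";
  echo GetForumUserEmailByUserName($MemberName);
  exit;
}


function GetForumMemberID($strUsername)
{
  $username = "DB_User";
  $password = "DB_Pass";

  // mysqli replaces the mysql_* functions, which were removed in PHP 7
  $con = mysqli_connect("localhost", $username, $password, "your_db");
  if (!$con)
  {
    die('Could not connect: ' . mysqli_connect_error());
  }

  // The member name is bound as a parameter, not concatenated into the SQL
  $stmt = mysqli_prepare($con, "SELECT id_member FROM smf_members WHERE member_name LIKE CONCAT('%', ?, '%') LIMIT 1");
  mysqli_stmt_bind_param($stmt, "s", $strUsername);
  mysqli_stmt_execute($stmt);
  mysqli_stmt_bind_result($stmt, $idMember);
  $found = mysqli_stmt_fetch($stmt) ? $idMember : null;

  // Close the statement and connection before returning
  mysqli_stmt_close($stmt);
  mysqli_close($con);
  return $found;
}


function GetForumUserEmailByID($ID)
{
  $username = "DB_User";
  $password = "DB_Pass";

  $con = mysqli_connect("localhost", $username, $password, "your_db");
  if (!$con)
  {
    die('Could not connect: ' . mysqli_connect_error());
  }

  // id_member is numeric, so the value is cast and bound as an integer
  $id = (int)$ID;
  $stmt = mysqli_prepare($con, "SELECT email_address FROM smf_members WHERE id_member = ? LIMIT 1");
  mysqli_stmt_bind_param($stmt, "i", $id);
  mysqli_stmt_execute($stmt);
  mysqli_stmt_bind_result($stmt, $email);
  $found = mysqli_stmt_fetch($stmt) ? $email : null;

  mysqli_stmt_close($stmt);
  mysqli_close($con);
  return $found;
}

function GetForumUserEmailByUserName($UserName)
{
  $username = "DB_User";
  $password = "DB_Pass";

  $con = mysqli_connect("localhost", $username, $password, "your_db");
  if (!$con)
  {
    die('Could not connect: ' . mysqli_connect_error());
  }

  // The member name is bound as a parameter, not concatenated into the SQL
  $stmt = mysqli_prepare($con, "SELECT email_address FROM smf_members WHERE member_name LIKE CONCAT('%', ?, '%') LIMIT 1");
  mysqli_stmt_bind_param($stmt, "s", $UserName);
  mysqli_stmt_execute($stmt);
  mysqli_stmt_bind_result($stmt, $email);
  $found = mysqli_stmt_fetch($stmt) ? $email : null;

  mysqli_stmt_close($stmt);
  mysqli_close($con);
  return $found;
}

?>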

Now - I can have a php file like this.

A nwnx Plugin Modification I have, allows me to query this php page, and look for the output, and then return it to nwn immediately.
(no waiting 5 minutes for scripts to run)

I have a function very much like this on my Forum / GameServer

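function GetForumUserEmailByUserName($UserName)
{
  $username = "DB_User";
  $password = "DB_Pass";

  // mysqli replaces the mysql_* functions, which were removed in PHP 7
  $con = mysqli_connect("localhost", $username, $password, "your_db");
  if (!$con)
  {
    die('Could not connect: ' . mysqli_connect_error());
  }

  // The member name is bound as a parameter, not concatenated into the SQL
  $stmt = mysqli_prepare($con, "SELECT email_address FROM smf_members WHERE member_name LIKE CONCAT('%', ?, '%') LIMIT 1");
  mysqli_stmt_bind_param($stmt, "s", $UserName);
  mysqli_stmt_execute($stmt);
  mysqli_stmt_bind_result($stmt, $email);
  $found = mysqli_stmt_fetch($stmt) ? $email : null;

  mysqli_stmt_close($stmt);
  mysqli_close($con);
  return $found;
}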

But instead of returning the user's e-mail, it returns their member group.
I use this to grant features/items/subraces to specific user groups on my forums.

Heck - if they don't meet the membergroup requirements - the GAME even sends them an e-mail explaining why they are being booted.
(Using the above method to get their e-mail address: Assuming they are registered on the forum)

If the e-mail address comes back as blank - assumes they aren't registered, or haven't linked their account to the forum yet - so displays a message before booting them.

I would definitely recommend using nwnx - as it makes the possibilities almost limitless for your server.
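
An added example, not Baaleos's code: when a lookup like the ones above decides what a player is granted, a substring LIKE match can resolve a login name to a different member's row, while an exact match cannot. It runs against an in-memory SQLite table with constructed rows; the id_group column and both function names are assumptions.

```php
<?php
// Added example: in-memory SQLite stands in for the forum database (constructed rows).
// id_group as the member-group column and both function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE smf_members (id_member INTEGER PRIMARY KEY, member_name TEXT, id_group INTEGER)");
$db->exec("INSERT INTO smf_members VALUES (1, 'Annabel', 1), (2, 'Ann', 0)");

// Substring lookup in the style of the thread's queries (SQLite writes CONCAT as ||).
// ORDER BY is added only so the demo picks the same row on every run.
function groupBySubstring(PDO $db, string $name)
{
    $stmt = $db->prepare(
        "SELECT id_group FROM smf_members WHERE member_name LIKE '%' || ? || '%' ORDER BY id_member LIMIT 1");
    $stmt->execute([$name]);
    $group = $stmt->fetchColumn();
    return $group === false ? null : (int)$group;
}

// Exact lookup: one login name maps to at most one forum account.
function groupByExactName(PDO $db, string $name)
{
    $stmt = $db->prepare("SELECT id_group FROM smf_members WHERE member_name = ? LIMIT 1");
    $stmt->execute([$name]);
    $group = $stmt->fetchColumn();
    return $group === false ? null : (int)$group;
}

// 'Ann' is a full name and also part of 'Annabel'; 'nab' and '%' are not names at all.
foreach (['Ann', 'nab', '%', 'Nobody'] as $login) {
    printf("%-8s substring=%-5s exact=%s\n", $login,
        var_export(groupBySubstring($db, $login), true),
        var_export(groupByExactName($db, $login), true));
}
```

Binding the parameter stops SQL injection in both functions, but only the exact comparison also treats `%` and `_` in the login name as ordinary characters.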
               
               

               
            

Legacy_Pearls

« Reply #5 on: October 31, 2012, 06:04:30 am »


We can't use nwnx plugins for this server, but the method is solid and I can adapt whatever doesn't fit. Many thanks, I'll prolly be copying that =P
               
               

               


Edited by Pearls, 31 October 2012 - 06:05.