Forum QuickConnect Facebook Security Problem

Discussion and help relating to PlayerIO's QuickConnect feature, including Facebook Connect and Kongregate Connect.

Facebook Security Problem

Postby radmahdi » April 13th, 2015, 1:53 am

Hi,

I have a Facebook app. For each user, it connects to FB using Graph API first, then it gets the user's FB ID and use it to connect to game server, as follow:

Code: Select all
function MyGame(){
Facebook.init(<FB APP ID>, loginHandler);
}

protected function loginHandler(success:Object, fail:Object):void{
  if(success) {
    playerID = success.uid;
    Facebook.api(Facebook.getAuthResponse().uid, getMeHandler);   
  }
}

protected function getMeHandler(result:Object,fail:Object):void{

PlayerIO.connect(
  stage,                          //Referance to stage
  gameID,                        //Game id (Get your own at playerio.com)
  "public",                       //Connection id, default is public
  playerID,                        //Us
  "",                                //User auth. Can be left blank if authentication is disabled on connection
  null,                        //Current PartnerPay partner.
  handleConnect,                  //Function executed on successful connect
  handleError                     //Function executed if we recive an error
);
}

The problem is that, the users can use cheatEngine, and change the playerID before connecting to the game server, then they are connected as other user.
I tried to understand quickconnect https://gamesnet.yahoo.net/documentation/reference/actionscript3/playerio.quickconnect, but since there is no example, I could not make it.

I appreciate if any one could give me an idea, how can I protect the game from memory scanners?

Best
radmahdi
 
Posts: 16
Joined: July 1st, 2011, 11:27 pm

Re: Facebook Security Problem

Postby Henrik » April 15th, 2015, 4:10 am

Use Authenticate instead of QuickConnect:

https://gamesnet.yahoo.net/documentatio ... n/facebook

https://gamesnet.yahoo.net/documentatio ... thenticate

You only need to pass in the Facebook access token, and there's no way for your players to impersonate another Facebook user.
Henrik
.IO
 
Posts: 1832
Joined: January 4th, 2010, 1:53 pm


Return to QuickConnect



cron