
Discussion and help relating to the PlayerIO Multiplayer API.

Validating user logins

Postby EgoAnt » February 9th, 2010, 2:57 am

I was thinking I would use the following method for verifying users:

Step 1, user logs in with name and password, server returns player name and a generated secret key
Step 2, client passes player name and the login key to PlayerIO server
Step 3, PlayerIO passes a secret authentication code and the player's secret key to the original server to verify

What I mostly want to know is if it is possible for the PlayerIO .dll file to pass these variables to a remote server and have that server return a simple yes or no to the authentication.
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB

Re: Validating user logins

Postby Tsuken » February 9th, 2010, 3:27 am

No, I think I read somewhere that PlayerIO will not allow you to connect to any other server from server-side.
Tsuken
 
Posts: 41
Joined: January 26th, 2010, 7:54 pm

Re: Validating user logins

Postby Cyclone103 » February 9th, 2010, 3:43 am

From serverside no, (I think), but you can do whatever you want clientside.

The serverside thing is to protect the whole server from harm, even though everything is sandboxed.
Cyclone103
 
Posts: 155
Joined: January 18th, 2010, 6:47 pm

Re: Validating user logins

Postby mjdeslon » February 9th, 2010, 5:19 am

I am getting ready to write this kind of code tonight... if someone is interested I can post what I did... assuming it works :)
mjdeslon
 
Posts: 40
Joined: February 4th, 2010, 8:16 am
Location: Missouri

Re: Validating user logins

Postby EgoAnt » February 9th, 2010, 6:22 am

I can't wait to see what you come up with, mjdeslon.

For now my new plan is to use a service like GamerSafe or Mochi to handle the login / monetizing and just use PlayerIO for the multiplayer code.
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB

Re: Validating user logins

Postby Tsuken » February 9th, 2010, 7:33 am

I was thinking the same EgoAnt :)
Tsuken
 
Posts: 41
Joined: January 26th, 2010, 7:54 pm

Re: Validating user logins

Postby Oliver » February 9th, 2010, 10:51 am

So, you've got your users in some sort of database, and you want to get them playing your game, where you know for sure that everybody is who they say they are. The documentation on connections has information about how this should be achieved, but I'll try to distill the core here.

Presenting....

The way to do secure authentication with an external userbase
What you'll need to do is give the connection you're connecting with a secret key and toggle its "Require Authentication" checkbox to "on". This is done in the admin panel under settings for your game.

From then, you'll need to pass in an auth-hash every time you call playerio.connect(...), otherwise you'll get an error back.

The auth-hash is generated based on the user-id you're passing into the player.io connect method. You can find more information about how to generate the auth-hash from a userid and secretkey here: http://playerio.com/documentation/connections.

So, in order to have 3rd party authentication with your own userbase from inside your flash file, this would be the approach:
  1. Toggle on "Require Authentication" and add a secret key to one of your connections
  2. Make a webpage on your servers somewhere, that takes a username & password (or other auth information) and returns the arguments to the playerio.connect(...) method, including an auth-hash generated by your servers.
  3. In your flash file, present the user with username & password fields, and call your new webpage when the user wants to login. Then, take the return values and pass into the playerio.connect(...) method.

In another case, you might be building a Facebook app, where you know that the user is always logged in. Then, the process becomes a bit simpler:

  1. Toggle on "Require Authentication" and add a secret key to one of your connections
  2. When outputting the flash embed tag, add flash vars for user-id and auth-hash that you generate on your serverside (php, django, rails etc...)
  3. In your flash file use the arguments received from the flash vars when calling the playerio.connect(...) method.
Oliver
.IO
 
Posts: 1159
Joined: January 12th, 2010, 8:29 am

Re: Validating user logins

Postby EgoAnt » February 23rd, 2010, 10:56 pm

Okay, I sat down to work with this a bit today and am a little stumped. First, is there a way to set this up to test on the local machine? The other thing I am having trouble with is finding a way to secure passing the user's equipment list to the server for validation.

Here is the scenario: I want the player to log in and then have the database pass a list of the player's equipment to PlayerIO, since the equipment affects their combat damage. I would like to be able to encrypt these values using a secret key and the player's name in order to validate them on the server side. It seems that I can't use System.Security.Cryptography in PlayerIO, though. Is there another way to do this? I don't want people throwing off the balance of the game by spoofing the most powerful items in the game.
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB

Re: Validating user logins

Postby Oliver » February 24th, 2010, 9:43 am

I just re-read the entire thread, and want to make a few comments:

Requesting external web-pages from serverside code
This will be possible in a future release; we're just not sure when and how it will happen.

...is there a way to set this up to test on the local machine?
We don't distinguish between Live and Debug mode for authentication, so yes; you can test it locally.

You can either set up a webpage to generate the connect arguments (user-id, auth...) for you, or simply generate them once and paste them into your .as file while you develop.

Maybe I'm not fully understanding the question?

Passing extra data than just the user-id auth
The auth-hash is only for the connect-userid. We've done a little bit of thinking around having the connect method take optional extra data, that is also validated, but we're not sure it'll be the right approach. It's more likely that when we launch our database solution, it will be the preferred way to pass data from an external server to us without touching the client.

It seems reasonable that Cryptography should be available from the serverside code. I'll get someone to do some research into which classes can be added to the white-list, so you can use the method you describe (which makes total sense to me).

Which cryptography classes did you want to use?
Oliver
.IO
 
Posts: 1159
Joined: January 12th, 2010, 8:29 am

Re: Validating user logins

Postby EgoAnt » February 24th, 2010, 2:31 pm

I could be faulty in my logic here, but here's the basic idea:

From my server I will create a string that is composed of the player's name, the ID of their equipped weapon, the ID of their equipped shield, and a secret key. Then I will pass that information through Flash to PlayerIO. PlayerIO can then recreate the hash to validate that that particular user is allowed to have these items. I can also use it in the reverse order when someone earns a new piece of equipment, so that the server can be somewhat assured that the equipment was granted by PlayerIO.

Either MD5 or SHA1 should be sufficient for this:
http://msdn.microsoft.com/en-us/library ... y.md5.aspx
http://msdn.microsoft.com/en-us/library ... .sha1.aspx
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB
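
The equipment-signing idea from the post above, as an added example (not code from the thread or from PlayerIO), written in Python for brevity; the verifying half would be ported to C# on the game server. It swaps the plain MD5/SHA1 digest for HMAC-SHA256 and length-prefixes each field; the function names, the sample key and the no-separator reading of the original scheme are assumptions.

```python
import hashlib
import hmac

# Constructed sample secret; it belongs only on the web server and in the
# game-server code, never in the Flash client.
SECRET_KEY = b"constructed-demo-secret"


def naive_digest(player: str, weapon_id: int, shield_id: int, key: bytes) -> str:
    """Assumed naive reading of the post: SHA1 over the fields joined with no separator."""
    data = f"{player}{weapon_id}{shield_id}".encode("utf-8") + key
    return hashlib.sha1(data).hexdigest()


def canonical(player: str, weapon_id: int, shield_id: int) -> bytes:
    """Length-prefix every field so two different loadouts never encode to the same bytes."""
    fields = [player.encode("utf-8"), str(weapon_id).encode(), str(shield_id).encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def issue_token(player: str, weapon_id: int, shield_id: int, key: bytes = SECRET_KEY) -> str:
    """Web server side: tag the loadout before handing it to the client."""
    return hmac.new(key, canonical(player, weapon_id, shield_id), hashlib.sha256).hexdigest()


def verify_token(player: str, weapon_id: int, shield_id: int, token: str,
                 key: bytes = SECRET_KEY) -> bool:
    """Game server side: recompute the tag from the claimed values, compare in constant time."""
    expected = issue_token(player, weapon_id, shield_id, key)
    return hmac.compare_digest(expected.encode(), token.encode("utf-8"))


def demo() -> dict:
    token = issue_token("alice", 12, 3)  # constructed player and item ids
    return {
        "genuine": verify_token("alice", 12, 3, token),
        "swapped_weapon": verify_token("alice", 99, 3, token),
        "other_player": verify_token("bob", 12, 3, token),
        # Without separators, weapon 12 + shield 3 and weapon 1 + shield 23 both
        # become "alice123", so one digest vouches for two loadouts.
        "naive_collision": naive_digest("alice", 12, 3, SECRET_KEY)
        == naive_digest("alice", 1, 23, SECRET_KEY),
        "canonical_collision": verify_token("alice", 1, 23, token),
    }


if __name__ == "__main__":
    print(demo())
```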

Re: Validating user logins

Postby Oliver » February 24th, 2010, 2:39 pm

That seems very reasonable :-)

I'll get some cryptography support added.
Oliver
.IO
 
Posts: 1159
Joined: January 12th, 2010, 8:29 am

Re: Validating user logins

Postby Cyclone103 » February 24th, 2010, 6:03 pm

SHA1 is more secure than MD5.

Thanks for adding this Oliver!
Cyclone103
 
Posts: 155
Joined: January 18th, 2010, 6:47 pm

Re: Validating user logins

Postby EgoAnt » March 1st, 2010, 10:09 pm

In the meantime I just wrote my own (not very secure) authentication system, and will add in something a bit more robust when it is available. I'm on a major roll right now and don't want to get hung up. Still, I hope this is available soon!
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB

Re: Validating user logins

Postby Oliver » March 2nd, 2010, 11:19 am

Cryptography support is already in the internal build of the next version -- it'll be out this week.
Oliver
.IO
 
Posts: 1159
Joined: January 12th, 2010, 8:29 am

Re: Validating user logins

Postby EgoAnt » March 2nd, 2010, 1:39 pm

Wow! That was fast!
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB

Re: Validating user logins

Postby Cyclone103 » March 2nd, 2010, 9:24 pm

Looking forward to it, thanks Oliver!
Cyclone103
 
Posts: 155
Joined: January 18th, 2010, 6:47 pm

Re: Validating user logins

Postby Oliver » March 5th, 2010, 2:56 pm

And.... there! It's out :-)

Also, did you want to do an intro screencast ? :D
Oliver
.IO
 
Posts: 1159
Joined: January 12th, 2010, 8:29 am

Re: Validating user logins

Postby EgoAnt » March 5th, 2010, 8:29 pm

Yeah, I think I'll do a little "using cryptography" screencast. I'm just testing my first attempt to make sure it works and then I'll try to get something worked out early next week.
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB

Re: Validating user logins

Postby Cyclone103 » March 5th, 2010, 8:45 pm

Maybe some sample code as well?


Thanks Oliver!
Cyclone103
 
Posts: 155
Joined: January 18th, 2010, 6:47 pm

Re: Validating user logins

Postby EgoAnt » March 5th, 2010, 9:11 pm

WOOT! SHA1 is in the house! Okay, so my test is complete, I'll try to put up a tutorial / screencast over the weekend with source code. Thanks guys! This really helps!
EgoAnt
 
Posts: 23
Joined: February 2nd, 2010, 5:01 am
Location: Edmonton, AB

Re: Validating user logins

Postby Oliver » March 8th, 2010, 1:22 pm

Groovy, awesome! Thanks!
Oliver
.IO
 
Posts: 1159
Joined: January 12th, 2010, 8:29 am

