Forum QuickConnect Option To Disable Connect() For Increased Security

Discussion and help relating to PlayerIO's QuickConnect feature, including Facebook Connect and Kongregate Connect.

Option To Disable Connect() For Increased Security

Postby Dg74 » July 31st, 2012, 8:01 pm

I am sure I am not alone when I say what really brought me to PlayerIO is how it eliminates the hassle of managing your own servers. However, right now I see no viable way of making a secure login and guest system without setting up my own server. As the connection documentation says
Per default, anybody can connect to any connection with any user if they simply know the gameid and connectionid. Since this is insecure, you can specify that connections require authentication via a secret key.

Unless you set up your own server to use a secret key or use a 3rd party login system there is nothing stopping someone from connecting with the UserID of ‘simpleHighRankedPlayerGuy’ or ‘simpleAdminMan’ and being treated as though they were that player who had logged in with that player's password.
From my understanding a simple solution would be a connection option to simply disable connecting using the Connect() method and require that a client must use simpleConnect() or one of the other validated methods of connecting. Similar to how you have the option to require a Email when registering, you would just be requiring a password to connect. If user decided to play as a guest the client would connect with a UserID of “Guest” and a public, pre-set password. Now someone cannot login with whatever userID they want unless they also know that user's password.
Right now I cannot figure out a way with the current options of avoiding a server without compromising security and I believe adding this option would be a valuable feature.

Please correct me if I misunderstood something about user verification or the documentation. I am in no way very knowledgeable on this subject. Hopefully this is a viable, easy to implement feature. If not… well I’ll have to figure something else out or just accept that my game is not secure without a separate server. I just thought I would make the suggestion :)
Dg74
 
Posts: 12
Joined: May 19th, 2011, 9:33 pm

Re: Option To Disable Connect() For Increased Security

Postby Henrik » August 1st, 2012, 10:23 am

Regular connect is for people who already have a website with a user database and where they can securely generate the authentication key for each user.To disable the public connection for regular connects, just check "Require Authentication" and enter a random string as the shared secret, and enable QuickConnect for Simple Users. That way you get exactly what you're asking for, i.e. the only way to connect to your game is by entering the correct username and password.
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Option To Disable Connect() For Increased Security

Postby Henrik » August 1st, 2012, 10:28 am

However, I agree that the documentation is a bit lacking in this area, and you're not the first guy to ask about how this works. I'll see if we can improve on that a bit in the future. :-)
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Option To Disable Connect() For Increased Security

Postby Dg74 » August 2nd, 2012, 4:50 am

Henrik wrote:Regular connect is for people who already have a website with a user database and where they can securely generate the authentication key for each user.To disable the public connection for regular connects, just check "Require Authentication" and enter a random string as the shared secret, and enable QuickConnect for Simple Users. That way you get exactly what you're asking for, i.e. the only way to connect to your game is by entering the correct username and password.


O ok. Got it!

For some reason I was thinking that if I checked "Require Authentication" I would need to generate an authentication hash based off the UserID even while using Quick Connect, and thus need to place the shared secret with the client rendering it useless. (Silly me :? )

Well anyways, Thanks!
Dg74
 
Posts: 12
Joined: May 19th, 2011, 9:33 pm

Re: Option To Disable Connect() For Increased Security

Postby BadViking » August 15th, 2012, 12:31 pm

So how would you go about connecting guests if you disabled the Connect() method in this way? The only way I can think of is to register a guest account using quickConnect and connect to that when anyone signs in as a guest, but then you have the problem of all guests using the same account and therefore the same connectUserID. Is there a better way that I've missed?

P.S. I would also really appreciate some clearer documentation on this, including some usage examples of the authentication stuff. I understand the methodology but, for example, how would I generate the hashes securely in php without people being able to read my secret key?
BadViking
Paid Member
 
Posts: 15
Joined: April 29th, 2011, 10:31 am

Re: Option To Disable Connect() For Increased Security

Postby Henrik » August 15th, 2012, 12:46 pm

Well, if guests have unique userids, then they're not guests, are they? So making a shared account is the way to go.

We have code examples on how to generate auth-hashes in various languages at the bottom of this page:
http://playerio.com/documentation/connections
Henrik
.IO
 
Posts: 1880
Joined: January 4th, 2010, 1:53 pm

Re: Option To Disable Connect() For Increased Security

Postby mr_fiskers_fex » May 14th, 2013, 3:46 pm

Dg74 wrote:For some reason I was thinking that if I checked "Require Authentication" I would need to generate an authentication hash based off the UserID even while using Quick Connect, and thus need to place the shared secret with the client rendering it useless.


You're not the only one!

Sorry to bump an old topic, but this thread was a bit buried on the google search results, hopefully this will float it back up a little bit for other people who misunderstood how shared secrets / auth work. They only apply to the good old-fashioned .connect() method, but all of your existing quickConnect methods (whether it's by email, facebook, kong, etc.) will continue to function normally.
mr_fiskers_fex
Paid Member
 
Posts: 67
Joined: September 16th, 2012, 4:35 am


Return to QuickConnect