  Online RPG Secure Login and Player Actions  (Read 5469 times)
Offline Rayexar
« Posted 2013-12-12 12:35:03 »


I'm working on an online RPG type thing, where user stats are stored in a MySQL database. Basically I'm not sure how to allow the players to perform actions securely after they've logged in. I could have done it by letting the client know that the player successfully logged in, and allowing actions to be sent to the server, but my friend (who can hack games) said it's not very secure.

The other method I thought of is to check whether the username and password entered by the player are correct every time he/she tries to perform an action, but that seems inefficient.

EDIT: I'm using Kryonet for the networking.

Any ideas?


Offline trollwarrior1
« Reply #1 - Posted 2013-12-12 12:41:54 »

I made a really simple prototype of my RPG game networking, and the way I did it was something like this:
- Try to log in.
- If the login is successful, generate a key of 30 random characters and send it to the person who tried to log in.
- When the person wants to do a certain action, send the action along with the key.
- Server should check all the keys it generated and apply the action to the player with that key. I think you understand.

You could also generate a key every 10 seconds or something. That would make it even more secure.


For maximum security, do ALL the game LOGIC on the server. If you want to move to a certain tile, check all the collision and everything on the server. Don't let the client do anything, except for taking inputs.
Offline Rayexar
« Reply #2 - Posted 2013-12-12 12:53:49 »

Wow that was a fast reply lol, thanks!

I understand your idea, but how would you generate a key, and where would it be stored on the server? In the actual server application, or the database?
Offline trollwarrior1
« Reply #3 - Posted 2013-12-12 13:03:12 »

Let's say we have a player list. When a player logs in, we add that player to the server's player list along with the generated key. That key would be generated once every login / after some time periods.

I don't even know why you are using a database. You probably don't know how to make an online game yet, and you're already thinking about how to store data. First you should make an online RPG game where you can actually do something, then think about storage.

I think you should just do the server like you can. If it is your first server, it doesn't have to be secure, it just has to work.
Offline Mac70
« Reply #4 - Posted 2013-12-12 13:15:27 »

Three tips:

1. Use an encryption algorithm with public and private keys generated each time a player logs in/registers/wants to send any data which must be secured. The public key is sent to the client and used to encrypt passwords/emails, then the secured data is sent back to the server and decrypted using the private key.
2. If you store passwords on the server, salt and hash them before saving. Store the salt (not secured in any way) together with the password. When a client logs in, add the salt to the received password, hash it and compare with the hashed password on the server. Create a new salt each time a user registers/changes password.
3. Take a look at package, especially KeyFactory, KeySpec, PublicKey, PrivateKey, Cipher, SecureRandom.

Some code:

1. Very simple salt generator:

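    // Needs java.security.SecureRandom and java.util.Base64; Base64 keeps every random byte, unlike new String(bytes).
    public static String newSalt() {
        return Base64.getEncoder().encodeToString(new SecureRandom().generateSeed(20));
    }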

2. Generation of public and private keys:

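    // Needs: import java.security.*; getInstance can throw NoSuchAlgorithmException.
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(2048); // set the key size explicitly instead of relying on the provider default
    KeyPair keyPair = keyPairGenerator.generateKeyPair();
    PublicKey publicKey = keyPair.getPublic();
    PrivateKey privateKey = keyPair.getPrivate();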
Offline CTucker1327
« Reply #5 - Posted 2013-12-13 13:08:33 »

Also, make sure not to give the client any direct access to the SQL database, make sure everything is done server-side and try to use PreparedStatements if at all possible to void out SQL injection.