  Online RPG Secure Login and Player Actions  (Read 1245 times)
Offline Rayexar

« Posted 2013-12-12 13:35:03 »

Hi,

I'm working on an online RPG type thing, where user stats are stored in a MySQL database. Basically I'm not sure how to allow the players to perform actions securely after they've logged in. I could have done it by letting the client know that the player successfully logged in, and allowing actions to be sent to the server, but my friend (who can hack games) said it's not very secure.

The other method I thought of is to check whether the username and password entered by the player are correct every time he/she tries to perform an action, but that seems inefficient.

EDIT: I'm using Kryonet for the networking.

Any ideas?

Thanks!

Offline trollwarrior1
« Reply #1 - Posted 2013-12-12 13:41:54 »

I made a really simple prototype of my RPG game networking, and the way I did it was something like this:
- Try to log in.
- If login is successful, generate a key of 30 random characters and send it to the person who tried to log in.
- When the person wants to do a certain action, send the action along with the key.
- The server should check all the keys it generated and apply the action to the player with that key. I think you understand.

You could also generate a key every 10 seconds or something. That would make it even more secure.

EDIT:

For maximum security, do ALL the game LOGIC on the server. If you want to move to a certain tile, check all the collision and everything on the server. Don't let the client do anything, except for taking inputs.
Offline Rayexar

« Reply #2 - Posted 2013-12-12 13:53:49 »

Wow that was a fast reply lol, thanks!

I understand your idea, but how would you generate a key, and where would it be stored on the server? In the actual server application, or the database?
Offline trollwarrior1
« Reply #3 - Posted 2013-12-12 14:03:12 »

Let's say we have a player list. When a player logs in, we add that player to the server's player list along with the generated key. That key would be generated once every login / after some time periods.

I don't even know why you are using a database. You probably don't know how to make an online game yet, and you're already thinking about how to store data. First you should make an online RPG game where you can actually do something, then think about storage.

I think you should just do the server like you can. If it is your first server, it doesn't have to be secure, it just has to work.
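
Added example, not part of any post in this thread: the key scheme from replies #1 and #3 (issue a random key at login, keep it in a server-side list, look the player up by that key on every action) written out in Java. The class name, the 32-byte token length and the 15-minute idle timeout are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: server-side session tokens issued after a successful login. */
public class SessionRegistry {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_MILLIS = 15 * 60 * 1000L; // assumed idle timeout

    private static final class Session {
        final String username;
        volatile long expiresAt;
        Session(String username, long expiresAt) { this.username = username; this.expiresAt = expiresAt; }
    }

    // token -> session; lives in server memory only, never in the client or the database
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    /** Call only after the password check has passed. */
    public String open(String username, long now) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG, not java.util.Random
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(username, now + TTL_MILLIS));
        return token;
    }

    /** Returns the username bound to the token, or null if it is unknown or expired. */
    public String resolve(String token, long now) {
        Session s = (token == null) ? null : sessions.get(token);
        if (s == null) return null;
        if (now >= s.expiresAt) { sessions.remove(token); return null; }
        s.expiresAt = now + TTL_MILLIS;            // sliding expiry: activity keeps the session alive
        return s.username;
    }

    /** Call on logout or disconnect so the token cannot be reused. */
    public void close(String token) { if (token != null) sessions.remove(token); }

    public static void main(String[] args) {
        SessionRegistry reg = new SessionRegistry();
        long t0 = System.currentTimeMillis();
        String token = reg.open("rayexar", t0);    // constructed sample user
        System.out.println(reg.resolve(token, t0 + 1000));
        System.out.println(reg.resolve("forged-token", t0 + 1000));
        System.out.println(reg.resolve(token, t0 + 1000 + TTL_MILLIS + 1));
    }
}
```

The server takes the player identity from `resolve`, never from a username field in the action message, so a client cannot act as another player by editing its own packets.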
Offline Mac70
« Reply #4 - Posted 2013-12-12 14:15:27 »

Three tips:

1. Use an encryption algorithm with public and private keys generated each time a player logs in/registers/wants to send any data which must be secured. The public key is sent to the client and used to encrypt passwords/emails, then the secured data is sent back to the server and decrypted using the private key.
2. If you store passwords on the server, salt and hash them before saving. Store the salt (not secured in any way) together with the password. When the client logs in, add the salt to the received password, hash it and compare with the hashed password on the server. Create a new salt each time a user registers/changes password.
3. Take a look at java.security package, especially KeyFactory, KeySpec, PublicKey, PrivateKey, Cipher, SecureRandom.

Some code:

1. Very simple salt generator:

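    import java.security.SecureRandom;
    import java.util.Base64;
    // Base64 keeps every random byte; new String(bytes) would corrupt them via the platform charset.
    public static String newSalt() {
        return Base64.getEncoder().encodeToString(new SecureRandom().generateSeed(20));
    }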


2. Generation of public and private keys:

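    import java.security.*;
    // Set the key size explicitly; the provider default varies by JDK version.
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(2048);
    KeyPair keyPair = keyPairGenerator.generateKeyPair();
    PublicKey publicKey = keyPair.getPublic();
    PrivateKey privateKey = keyPair.getPrivate();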

Offline CTucker1327
« Reply #5 - Posted 2013-12-13 14:08:33 »

Also, make sure to not give the client any direct access to the SQL database. Make sure everything is done server-side and try to use PreparedStatements if at all possible to void out SQL injection.