Online RPG Secure Login and Player Actions

[Rayexar]

Hi,

I'm working on an online RPG type thing, where user stats are stored in a MySQL database. Basically I'm not sure how to allow the players to perform actions securely after they've logged in. I could have done it by letting the client know that the player successfully logged in, and allowing actions to be sent to the server, but my friend (who can hack games) said it's not very secure.

The other method I thought of is to check whether the username and password entered by the player is correct every time he/she tries to perform an action, but that seems inefficient.

EDIT: I'm using Kryonet for the networking.

Any ideas?

Thanks!

[trollwarrior1]

I made really simple prototype of my RPG game networking, and the way I did it was something like this:
-Try to login.
-If login successful, generate a key of 30 random characters and send it to the person who tried to login.
-When person wants to do a certain action, send the action along with the key.
-Server should check all the keys it generated and apply action to the player with that key. I think you understand.

You could also generate key every 10 seconds or something. That would make it even more secure.

EDIT:

For maximum security, do ALL the game LOGIC on the server. If you want to move to certain tile, check all the collision and everything on the server. Don't let client do anything, except for taking inputs.

[Rayexar]

Wow that was a fast reply lol, thanks!

I understand your idea, but how would you generate a key, and where would it be stored on the server? In the actual server application, or the database?

Games published by our own members! Check 'em out!

[trollwarrior1]

Let's say we have a player list. When player logs in, we add that player to the server's player list along with the generated key. That key would be generated once every login / after some time periods.

I don't even know why are you using database. You probably don't know how to make an online game yet, and you're already thinking about how to store data. First you should make an online RPG game where you can actually do something, then think about storage.

I think you should just do the server like you can. If it is your first server, it doesn't have to be secure, it just has to work.

[Mac70]

Three tips:

1. Use encryption algorithm with public and private keys generated each time player log in/register/want to send any data which must be secured. Public key is sent to client and used to encrypt passwords/emails, then secured data is sent back to the server and decrypted using private key.
2. If you store passwords on server, salt and hash them before saving. Store salt (not secured in any way) together with password. When client log in, add salt to received password, hash it and compare with hashed password on server. Create new salt each time user register/change password.
3. Take a look at java.security package, especially KeyFactory, KeySpec, PublicKey, PrivateKey, Cipher, SecureRandom.

Some code:

1. Very simple salt generator:

1   2   3

public static String newSalt() {         return new String(new SecureRandom().generateSeed(20));     }

2. Generation of public and private keys:

1   2   3   4

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");             KeyPair keyPair = keyPairGenerator.generateKeyPair();             PublicKey publicKey = keyPair.getPublic();             PrivateKey privateKey = keyPair.getPrivate();

[CTucker1327]

Also, make sure to not give the client any direct access to the SQL Database, make sure everything is done Server-Sided and try to use PreparredStatements if at all possible to void out SQLInjection.