Click here to Skip to main content
15,943,365 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Hello,

I'm developing a game server with a WinForms client for testing. I've set up a packet system where, for example to simulate a player sending a chat message in game, the client constructs a PacketPlayerChat(string message), serializes it and sends it to the server. The server then uses the header data in the packet to reconstruct the correct packet type and fill in its values.

When the client connects to the server, simulating a player joining a server in-game, they need to authenticate. The way I'm thinking to do this is to do the following:

• Client connects to game server
• Game Server sends a PacketServerRequestAuth()
• Client sends PacketPlayerAuth(string username, string password)
• Game Server then validates this with the auth server
• The game server sends a PacketServerAuthResult(AuthResult result) depending on the login result
• If login failed, the game server closes the client connection


Of course, username and password will be encrypted.

If this a secure method? I'm aware that a modded server will allow the user to capture encrypted usernames and password, but they're useless to them.

A concern is that a modded server owner could capture the encrypted username and password, and request an auth from the auth server at any given time, making the auth server think the player has logged in (may cause havoc with login statistics).

I think it's best to include some sort of one-use token; if this is a good idea, what's the best way to implement it?

One idea I had is:

• Client requests a token from the auth server
• Client sends login details along with token to the game server
• Game server authenticates user with auth server, which is only possible if the token is valid, and it's one-use.
• Auth server ignores auth requests if the token is invalid.

What I have tried:

Thinking. About a lot of things.
Posted
Comments
George Swan 10-Dec-17 4:35am    
Have you considered implementing Scram-SHA-1 as an authentication method? There is a good article at https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900