Hi,
I´m developing a web site with Symfony (PHP Framework), Flash and SmartFoxServer PRO. The users login in Symfony(PHP) and the session save in database.
I need access to data user form smartfoxserver. In Step 1, I use loadVars (POST method) for get the session id from flash (client). In Step 2 a send the session id to SmartFox. I am concerned for the security. What do you recommend?
Excuse me for my english.
Thanks.
How to get the session id from PHP in a safe
The best way would be the following:
1- User login in your website, via PHP
2- User starts the multiplayer game/chat
3- Your SFS server side code access the Symphony database (mysql?) and sees if the user with that name is really logged in
This way you avoid that someone attempts to skip the PHP login part and tried to freely log into the multiplayer application.
SmartFoxServer can talk directly to any database so it's quite easy to perform the check before allowing the user inside.
You can check the documentation (chapter 6) for all the details and examples (chapter
on how to work with a database
http://www.smartfoxserver.com/docs/
1- User login in your website, via PHP
2- User starts the multiplayer game/chat
3- Your SFS server side code access the Symphony database (mysql?) and sees if the user with that name is really logged in
This way you avoid that someone attempts to skip the PHP login part and tried to freely log into the multiplayer application.
SmartFoxServer can talk directly to any database so it's quite easy to perform the check before allowing the user inside.
You can check the documentation (chapter 6) for all the details and examples (chapter
on how to work with a databasehttp://www.smartfoxserver.com/docs/
Hi Lapo,
Is your method not vulnerable?
Say a user X logged on to the website
and a user Y can easily hijack X's session by simply sending X's login name to SFS.
A work around can be to track IP, but that would mean users behind proxy might not be able to login or users behind proxy can hijack sessions.
I think a better way would be:
1- Generate a md5 hash of (session_id + some static user data)
2- Send this as get variable to the SFS client link (sth like, SFSClient.swf?randlink_id = 890809a8sdf9d8fas9d8fas9f). The client in turn sends it to the server
3 - Now read the session ID from DB on SFS Server and try regenerating the hash and if both the getHash and generatedHash match, you have a valid login.
Let me know if someone can think of a better way.
Is your method not vulnerable?
Say a user X logged on to the website
and a user Y can easily hijack X's session by simply sending X's login name to SFS.
A work around can be to track IP, but that would mean users behind proxy might not be able to login or users behind proxy can hijack sessions.
I think a better way would be:
1- Generate a md5 hash of (session_id + some static user data)
2- Send this as get variable to the SFS client link (sth like, SFSClient.swf?randlink_id = 890809a8sdf9d8fas9d8fas9f). The client in turn sends it to the server
3 - Now read the session ID from DB on SFS Server and try regenerating the hash and if both the getHash and generatedHash match, you have a valid login.
Let me know if someone can think of a better way.
Yes, I think you are right.
In fact we strongly recommend to always use a server side extension for handling the login and use our secure login technique as explained in the documentation:
This will provide the best security for any SFS-based application:
http://www.smartfoxserver.com/docs/docP ... /index.htm
In fact we strongly recommend to always use a server side extension for handling the login and use our secure login technique as explained in the documentation:
This will provide the best security for any SFS-based application:
http://www.smartfoxserver.com/docs/docP ... /index.htm