Author Topic: Global Login System (Implementation Discussion)  (Read 83953 times)

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Global Login System (Implementation Discussion)
« on: March 05, 2006, 08:46:55 PM »
Since it seems the global login system was the most popular wish for build 17, we need to come up with a good, secure method of implementing it so I can start coding.  Here's what I had in mind:

- Login names/passwords would be stored in a "central" server (most likely dpball.com) database.
- The passwords would be stored in some kind of encoded manner (the most popular method for this is md5sums, I think).
- For sending the login -- There's a way you're supposed to do this kind of thing to protect it from packet sniffers... the old "lock on a box" analogy.  I think the client sends an encrypted packet with its own key to the server.  The server then encrypts it with its key, sends it back to the client, the client decrypts with its key, sends back to the server, which decrypts with its key to get the login/password.  Is that right?  What encryption algorithm should we use?  Preferably something clean and lean (and free of patents).  For such a small amount of data, it won't need to be too robust, as I don't think anybody could crack it.
- When the server successfully logs into the central server, the central server assigns a temporary password to the client and the game server the client is connecting to.
- The client then logs into the game server with the temporary password (this is done behind the scenes - the client doesn't actually have to type this in).
- Once the client disconnects, the temporary password expires.
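
The temporary-password handoff described in the post above, sketched in Python as an added example that is not part of the original post or the game's code. The class and method names are hypothetical, salted PBKDF2 from the standard library stands in for the md5sums the post mentions, and the links between client, central server and game server are assumed to be protected separately.

```python
import hashlib
import hmac
import secrets

class GameServer:
    """Hypothetical game server: holds only temp passwords, never real ones."""
    def __init__(self):
        self.expected = {}                      # player -> temp password

    def connect(self, player, temp):
        want = self.expected.get(player)
        return want is not None and hmac.compare_digest(want.encode(), temp.encode())

    def disconnect(self, player):
        self.expected.pop(player, None)         # temp password expires here

class CentralServer:
    """Hypothetical central login server holding the account database."""
    def __init__(self):
        self.accounts = {}                      # login name -> (salt, hash)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self.accounts[name] = (salt, self._hash(password, salt))

    def login(self, name, password, game_server):
        """Check the password; on success issue one temp password to both sides."""
        salt, stored = self.accounts.get(name, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return None                         # unknown name or wrong password
        temp = secrets.token_urlsafe(24)        # random, unrelated to the password
        game_server.expected[name] = temp       # copy for the game server
        return temp                             # copy for the client

def demo():
    """Constructed accounts and servers; returns each step's outcome in order."""
    central, gs1, gs2 = CentralServer(), GameServer(), GameServer()
    central.register("player1", "constructed-sample-password")
    rejected = central.login("player1", "wrong-guess", gs1)
    temp = central.login("player1", "constructed-sample-password", gs1)
    results = [rejected is None, gs1.connect("player1", temp),
               gs2.connect("player1", temp)]    # not valid on another server
    gs1.disconnect("player1")
    results.append(gs1.connect("player1", temp))  # expired after disconnect
    return results
```

The game server only ever sees the random temporary password, so a compromised or malicious game server learns nothing that works at the central server or on another game server.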

Smokey

  • Autococker
  • Posts: 1172
Re: Global Login System (Implementation Discussion)
« Reply #1 on: March 05, 2006, 08:50:48 PM »
Sounds good, but would the registration process go through the same crap?

Eiii

  • Autococker
  • Posts: 4595
Re: Global Login System (Implementation Discussion)
« Reply #2 on: March 05, 2006, 09:01:37 PM »
What would be done if someone were to get someone else's password? How would that be handled?

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Global Login System (Implementation Discussion)
« Reply #3 on: March 05, 2006, 09:12:24 PM »
There are a few ways to do this.

1. Have the player login to their local client.  Have a registration type screen pop up where they enter some key info, set up a secured question and answer, and those results are encrypted and go back to the server.  But when the user registers his client, a specific key gets generated based on a given piece of info that he enters. That key is then sent back to the server for safe keeping and that key is used for authentication.

2.  Have the user log in to a central server where he enters key information, i.e., Q and A stuff, and a key is generated.  This key the user then enters in to his client which then authenticates the user and possibly generates a second clear key.

Remember: the user ID (key or whatever) can be encrypted and should be, as once it's entered, no one needs to see it.  Even the DBA browsing the database.

Now for stats gathering, you might want a clear key that is generated based on info the user enters.

These are just some thoughts.

GreenAffairz

  • Autococker
  • Posts: 515
Re: Global Login System (Implementation Discussion)
« Reply #4 on: March 05, 2006, 09:59:31 PM »
OK, all that sounds good, but in the future will we have built-in player stats? ;p

P!nk

  • Autococker
  • Posts: 948
_
« Reply #5 on: March 05, 2006, 10:19:04 PM »
Post removed
« Last Edit: July 26, 2010, 02:41:38 AM by P!nk »

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Global Login System (Implementation Discussion)
« Reply #6 on: March 05, 2006, 10:41:25 PM »
KnacK:  I'm not sure if I follow, but it sounds kind of like we're saying the same thing.  The password would be encrypted in the database.  I'm not sure I see the need for questions and answers, though.  A simple username and password should be sufficient, no?

Also, it might be nice to be able to "save" your password, so that you don't have to log in every time you play.  I wonder what the most secure way to do that would be.

I'm going to implement the login system first, then we'll worry about stats later.  One thing at a time. :)  The two main purposes stats will serve right now are protecting users' names and combating cheaters.

Oh, a couple notes I forgot to mention about the logins:
- They'd be alphanumeric only and case insensitive.  Color codes, spaces, splats, etc. will be stripped off (this should cut back on people doing clever things to create names that are visually the same, but technically different).
- There will be a primary name and two alternate names.  The primary name will remain the same, but the alternate names can be changed every, say, 2 weeks (in order to allow for clan tags and whatnot).

Eiii

  • Autococker
  • Posts: 4595
Re: Global Login System (Implementation Discussion)
« Reply #7 on: March 05, 2006, 10:50:59 PM »
Alternate names, eh? I think there should be a primary name, then a tag that would automatically be put in front of the name in brackets.

Smokey

  • Autococker
  • Posts: 1172
Re: Global Login System (Implementation Discussion)
« Reply #8 on: March 06, 2006, 12:35:17 AM »
What if it's a clan that doesn't have it in front... or not brackets?

Eiii

  • Autococker
  • Posts: 4595
Re: Global Login System (Implementation Discussion)
« Reply #9 on: March 06, 2006, 12:58:26 AM »
Meh. It'd just make tags universal.

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Global Login System (Implementation Discussion)
« Reply #10 on: March 06, 2006, 05:25:26 AM »
The question and answer would be used to reissue a password.

i.e., skater forgets his password. He goes to the web site and clicks on the "I R A dumbie and forgot my password" link.
From there he enters his primary user id.
A challenge phrase appears that he entered when he registered:
 i.e., "What color is my white dog"
 and skater, having some sort of mental wit, would respond to his previously entered response:
"white"

I guess the main thing is we need to lay out exactly what is going to be accomplished by the global login:

Stats user and clan
Security/fraud/theft of user name-id
clan membership
authentication of valid client software.

Oh, while I'm thinking about it, the login might also grab the login IP address as well as the original IP address when the account was created.  This would also help in fraud cases within the DP community or if skater just really was a dumbie and entered "red" for his response to his challenge phrase.

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Global Login System (Implementation Discussion)
« Reply #11 on: March 06, 2006, 01:29:15 PM »
I've never cared much for password retrieval questions.  People should just use passwords they remember.  I mean, what if skater's friend pretends to be skater forgetting his question, and, knowing the color of skater's white dog, answers correctly, thus gaining control of skater's account.  Plus they make things more complicated to implement.

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Global Login System (Implementation Discussion)
« Reply #12 on: March 06, 2006, 02:31:41 PM »
It really does need to be in there, or it will be an admin's nightmare. :P

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Global Login System (Implementation Discussion)
« Reply #13 on: March 06, 2006, 04:30:37 PM »
I think a "forgot password"/"reset password" email is a better approach, personally.

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Global Login System (Implementation Discussion)
« Reply #14 on: March 06, 2006, 08:13:48 PM »
ok...
grumblegrumblegrumble....
 :-X

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Global Login System (Implementation Discussion)
« Reply #15 on: March 06, 2006, 08:35:11 PM »
* jitspoe gets the feeling that knack forgets his password a lot.

SkateR

  • Autococker
  • Posts: 1173
Re: Global Login System (Implementation Discussion)
« Reply #16 on: March 06, 2006, 09:53:47 PM »
Whoa, how'd I get mixed up with all of this? :)

I like the idea there Jitty, too many people wanna fake my famous name :-p

Eiii

  • Autococker
  • Posts: 4595
Re: Global Login System (Implementation Discussion)
« Reply #17 on: March 06, 2006, 10:40:07 PM »
What's to prevent someone from registering a known person's name before they get to it?

jitspoe

  • Administrator
  • Autococker
  • Posts: 18802
Re: Global Login System (Implementation Discussion)
« Reply #18 on: March 06, 2006, 11:20:39 PM »
Honor and dignity?  And a trip to global ban land if they don't have such things?

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Global Login System (Implementation Discussion)
« Reply #19 on: March 07, 2006, 08:59:26 AM »
Quote
What's to prevent someone from registering a known person's name before they get to it?

That's why IP logging should be utilised for registration and login attempts.