Author Topic: how to make a login system ?  (Read 3826 times)

biyarjomandi

how to make a login system ?
« on: July 13, 2016, 06:09:35 AM »
Hi.
I am going to make a login system that stores all players' login info in a dataNode file on the server.
I tried loading that file in the login screen and reading the data to check whether the player entered the user name and password correctly.
This process is OK.
To register a new player, I load the file, the player enters the required info, and I check that it doesn't already exist; then I addchild to the dataNode, parse everything, and save the file again. But with this process every player loads that file and saves that file completely, so as more players register new user names, the size of the file increases more and more.
Am I doing something wrong? Or is there a better way to make a login system?

ArenMook

Re: how to make a login system ?
« Reply #1 on: July 13, 2016, 11:22:03 AM »
I wouldn't do it like this.

I suggest adding a custom packet to the server that will send an encrypted password (never send raw passwords over the network!). Inside this packet handling on the server read the encrypted password (don't decrypt it!), read a file associated with the player (for example "Players/PlayerNameOrID.login"), and match the encrypted password to the contents of the file. If the file doesn't exist, then it's a new player. If the encrypted password strings don't match, the login fails.

For the encryption itself don't use some static key as anyone that gains access to the server-side file will then be able to decrypt the passwords. You can use the password itself as the key for encryption -- encrypt the password value with the key being based on the password value itself. This way no one will be able to retrieve the original password without actually knowing the password to begin with.

biyarjomandi

Re: how to make a login system ?
« Reply #2 on: July 18, 2016, 06:13:42 AM »
Thanks for your support.
I made my own login system and it's working well, and of course I did it with encryption.
Now my question is: how can I check whether another user is already logged in with the same email and password? I set the player's email as TNmanager.playername because it's unique, so I need to check whether this player name already exists on the server (not in a specific channel).
1- How can I check how many players have the playername "1@1.com", for example?
2- Is it possible to change TNmanager.playername for a connected player?

Is there any better suggestion for this purpose?

cmifwdll

Re: how to make a login system ?
« Reply #3 on: July 18, 2016, 08:02:04 AM »
I wouldn't make players' email addresses visible to other players. There could be some privacy / security concerns in doing that.

I think what you're looking for is session management. TCP already does this, so why not identify players by their socket? But, if you really want to keep track of which email addresses are currently logged in, why not keep a server-side List<string> that's added to when a user logs in (and removed from when they log out)? Very, very important that it's server-side only. I'd suggest a full security audit before releasing your game, just in case. Users like to use the same email and password on multiple services, so you've got to handle sensitive information like that with great care, even if it is just a video game ;)
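
An added example, not part of the original thread and not TNet code: one way to keep the server-side record of logged-in accounts suggested above. It uses a pair of dictionaries rather than a List<string> so that a dropped connection releases the account; SessionRegistry, connectionId and accountKey are assumed names.

```csharp
using System.Collections.Generic;

// Added example: server-only record of which accounts are logged in.
// SessionRegistry, connectionId and accountKey are hypothetical names, not TNet API.
public sealed class SessionRegistry
{
    readonly object mLock = new object();
    readonly Dictionary<string, int> mByAccount = new Dictionary<string, int>();    // account -> connection
    readonly Dictionary<int, string> mByConnection = new Dictionary<int, string>(); // connection -> account

    // Treat "A@B.com " and "a@b.com" as the same account.
    static string Normalize(string accountKey) { return accountKey.Trim().ToLowerInvariant(); }

    // Call only after the credentials have been verified. Returns false when the
    // account is already in use, or this connection is already logged in.
    public bool TryLogin(int connectionId, string accountKey)
    {
        string key = Normalize(accountKey);
        lock (mLock)
        {
            if (mByAccount.ContainsKey(key) || mByConnection.ContainsKey(connectionId)) return false;
            mByAccount[key] = connectionId;
            mByConnection[connectionId] = key;
            return true;
        }
    }

    // Call on explicit logout AND on socket disconnect, so a dropped
    // connection does not leave the account locked out.
    public void Release(int connectionId)
    {
        lock (mLock)
        {
            string key;
            if (!mByConnection.TryGetValue(connectionId, out key)) return;
            mByConnection.Remove(connectionId);
            mByAccount.Remove(key);
        }
    }

    public bool IsLoggedIn(string accountKey)
    {
        lock (mLock) return mByAccount.ContainsKey(Normalize(accountKey));
    }
}
```

The registry lives only in server memory and is never sent to clients, so other players never see which email addresses are online.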

devomage

Re: how to make a login system ?
« Reply #4 on: July 18, 2016, 04:42:59 PM »
This might be useful:
(never, ever decrypt a password)

https://docs.unity3d.com/ScriptReference/SystemInfo-deviceUniqueIdentifier.html

biyarjomandi

Re: how to make a login system ?
« Reply #5 on: July 18, 2016, 10:43:34 PM »
Thanks for the reply.
I really care about security, and I encrypted everything that is transported through the network, and I use an encrypted version of everything, even a simple health variable. I asked that as an example. I wanted to use the encrypted email address in my code to make sure players won't log into the game with the same account at the same time.
I want my players to be able to join the game from multiple devices, but not at the same time. Can you show me an example of a server-side List<string>?
If I could change Tnmanager.PlayerName for a connected player I could solve my problem, but it doesn't change.
« Last Edit: July 18, 2016, 10:59:42 PM by biyarjomandi »

cmifwdll

Re: how to make a login system ?
« Reply #6 on: July 19, 2016, 07:16:02 AM »
Well, it's important that you're doing the encryption (and hashing!) serverside as well, and keeping it serverside. TNManager doesn't exist on the server so I'm a little concerned.

Anyway, you could add a string emailAddress to the TNPlayer.cs file (on the server). Then in TNGameServer.cs where you should be handling the registration / login you could just set that property on the player. Now wherever you want to check if an email is in use, you can just iterate over mPlayers and compare the emailAddress property. If you find a match then that email address is logged in elsewhere. If not, then you're good to go. mPlayers contains every player connected to the server, including those in other channels.

Again, this all exists strictly on the server. I wouldn't be storing encrypted passwords, either, btw. Hash the password clientside, encrypt the payload, send to server. Server decrypts the payload, then generates a random salt, hashes the hash with the salt, stores the hashed hash w/ the random salt. Use a secure encryption method (AES), and a secure hashing method (md5, sha256). Generating the salt should be using a random seed as well, and the hash should be hashed multiple times serverside before being stored (just in case).