alberto2345 Posted December 6, 2015

Hello,

Not sure whether this is the appropriate place to ask this question, but I'm making a login system and I have an idea to allow automatic login. It would be based off the player's serial number and checked with the database to see if it matches a player's account details with the serial number.

I'm worried about how secure that would be, more of the fact if the player can somehow spoof their serial number to be someone else's. I don't know how the serial numbers are generated and I don't know how secure they are, which is why I'm worried and wondering if anybody would know whether this is a safe decision to make, or whether it'd be best to pass on the idea? I know that it isn't easy to spoof it, but I'm wondering whether you can put a lot of trust in them?

Thoughts? Thanks.
SpecT Posted December 6, 2015

You could store the player's login details in an XML file on their PC. And when they join, check that file and if the account details are right then auto login.
alberto2345 (Author) Posted December 6, 2015 (edited December 7, 2015 by Guest)

But what if someone replaces the details in the XML file with another player's details? Then they could log into their account?
SpecT Posted December 6, 2015

Well, to do that they will need to have their username and password and also to use their serial. It will be a bit hard to do that. BTW, that's how the "Remember me" function works.
alberto2345 (Author) Posted December 6, 2015 (edited December 7, 2015 by Guest)

Oh, I understand what you mean now, but it is still basically the same system, it's just that your idea has the extra step of checking if the username and password is in the file. So if someone was able to change the serial number to someone else's, then they would also just need to change their username and password in the file, which could be obtained by a program downloaded by the user which sends the file to a server, which a person demonstrated doing on another server I use to play on. It does require an extra bit of work for someone though. Maybe I'm just too paranoid, idk
SpecT Posted December 6, 2015

WTF dude. Who would do that just to get someone's account details? Well, if the player has rights in the server then he should be careful what he does on his PC. I don't have any more ideas. Maybe the others do. Good luck!
alberto2345 (Author) Posted December 6, 2015 (edited December 7, 2015 by Guest)

No worries dude, I think I'm just too paranoid. I think my idea will be fine, but still open to anybody else's suggestions.
Dealman Posted December 6, 2015

You could indeed use their serial to generate means of achieving secure auto-login, but I believe there is a small chance for users to have the same serial number. Do note though, that the chance of this happening is extremely small (read this some while ago, it's very possible this might have changed since then).

Then there's also the problem of the serial being generated as per your hardware (and IP I think?). So there's also the possibility of their serial being changed if they change some of the hardware and thus the auto-login would cease to work.

You'll also want to make sure you use a salt when you store people's passwords. Preferably a salt that is randomly generated every time someone attempts to register, this way each user would have their own unique salt.

Quite frankly I'm not entirely sure what would be the best approach to create auto-login within MTA in terms of security. I would guess their serial is a good place to start. Personally I would refrain from storing any kind of information regarding their username and/or password on their computer, instead try and store it all on the server.

> WTF dude Who would do that just to get someone's account details. Well, if the player has rights in the server then he should be careful what he does on his PC. I don't have any more ideas. Maybe the others do have. Good luck!

You would be amazed by the amount of trouble some people can and will go through to get someone else's details. Also, as a programmer, you should always think ahead and assume that the user will do something wrong.
alberto2345 (Author) Posted December 7, 2015 (edited December 7, 2015 by Guest)

Thanks for your input, really helpful!
sbx320 (MTA Team) Posted December 7, 2015

There have been some events of people using serial changers as well as players with the same serial. Therefore I'd suggest to avoid using the serial as an account login.

My personal solution for auto-logins would be similar to the following:

Upon registration ask the user to provide username and password. Store the name and the hashed password in some database. Also create a random hash and store it in the database. Also send this hash to the client and store it there together with the username.

On subsequent logins the user has two options:
a) Login via Username and Password
b) Login via Username and random hash
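A sketch of the scheme sbx320 outlines, with the per-user salt Dealman mentions, as an added example that is not part of the thread and not MTA's own code. It is written in Python rather than MTA Lua; the in-memory `ACCOUNTS` table, the function names, the PBKDF2 parameters, token rotation and keeping only a digest of the token on the server are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for the server-side account database (assumption).
ACCOUNTS = {}
PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch

def _hash_password(password, salt):
    # Slow, salted hash; the salt is random per user and stored beside it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _issue_token(username):
    # The random value goes to the client; the server keeps only its digest,
    # so a leaked database does not hand out working auto-login tokens.
    token = secrets.token_urlsafe(32)
    ACCOUNTS[username]["token_digest"] = hashlib.sha256(token.encode()).digest()
    return token

def register(username, password):
    if username in ACCOUNTS:
        raise ValueError("username already taken")
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {"salt": salt,
                          "pw_hash": _hash_password(password, salt),
                          "token_digest": None}
    return _issue_token(username)  # client stores this next to the username

def login_with_password(username, password):
    # Option a): returns a fresh token on success, None on failure.
    account = ACCOUNTS.get(username)
    if account is None:
        return None
    candidate = _hash_password(password, account["salt"])
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return None
    return _issue_token(username)  # rotation: any older token stops working

def login_with_token(username, token):
    # Option b): constant-time comparison against the stored digest.
    account = ACCOUNTS.get(username)
    if account is None or account["token_digest"] is None:
        return False
    candidate = hashlib.sha256(token.encode()).digest()
    return hmac.compare_digest(candidate, account["token_digest"])

def revoke_token(username):
    # For a password change or a reported copy of the client-side file.
    ACCOUNTS[username]["token_digest"] = None
```

Unlike a serial, the token is unique per account, carries no password material, and can be revoked or rotated by the server when the client-side file is suspected to have been copied.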
alberto2345 (Author) Posted December 8, 2015

Thanks for that sbx320, sounds a lot better! So am I correct in thinking that you basically generate a custom serial number for each player?