TM-FORUM

The TrackMania universal forum ^_^
It is currently Tue Sep 23, 2014 7:21 am

All times are UTC + 2 hours [ DST ]




 Post subject: How to prevent from faking $p links?
PostPosted: Sun Oct 17, 2010 10:20 pm 
cyclist

Joined: Sat Mar 29, 2008 6:54 pm
Posts: 42
Location: Poland
Owned TM-games: TM United Forever
Manialink(s): sebik
Hey guys :)
I manage my manialink "SebikStore" on which I sell tracks.

Right now the players are logged in via their own login. Then the rest of the operations, like getting info from the SQL database and PHP scripting, rely on the given login (simply: the user has their own account).

The main problem is that the login can easily be fabricated by entering another login in the URL of the manialink. At this moment it is secured by the need to enter a password. This solution is more stable, but it also requires a whole system of registration and a log-in screen.

I would be delighted if there existed any secure option of giving "addplayerid". Players would save time and the whole system could be simpler. I've noticed that, for example, on ManiaHome I don't need to log in, and what's more, I didn't know how to deceive the system and enter another login.

For any assistance thanks in advance.
Sebik

_________________
Click to download my last stadium track "[RPG] Four Powers" (Awards for all tracks: ~400)


 
 Post subject: Re: How to prevent from faking $p links?
PostPosted: Tue Oct 19, 2010 9:50 pm 
highway camper

Joined: Fri Dec 28, 2007 9:11 pm
Posts: 4
Owned TM-games: TMNF, TMUF
Something I've found to work well is to use POST to send a variable to the next page when the button is clicked. If someone tries to modify the URL and refresh the page, there won't be any variable posted, so you can deny access based on that. It doesn't matter what the variable contains as long as it's not empty.


 
 Post subject: Re: How to prevent from faking $p links?
PostPosted: Wed Oct 20, 2010 3:49 pm 
pedestrian

Joined: Mon Sep 07, 2009 2:06 pm
Posts: 14
Location: Poland
Owned TM-games: TMO, TMSX, TMUF
Manialink(s): rhino
@thedarkness, this can also be faked. Not so easily, but an experienced user will be able to do that.


 
 Post subject: Re: How to prevent from faking $p links?
PostPosted: Wed Oct 20, 2010 4:58 pm 
cyclist

Joined: Sat Mar 29, 2008 6:54 pm
Posts: 42
Location: Poland
Owned TM-games: TM United Forever
Manialink(s): sebik
It needs to be fully secured. I can use it, but for non-vital procedures (but validating e.g. the purchase of a track cannot be faked).

_________________
Click to download my last stadium track "[RPG] Four Powers" (Awards for all tracks: ~400)


 
 Post subject: Re: How to prevent from faking $p links?
PostPosted: Wed Oct 20, 2010 5:46 pm 
Pit Crew

Joined: Mon Sep 05, 2005 8:51 pm
Posts: 2124
Location: TraxicoLand (Fr)
Owned TM-games: ALL
There is no way to fully secure it.

A way to help a little is using a cookie: you set a session-like cookie value that you check on the manialink server side. So when the cookie is not set/valid you make a real auth, and on further visits you use the cookie to auth, and just give a connect button to check it against the addplayerid values (because you will get the same cookie if the same computer/game uses another TM account). You can check the cookie/addplayerid values each time to make faking the addplayerid more complicated.

Note that the TMF cookies are shared with IE ones.

You can also check that $_SERVER['HTTP_USER_AGENT'] is 'GameBox', if not then you are sure that it's not the game but a browser or other (but still, no way to be fully sure that it's the game)...


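The cookie check described in the post above, as an added PHP example that is not part of the thread: after a real (password) auth the server issues a signed cookie naming the login, and later requests are accepted only when that cookie is valid and matches the addplayerid value from the URL. The HMAC construction, the secret, the cookie format and all function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. SECRET_KEY, COOKIE_TTL and the
// function names are hypothetical; the sample logins below are constructed.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';
const COOKIE_TTL = 86400; // seconds a cookie stays valid after a real auth

// Call only after the password check ("real auth") succeeded for $login.
function issue_auth_cookie_value(string $login, int $now): string
{
    $payload = base64_encode($login) . '.' . ($now + COOKIE_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Returns the authenticated login, or null when a real auth is required.
// $claimed is the addplayerid value from the URL: an untrusted claim.
function login_from_request(?string $cookie, ?string $claimed, int $now): ?string
{
    if ($cookie === null || $claimed === null) {
        return null;                 // no cookie yet: fall back to real auth
    }
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;                 // not a cookie this server issued
    }
    [$b64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '.' . $expires, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                 // forged or altered cookie
    }
    if (!ctype_digit($expires) || (int)$expires < $now) {
        return null;                 // expired
    }
    $login = base64_decode($b64, true);
    if ($login === false || !hash_equals($login, $claimed)) {
        return null;                 // cookie was issued to another account
    }
    return $login;
}

// Constructed sample run: "sebik" did a real auth, then three requests follow.
$now    = time();
$cookie = issue_auth_cookie_value('sebik', $now);
var_dump(login_from_request($cookie, 'sebik', $now)); // cookie and URL agree
var_dump(login_from_request($cookie, 'rhino', $now)); // addplayerid changed in the URL
var_dump(login_from_request(null, 'sebik', $now));    // first visit, no cookie
```

In a page handler the value would be sent with `setcookie()` and read back from `$_COOKIE`, and a purchase step would act on the login this function returns rather than on the URL parameter.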
 
 Post subject: Re: How to prevent from faking $p links?
PostPosted: Wed Oct 20, 2010 11:54 pm 
pedestrian

Joined: Mon Sep 07, 2009 2:06 pm
Posts: 14
Location: Poland
Owned TM-games: TMO, TMSX, TMUF
Manialink(s): rhino
Using cookies also isn't a good way IMO. The best way is to create a registration & login system...


 
 Post subject: Re: How to prevent from faking $p links?
PostPosted: Thu Oct 21, 2010 1:00 am 
Pit Crew

Joined: Mon Sep 05, 2005 8:51 pm
Posts: 2124
Location: TraxicoLand (Fr)
Owned TM-games: ALL
rhino wrote:
Using cookies also isn't a good way IMO. The best way is to create a registration & login system...

It was what I meant with "make a real auth" (in the case the session-cookie is not set or valid)

