How to prevent from faking $p links?


How to prevent from faking $p links?

Post by sebik1992 » 17 Oct 2010 19:20

Hey guys :)
I manage my manialink "SebikStore" on which I sell tracks.

Right now the players are getting logged in via their own login. Then the rest of the operations, like getting info from the SQL base and PHP scripting, rely on the given login (simply: the user has their own account).

The main problem is that the login can be easily fabricated by entering another login in the URL of the manialink. At this moment it is secured with the need to enter a password. This solution is more stable, but also requires a whole system of registration and a log-in screen.

I would be delighted if there existed any secure option of giving "addplayerid". Players would save time and the whole system could be simpler. I've noticed that, for example, on ManiaHome I don't need to log in, and what's more I didn't know how to deceive the system and enter another login.

For any assistance thanks in advance.
Sebik


Re: How to prevent from faking $p links?

Post by thedarkness » 19 Oct 2010 18:50

Something I've found to work well is to use POST to send a variable to the next page when the button is clicked. If someone tries to modify the URL and refresh the page, there won't be any variable posted, so you can deny access based on that. It doesn't matter what the variable contains as long as it's not empty.


Re: How to prevent from faking $p links?

Post by rhino » 20 Oct 2010 12:49

@thedarkness, this can also be faked. Not so easily, but an experienced user will be able to do that.


Re: How to prevent from faking $p links?

Post by sebik1992 » 20 Oct 2010 13:58

It needs to be fully secured. I can use it, but for non-vital procedures (but validating e.g. the purchase of a track cannot be faked).


Re: How to prevent from faking $p links?

Post by Slig » 20 Oct 2010 14:46

There is no way to fully secure.

A way to help a little is using a cookie: you set a session-like cookie value that you check on the manialink server side. So when the cookie is not set/valid you make a real auth, and on further visits you use the cookie to auth, and just give a connect button to check it against the addplayerid values (because you will get the same cookie if the same computer/game uses another TM account). You can check the cookie/addplayerid values each time to make faking the addplayerid more complicated.

Note that the TMF cookies are shared with IE ones.

You can also check that $_SERVER['HTTP_USER_AGENT'] is 'GameBox', if not then you are sure that it's not the game but a browser or other (but still, no way to be fully sure that it's the game)...
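
Added example, not part of Slig's post or of any code from this thread: one way to implement the cookie check described above, where the login the game appends to the URL is treated only as a claim and a cookie issued after a real auth decides. The signed-token layout, SECRET_KEY, SESSION_TTL and the function names are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
// Added example. SECRET_KEY, SESSION_TTL, the token layout and all function
// names are hypothetical; only the 'GameBox' user agent value is from the thread.
const SECRET_KEY = 'replace-with-a-long-random-server-side-secret';
const SESSION_TTL = 3600; // seconds a cookie stays valid

// Issue this cookie value only after a real authentication (password) succeeded.
function issueSessionToken(string $login, int $now): string
{
    $payload = base64_encode($login) . '.' . ($now + SESSION_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Returns the login bound to the cookie, or null when the cookie is missing,
// malformed, tampered with or expired (the caller must then do a real auth).
function loginFromToken(?string $token, int $now): ?string
{
    $parts = explode('.', (string) $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$b64, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '.' . $expiry, SECRET_KEY);
    if (!hash_equals($expected, $mac) || !ctype_digit($expiry) || (int) $expiry < $now) {
        return null;
    }
    $login = base64_decode($b64, true);
    return $login === false ? null : $login;
}

// The login claimed in the URL is only a hint; it must match the cookie.
function resolvePlayer(?string $claimedLogin, ?string $cookie, string $userAgent, int $now): ?string
{
    if ($userAgent !== 'GameBox') { // weak signal: any client can send this header
        return null;
    }
    $login = loginFromToken($cookie, $now);
    return ($login !== null && $login === $claimedLogin) ? $login : null;
}

// Constructed sample requests.
$now = 1287600000;
$cookie = issueSessionToken('sebik', $now);
var_dump(resolvePlayer('sebik', $cookie, 'GameBox', $now));        // URL login matches the cookie
var_dump(resolvePlayer('someone_else', $cookie, 'GameBox', $now)); // URL login edited by hand
var_dump(resolvePlayer('sebik', null, 'GameBox', $now));           // no cookie yet: real auth needed
```

A null result means the page should fall back to the password login before doing anything that matters, such as validating a purchase.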


Re: How to prevent from faking $p links?

Post by rhino » 20 Oct 2010 20:54

Using cookies also isn't a good way IMO. The best way is to create a registration & login system...


Re: How to prevent from faking $p links?

Post by Slig » 20 Oct 2010 22:00

rhino wrote: Using cookies also isn't a good way IMO. The best way is to create a registration & login system...

It was what I meant with "make a real auth" (in the case the session-cookie is not set or valid)
