Comments on: Building Browsergames: forcing users to log in (PHP) http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/ Ever wanted to build a browsergame? Wed, 10 Mar 2010 20:26:23 +0000 http://wordpress.org/?v=2.8.5 hourly 1 By: kic http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-747 kic Wed, 10 Mar 2010 20:26:23 +0000 http://buildingbrowsergames.com/?p=71#comment-747 What about storing user's IP in the session variable when they log in additionally and check whether it matches current IP on every login check? Wouldn't it make the whole process a bit safer? What about storing user's IP in the session variable when they log in additionally and check whether it matches current IP on every login check? Wouldn't it make the whole process a bit safer?

]]> By: MrLollige http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-612 MrLollige Sat, 14 Mar 2009 23:10:07 +0000 http://buildingbrowsergames.com/?p=71#comment-612 I expected sessions were just a form of standard cookies. But it seems they are not, and secure as you said :)<br>Thanks for sharing this information! I expected sessions were just a form of standard cookies. But it seems they are not, and secure as you said :)
Thanks for sharing this information!

]]> By: MrLollige http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-611 MrLollige Sat, 14 Mar 2009 23:03:12 +0000 http://buildingbrowsergames.com/?p=71#comment-611 Ill do some research on phps sessions function, that will get me more information :D<br>Thanks again for your reply!<br><br>(Still even an encrypted cookie is copyable. If you see a computer where someone is logged in, you could copy the cookie and use it yourself forever. But I am not planning on working with session IDs -_-) Ill do some research on phps sessions function, that will get me more information :D
Thanks again for your reply!

(Still even an encrypted cookie is copyable. If you see a computer where someone is logged in, you could copy the cookie and use it yourself forever. But I am not planning on working with session IDs -_-)

]]> By: Luke http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-610 Luke Sat, 14 Mar 2009 22:06:18 +0000 http://buildingbrowsergames.com/?p=71#comment-610 Realistically, any authentication system you build is unsecure - but PHP's<br>sessions are 'safe enough'. As far as I'm aware(although I'm sure someone<br>will correct me if I'm wrong), sessions are stored in an encrypted format in<br>the cookie - which makes it a little harder for an attacker to just create a<br>cookie with your username inside it.<br>Storing the ID does seem like a better way to do it, if you're going to need<br>the ID very often - it's definitely faster to retrieve something from a<br>cookie than the database. Realistically, any authentication system you build is unsecure – but PHP's
sessions are 'safe enough'. As far as I'm aware(although I'm sure someone
will correct me if I'm wrong), sessions are stored in an encrypted format in
the cookie – which makes it a little harder for an attacker to just create a
cookie with your username inside it.
Storing the ID does seem like a better way to do it, if you're going to need
the ID very often – it's definitely faster to retrieve something from a
cookie than the database.

]]> By: MrLollige http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-370 MrLollige Sat, 14 Mar 2009 18:10:07 +0000 http://buildingbrowsergames.com/?p=71#comment-370 I expected sessions were just a form of standard cookies. But it seems they are not, and secure as you said :)<br>Thanks for sharing this information! I expected sessions were just a form of standard cookies. But it seems they are not, and secure as you said :)
Thanks for sharing this information!

]]> By: MrLollige http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-367 MrLollige Sat, 14 Mar 2009 18:03:12 +0000 http://buildingbrowsergames.com/?p=71#comment-367 Ill do some research on phps sessions function, that will get me more information :D<br>Thanks again for your reply!<br><br>(Still even an encrypted cookie is copyable. If you see a computer where someone is logged in, you could copy the cookie and use it yourself forever. But I am not planning on working with session IDs -_-) Ill do some research on phps sessions function, that will get me more information :D
Thanks again for your reply!

(Still even an encrypted cookie is copyable. If you see a computer where someone is logged in, you could copy the cookie and use it yourself forever. But I am not planning on working with session IDs -_-)

]]> By: Luke http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-363 Luke Sat, 14 Mar 2009 17:06:18 +0000 http://buildingbrowsergames.com/?p=71#comment-363 Realistically, any authentication system you build is unsecure - but PHP's<br>sessions are 'safe enough'. As far as I'm aware(although I'm sure someone<br>will correct me if I'm wrong), sessions are stored in an encrypted format in<br>the cookie - which makes it a little harder for an attacker to just create a<br>cookie with your username inside it.<br>Storing the ID does seem like a better way to do it, if you're going to need<br>the ID very often - it's definitely faster to retrieve something from a<br>cookie than the database. Realistically, any authentication system you build is unsecure – but PHP's
sessions are 'safe enough'. As far as I'm aware(although I'm sure someone
will correct me if I'm wrong), sessions are stored in an encrypted format in
the cookie – which makes it a little harder for an attacker to just create a
cookie with your username inside it.
Storing the ID does seem like a better way to do it, if you're going to need
the ID very often – it's definitely faster to retrieve something from a
cookie than the database.

]]> By: MrLollige http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/comment-page-1/#comment-358 MrLollige Sat, 14 Mar 2009 10:17:29 +0000 http://buildingbrowsergames.com/?p=71#comment-358 I just realized: Isn't this very unsercure? If I create a cookie myself that has your username in it, I am automatically logged in on your account right?<br><br>And why do this instead of just checking if there still is a cookie? I do not need to know the user ID anyway.<br>Also, in my version of the game I am making with your tutorial, I stored the ID in the cookie too, because you really need it often. Or is retrieving data from the database faster/better than retrieving data from a cookie?<br><br>Please explain what and why you did this :) I just realized: Isn't this very unsercure? If I create a cookie myself that has your username in it, I am automatically logged in on your account right?

And why do this instead of just checking if there still is a cookie? I do not need to know the user ID anyway.
Also, in my version of the game I am making with your tutorial, I stored the ID in the cookie too, because you really need it often. Or is retrieving data from the database faster/better than retrieving data from a cookie?

Please explain what and why you did this :)

]]>