Ticket #2617 (closed defect: invalid)
Opened 6 years ago
Last modified 6 years ago
Secure Session Management
| Reported by: | halfhp@… | Owned by: | nick |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | 0.9.3 |
| Severity: | major | Keywords: | |
| Cc: | | | |
| Release Notes: | | | |
| API Changes: | | | |
Description (last modified by cboos)
Game sessions need to be securely managed so that it is not possible to 'break into' other people's games:
When a player is viewing a game, it is through the HTTPGateway. He submits his actions to this gateway which then hands the actions off to the appropriate CardGame object to process.
The HTTPGateway requires the following pieces of information be submitted with the actions to securely handle the interaction:
- A hash that can be used to validate the user's id.
- A sessionID that can be compared with the hash to verify that the user is a part of the specified session.
There may be a simpler design for this though. For example, if we require only the userID hash, we could potentially use this to look up the game that the player belongs to. This would require an object to manage active players as well as a hashtable containing keys long enough to ensure that other active hashes could be guessed.
Here is the rough flow:
1. Player makes a move and the action is sent to the gateway.
2. The gateway receives the action and validates it using the userID and possibly gameID hash.
3. The player's CardGame is retrieved from the CardGameRepository object via the same userID hash OR a gameID.
4. The action is passed into the CardGame object for processing.
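One way a gateway could bind a user to a single game and check that binding before dispatch, as an added example that is not part of the ticket. The HMAC token, the `issue_token` and `handle_action` functions, and the minimal `CardGame` and `CardGameRepository` classes are assumptions for illustration, since the ticket does not say how the hash is computed.

```python
import hashlib
import hmac
import secrets

# Per-process server secret (constructed for this example; never sent to clients).
SERVER_KEY = secrets.token_bytes(32)


class CardGame:
    """Hypothetical stand-in for the ticket's CardGame object."""

    def __init__(self, game_id, players):
        self.game_id = game_id
        self.players = set(players)

    def process(self, user_id, action):
        return f"{user_id}:{action}"


class CardGameRepository:
    """Hypothetical repository mapping game IDs to active games."""

    def __init__(self):
        self._games = {}

    def add(self, game):
        self._games[game.game_id] = game

    def get(self, game_id):
        return self._games.get(game_id)


def issue_token(user_id, game_id):
    """Bind a user to one game with an HMAC only the server can compute."""
    # Length prefix keeps ("a|b", "c") and ("a", "b|c") from colliding.
    msg = f"{len(user_id)}:{user_id}|{game_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_action(repo, user_id, game_id, token, action):
    """Gateway flow: validate the token, fetch the game, then dispatch."""
    expected = issue_token(user_id, game_id)
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        raise PermissionError("token does not match user/game")
    game = repo.get(game_id)
    if game is None or user_id not in game.players:
        raise PermissionError("user is not a player in this game")
    return game.process(user_id, action)
```

Because the token covers both the user ID and the game ID, a token issued for one game is rejected when replayed against another, and the membership check still runs after the token verifies.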
Change History
comment:1 Changed 6 years ago by cboos
- Description modified
- Milestone 1.0 deleted
- Resolution set to invalid
- Status changed from new to closed



Wrong Trac -- Play Again :)
(this is the Trac for the Trac project itself)