Opened 18 years ago

Closed 18 years ago

#2617 closed defect (invalid)

Secure Session Management

Reported by: halfhp@… Owned by: nick
Priority: normal Milestone:
Component: general Version: 0.9.3
Severity: major Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christian Boos)

Game sessions need to be securely managed so that it is not possible to 'break into' other people's games:

When a player is viewing a game, it is through the HTTPGateway. He submits his actions to this gateway which then hands the actions off to the appropriate CardGame object to process.

The HTTPGateway requires the following pieces of information be submitted with the actions to securely handle the interaction:

- A hash that can be used to validate the user's id.
- A sessionID that can be compared with the hash to verify that the user is a part of the specified session.

There may be a simpler design for this though. For example, if we require only the userID hash, we could potentially use this to look up the game that the player belongs to. This would require an object to manage active players as well as a hashtable containing keys long enough to ensure that other active hashes could be guessed.

Here is the rough flow:

1 - Player makes a move and the action is sent to the gateway.
2 - The gateway receives the action and validates it using the userID and possibly gameID hash.
3 - The player's CardGame is retrieved from the CardGameRepository object via the same userID hash OR a gameID.
4 - The action is passed into the CardGame object for processing.
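
The four-step flow above, sketched as an added example that is not part of the original ticket or of any project's code. It assumes the "hash" is an HMAC-SHA256 over the userID and sessionID under a gateway-held secret; GATEWAY_KEY, issue_token, submit and the dict used as the repository are hypothetical names, and HTTPGateway and CardGame are minimal stand-ins for the objects the ticket mentions.

```python
import hashlib
import hmac
import secrets

# Assumption: a single server-side secret held only by the gateway.
GATEWAY_KEY = secrets.token_bytes(32)


def issue_token(user_id: str, session_id: str, key: bytes = GATEWAY_KEY) -> str:
    """Return a hex MAC that binds user_id to session_id."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (user_id.encode(), session_id.encode()))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CardGame:
    """Stand-in for the ticket's CardGame object."""
    def __init__(self, players):
        self.players = set(players)
        self.log = []

    def process(self, user_id, action):
        self.log.append((user_id, action))
        return True


class HTTPGateway:
    """Stand-in gateway: validate, look up the game, then dispatch."""
    def __init__(self, repository, key=GATEWAY_KEY):
        self.repository = repository  # session_id -> CardGame
        self.key = key

    def submit(self, user_id, session_id, token, action):
        # Step 2: recompute the MAC and compare in constant time.
        expected = issue_token(user_id, session_id, self.key)
        if not hmac.compare_digest(expected.encode(), str(token).encode()):
            return False
        # Step 3: fetch the game and confirm membership server-side.
        game = self.repository.get(session_id)
        if game is None or user_id not in game.players:
            return False
        # Step 4: only a validated action reaches the game object.
        return game.process(user_id, action)
```

Because the token is computed over both identifiers, a token issued for one game is rejected when replayed against another, and the membership check still applies to a correctly signed request.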

Change History (1)

comment:1 by Christian Boos, 18 years ago

Description: modified (diff)
Milestone: 1.0
Resolution: invalid
Status: new → closed

Wrong Trac — Play Again :)

(this is the Trac for the Trac project itself)
