HTTP_USER_AGENT
by Robert Brower · in Torque Game Engine · 11/09/2002 (9:12 am) · 5 replies
I want to add persistence to my game using HTTP object in various places within the script and web server using PHP and perhaps an SQL database.
I have a lot of security, cheating, and hacking concerns and I hope to address them all in the course of my design.
One of them in particular is this. HTTP_USER_AGENT is an empty string when a player accesses the web server. It's Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705) when I just use IE to access the URL.
My thought was that I could use HTTP_USER_AGENT to determine if the web server access was valid, i.e. from a player of my game and not some Joe with his browser.
I also realize that this is but one of the many possible scenarios someone would use to corrupt the central database and I'd appreciate some more discussion on flaws in this approach as well as other possible bad issues with it.
Thanks!!!
#2
11/09/2002 (10:45 am)
Thanks for that info. I am learning more and more about this as I research.
#3
11/09/2002 (8:20 pm)
The only way to secure a connection over HTTP is either through SSL or directly encoding/encrypting the information payload in the GET/POST request.
#4
11/09/2002 (9:37 pm)
So is there a way to set the user agent somehow in Torque so it's not an empty string?
#5
11/09/2002 (10:33 pm)
Here is what I would do. Use MD5 hashed strings as like a key validation system. Like the game itself has a hardcoded serial string that it can add to whatever random crap the web server sends to the game to reply back with in MD5-hashed form. That way the web server just has to remember what was the last MD5 random crap it sent back to the game and do a match-up. I guess it would be better if I were to maybe create a resource article about it later on GarageGames. :)
I know that Torque doesn't come with any MD5 hashing code or functions so that will have to be manually implemented, which shouldn't be that hard, but then attempting to do so might not make it cross-platform compatible (the MD5 hashing code). Then again you never know until you try it. :D
Associate James Lupiani
Sickhead Games
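The challenge-response exchange that reply #5 describes, as an added example that is not code from the thread or from Torque: the `md5` branch is the construction from the post, and the default swaps in HMAC-SHA256 with single-use challenges and a constant-time compare. The function and class names, the session ids and the secret value are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret compiled into the game client and also known to the server.
# Constructed sample value. Anyone who recovers it from the client binary can
# answer challenges, so this raises the bar but does not authenticate a player.
SHARED_SECRET = b"constructed-example-secret"


def respond(secret: bytes, challenge: str, algo: str = "sha256") -> str:
    """Client side: compute the reply to the server's challenge."""
    if algo == "md5":
        # Construction as described in the post: MD5(secret + challenge).
        return hashlib.md5(secret + challenge.encode()).hexdigest()
    # Swapped-in hardening (not from the post): HMAC-SHA256 keyed with the secret.
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side: remembers the last challenge issued to each session."""

    def __init__(self, secret: bytes, algo: str = "sha256"):
        self.secret = secret
        self.algo = algo
        self.pending = {}  # session id -> outstanding challenge

    def issue(self, session_id: str) -> str:
        challenge = secrets.token_hex(16)     # unpredictable, from the OS CSPRNG
        self.pending[session_id] = challenge  # replaces any older challenge
        return challenge

    def verify(self, session_id: str, response: str) -> bool:
        # pop() makes every challenge single-use, so a captured reply
        # cannot be replayed against the same session.
        challenge = self.pending.pop(session_id, None)
        if challenge is None:
            return False
        expected = respond(self.secret, challenge, self.algo)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), response.encode())
```

This only shows that the caller holds the secret; it does not protect the request payload in transit, which is the point reply #3 makes about SSL.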