
Security question


freeloader


Not sure if this is the right section, but here we go.

 

I'm developing a game site and I expect quite a bit of cheaters to find their way to the site. I thought up some methods of detecting cheaters, but I'm not sure what would be the best way to implement them.

 

IP lookup

Of course, I will start with the basic IP lookup, but instead of storing only the latest IP one uses, I want to store every IP they ever used on the site and then cross-reference it and see if it was used on another account. What would be the best way to store it? A different user table with 3 columns: username, ip, logdate. Or 2 extra columns to the members table: ip, logdate? IP being a longtext field in the members table where I keep adding IPs. I'm afraid the first method will take up too much space and slow down the rest of the MySQL DB after a year or so, though it probably is the easiest way to search the table for doubles.

 

Flash cookies

What most people forget when trying to cheat is flash cookies (Local Shared Objects). They're pretty hard to remove and to find if you don't know how. Also, bots will not pick them up so if you see a user with no flash cookie inserted, you can flag them as a potential cheater and later find out by login times whether or not it was a bot or a real user with flash disabled. I was thinking of storing a unique id in a flash variable and storing it in the database. Whenever a user signs on with a different account, the unique id gets added to it and I can do an easy user lookup afterwards. My question is: is it possible to read (and possibly write?) flash cookies with php and how do I go about that?

 

Flagging users: on the spot or afterwards?

I'm not sure what to do here either. Do I check to see if an account is a cheater when they log in (ip lookup, flash cookie comparison, update db field and flag as a cheater on the spot) or do I run scripts for that afterwards?

 

Thanks for answering my questions in advance and if you know of any other way to find out double accounts, let me know :)


For the IP issue, you definitely want a new table. Just store the UserID, IP and Date; then you can join the table with your users using the UserID when you need to query it. But in my opinion, it won't have any value. What if two players are in the same dorm or work location that report the same external IP?


It's mostly to assure advertisers not too many ads are being loaded through bots and multiple users. We don't want to lose money because of that :)

 

As for a few IPs on the same PC, we can live with that, and if we have some spare time we'll just compare logdates (or let a script do it). 2 people in the same dorm won't always log in right after each other, right? Multi-accounters probably will log in with more similar login times.


That's always a tough choice to make on the dev side, because whatever you do, you limit what can be done by legit players in the same house. What if I want to play with my son at the same time? Or someone with their roommate, etc.


When Battlefield 2142 came out, EA Games prevented multiple connections from the same IP.  This hurt in the long run, as gaming centers and LAN parties couldn't play.  Be wary of doing that.

 

Flag numerous logins from the same IP, and if it gets to a certain amount, send an email asking for proof of membership for all the IDs. What that proof is, I don't know. Then you'd need another table of flagged IPs and whether they are legit or not.

 

No matter what you do, you will block legitimate users from the site, but these days security almost calls for that.  Just work extremely diligently to make the numbers who get blocked (or blocked temporarily) as few as you can.


Should I make a new entry in the DB for every page? Because if I do a DB insert on the login page, there are 2 problems:

 

1) they may still be logged in from previous session and pass the login page

2) they might login with one ip, change/proxy it and go to the next page

 

Are there other solutions?

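The separate login-history table suggested in the replies, the "same IP within a short time" comparison, and recording the IP from the per-page include rather than only on the login page, as one added example that is not code from this thread. It runs against an in-memory SQLite database through PDO so it works offline; the table, column and function names, and the sample rows, are my own constructions.

```php
<?php
// Added example, not code from the thread. A per-login IP history table (the
// separate table suggested in the replies) plus the cross-reference queries,
// run against an in-memory SQLite database through PDO so it works offline.
// Table, column and function names are my own assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tb_login_log (
              user_id INTEGER NOT NULL,
              ip      TEXT    NOT NULL,
              logdate INTEGER NOT NULL)');            // unix timestamp
$db->exec('CREATE INDEX idx_login_log_ip ON tb_login_log (ip, logdate)');

// Call this from the per-page include, not only from the login page: a row is
// written whenever the client IP differs from the one last seen in this
// session, so a proxy switch after login is recorded without logging every hit.
function record_ip(PDO $db, array &$session, int $userId, string $ip, int $now): bool
{
    if (($session['last_ip'] ?? null) === $ip) {
        return false;
    }
    $session['last_ip'] = $ip;
    $st = $db->prepare('INSERT INTO tb_login_log (user_id, ip, logdate) VALUES (?, ?, ?)');
    $st->execute([$userId, $ip, $now]);
    return true;
}

// Plain cross-reference: every account that has ever been seen from this IP.
function accounts_sharing_ip(PDO $db, string $ip): array
{
    $st = $db->prepare('SELECT DISTINCT user_id FROM tb_login_log WHERE ip = ? ORDER BY user_id');
    $st->execute([$ip]);
    return array_map('intval', $st->fetchAll(PDO::FETCH_COLUMN));
}

// Pairs of different accounts seen from the same IP within $window seconds of
// each other. NAT (a dorm, an office, a LAN party) yields shared IPs too, so
// the time gap is what narrows it down; treat the result as a flag to review,
// not as proof of multi-accounting.
function suspicious_pairs(PDO $db, int $window): array
{
    $st = $db->prepare(
        'SELECT a.user_id AS u1, b.user_id AS u2, a.ip,
                MIN(ABS(a.logdate - b.logdate)) AS gap
           FROM tb_login_log a
           JOIN tb_login_log b ON a.ip = b.ip AND a.user_id < b.user_id
          WHERE ABS(a.logdate - b.logdate) <= ?
          GROUP BY a.user_id, b.user_id, a.ip
          ORDER BY gap');
    $st->execute([$window]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample traffic (documentation IP ranges, not real users).
$session = [];
record_ip($db, $session, 1, '203.0.113.5', 1000);   // user 1 logs in
record_ip($db, $session, 1, '203.0.113.5', 1010);   // same IP in same session: no new row
record_ip($db, $session, 1, '198.51.100.7', 1020);  // switched to a proxy mid-session: new row
$session = [];
record_ip($db, $session, 2, '203.0.113.5', 1090);   // user 2, same IP, 90 seconds later
$session = [];
record_ip($db, $session, 3, '203.0.113.5', 50000);  // user 3, same IP, hours later
$session = [];
record_ip($db, $session, 4, '192.0.2.9', 1095);

print_r(accounts_sharing_ip($db, '203.0.113.5'));
print_r(suspicious_pairs($db, 600));
```

With the constructed rows, the plain cross-reference returns users 1, 2 and 3 for 203.0.113.5, while the ten-minute window only flags the pair (1, 2); user 3 on the "dorm" IP hours later is not flagged. The same table shape works for any other client-side identifier you decide to collect (the Flash LSO idea above): add a column or a second table keyed on that identifier and run the same join.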

I have some additional questions concerning session security.

 

At the moment this is my login processor:

<?php
session_start();
include "config.php";

// check login and pass in db

//set cookie for 90 days
//(these cookies carry the username and the password itself to the client;
// config.php then trusts them on every page)
setcookie("usNick",$nicke,time()+7776000);
setcookie("usPass",$passe,time()+7776000);

 

Where config.php is included on every page and says:

if($_COOKIE["usNick"] and $_COOKIE["usPass"])
{
$q = mysql_query("SELECT * FROM tb_users WHERE username='".mysql_real_escape_string($_COOKIE['usNick'])."' AND password='".mysql_real_escape_string($_COOKIE['usPass'])."'") or die(mysql_error());
if(mysql_num_rows($q) == 0)
{
	$_COOKIE['usNick'] = false;
	$_COOKIE['usPass'] = false;
} else {
	$loggedin = 1;
	$r = mysql_fetch_array($q);
}
}

 

Access to the admin panel is set this way:

// with && this only exits when BOTH cookies are missing
if(!isset($_COOKIE["usNick"]) && !isset($_COOKIE["usPass"]))
{
	exit();
}

if($r["account"]!="admin")
{
	header("location:index.php");
	exit();
}

// admin panel

 

I would like to transform this to a secure sessions system, but what is the most secure way to go about that in php?

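A server-side session login that replaces the usNick/usPass cookies above, as an added example that is not code from this thread or its author. It uses an in-memory SQLite database through PDO so it runs offline; the table, column and function names and the demo accounts are my own assumptions, and the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Added example, not the thread's code: a server-side session login that
// replaces the usNick/usPass cookies. Runs against an in-memory SQLite database
// through PDO so it works offline; table, column and function names are my own
// assumptions. Requires PHP 7.3+ for the array form of session_set_cookie_params.
declare(strict_types=1);

// Harden the session cookie before the session starts (do this on every page).
ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie; no 90-day password cookie
    'path'     => '/',
    'secure'   => true,     // HTTPS only
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tb_users (
              id       INTEGER PRIMARY KEY,
              username TEXT UNIQUE NOT NULL,
              pw_hash  TEXT NOT NULL,
              account  TEXT NOT NULL DEFAULT \'user\')');

// Hash used when the username does not exist, so a failed lookup costs about as
// much as a failed password check and does not reveal which usernames are valid.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// Store only a salted bcrypt hash; the password itself is never written anywhere.
function create_user(PDO $db, string $username, string $password, string $account = 'user'): void
{
    $st = $db->prepare('INSERT INTO tb_users (username, pw_hash, account) VALUES (?, ?, ?)');
    $st->execute([$username, password_hash($password, PASSWORD_DEFAULT), $account]);
}

// Login processor: verify the password, then keep only the user id in the
// server-side session and rotate the session id (defeats session fixation).
function login(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT id, pw_hash FROM tb_users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    $ok = password_verify($password, $row ? $row['pw_hash'] : DUMMY_HASH);
    if (!$row || !$ok) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION = ['uid' => (int) $row['id'], 'login_at' => time()];
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
}

// Per-page include: the role is read from the database on every request and
// never from anything the client sent, so it cannot be forged with a cookie.
function current_user(PDO $db): ?array
{
    if (empty($_SESSION['uid'])) {
        return null;
    }
    $st = $db->prepare('SELECT id, username, account FROM tb_users WHERE id = ?');
    $st->execute([$_SESSION['uid']]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Admin panel guard: not logged in, or logged in without the admin role, is
// sent away before any admin code runs.
function require_admin(PDO $db): array
{
    $user = current_user($db);
    if ($user === null || $user['account'] !== 'admin') {
        header('Location: index.php');
        exit;
    }
    return $user;
}

// Demo with constructed accounts.
create_user($db, 'alice', 'correct horse battery staple', 'admin');
create_user($db, 'bob', 'hunter2');
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'alice', 'correct horse battery staple'));
print_r(require_admin($db));
```

The first login attempt in the demo fails and the second succeeds, after which require_admin returns alice's row. If you still want a "remember me" that outlives the browser session, issue a long random token (random_bytes), store only its hash in a table keyed to the user, and exchange it for a fresh session on the next visit; the password never leaves the server in any form.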

It's mostly to assure advertisers not too many ads are being loaded through bots and multiple users. We don't want to lose money because of that :)

 

As for a few IPs on the same PC, we can live with that, and if we have some spare time we'll just compare logdates (or let a script do it). 2 people in the same dorm won't always log in right after each other, right? Multi-accounters probably will log in with more similar login times.

 

I think you misunderstand the issue.  The issue is NAT where you could have hundreds or even thousands of users with the same IP (remember AOL?).  Ok, it's an overstated concern, but it's not a matter of reuse of IP's, but rather that NAT allows the same IP to be used simultaneously by multiple users *at the same time*.


I know some ISPs do that and I understand some users would be suspended without fair cause. However, the probability of that is low and if this would be the case, we can still check up on the IP and see which ISP distributed it.

 

Can someone focus on the security concerns I posted in regards to sessions?
