Game Development Community

basic login server example?

by Jeff Yaskus · in Torque 3D Professional · 09/16/2012 (11:03 am) · 10 replies

I'm looking for an example of a basic login system to add into T3D ... so I can track how much each user plays the game, etc.

The idea was to have a central server on the web, that authenticates users and tracks usage.

Do I need a dedicated server? Or can it also be done using cloud resources?
What needs to be done for security?

If anyone has done this before -- can you share any examples relating to T3D, or even just the over-all design theory?

Thanks!

#1
09/16/2012 (12:56 pm)
Well, if you just need something very simple you could just use a php website and store the data in a mysql database.
#2
09/16/2012 (2:17 pm)
For the T3D side look at the tcpobject and httpobject.
I have done login/communication with a web server with Python so I cannot really relay wisdom from the T3D perspective. I have used ssh connections and http php connections. Unless you have an https server, security will always be an issue.

Really what you are doing from the http/php side is acting like a web client in software only. If you understand how a website with a user login works you should be able to translate that to code interaction. For stuff I have worked with I will actually create a php page like login.php somewhere on the website. That will provide challenge response data to allow a program to login. I even will filter this connection by requiring a specific User Agent (browser id string) or it will return the client to a main page. This is not security, but it thwarts casual perusers. One thing to remember is a program does not need all the text a normal website spits out. You can just send strings back and forth. With something like CodeIgniter you can implement sessions easily and even time out users. If you want continuous communication then set up some sort of timer to show the client is active. Also check the IP address to make sure it is the same user. This is where sessions come in handy. You can track the client during the connection. You may want to read up on hack proofing this connection. I am sure there are lots of articles on this. I bet a lot of the solutions use https to help with this.

Like I mentioned, security will be an issue so just assume that it is insecure unless you are using https. One thing you may look into is OAuth. I have used this with php and it will help with authentication and might alleviate the https requirement for a secure connection. I know Google and Facebook use this. This would require significantly more work in T3D to use however. It basically leverages someone else's https server to accomplish your own login.

To be frank, this is one of the reasons I created the Python resource. It is because stuff like this is already solved in a library somewhere. I didn't want to reinvent the wheel every time I needed a feature.
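
The challenge-response login described in this post, sketched in Python as an added example (not code from the original post or from any Torque resource). The `LoginServer` class, the 30-second nonce lifetime and the in-memory dictionaries standing in for login.php and its database are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a nonce stays valid (assumed value)


def derive_key(password, salt):
    # Slow KDF so a leaked user table is costly to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def client_response(password, salt, nonce):
    """What the game client computes; the password itself is never sent."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


class LoginServer:
    """Hypothetical in-memory stand-in for login.php plus its user table."""

    def __init__(self):
        self.users = {}       # username -> (salt, derived key)
        self.challenges = {}  # username -> (nonce, expiry time)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username, now=None):
        """Step 1: hand the client its salt and a fresh single-use nonce."""
        now = time.time() if now is None else now
        salt, _key = self.users[username]  # KeyError for unknown users
        nonce = secrets.token_bytes(32)
        self.challenges[username] = (nonce, now + CHALLENGE_TTL)
        return salt, nonce

    def verify(self, username, response, now=None):
        """Step 2: check the response; the nonce is consumed either way."""
        now = time.time() if now is None else now
        nonce, expires = self.challenges.pop(username, (None, 0))
        if nonce is None or now > expires:
            return False
        _salt, key = self.users[username]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time
```

The stored key is password-equivalent and the exchange only defeats replay of a captured login, so it still belongs behind HTTPS.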
#3
09/17/2012 (12:13 am)
Cloud services are just multiple dedicated services, so instead of one server being down when somebody destroys a router, ALL servers are down :)

Frank's reasons to use Python are the same as some people's reasons to use C++ ;)

If you set up your own TLS certificate and webserver with secure HTTP you have some of the security done already. Buying a proper cert may be helpful if you want the client to get third party verification that the server is what it claims to be, but there are mixed opinions on the usefulness of that. A hacked client would ignore verifications or replace any embedded certificate authority info, for example.

Another way to set up a server is to make a non-web service (to avoid the sluggishness[1] of a script language running in a webserver). You'd make a separate server for stat tracking via some ultra-efficient protocol with just some IDs, sizes and raw data, all secured over SSL with the aforementioned TLS certificate. For advanced admins, but probably best if you want it to scale well :)

(Suggested languages and tools: C++ with POCO, Google's Go, Java with just Jetty/Tomcat.)

What do you need the server to do? Will you also be using it as a patch server? What scale are you looking at? Will you be handling something small like 32 players per server and instancing new ones wherever, or having a global authentication point? Everything but the patching benefits from a common database in any case.

Implementing some form of Torque client to Torque server authentication and letting the server talk to the DB might be most efficient if it needs to be big. Native code + SQL scales better than one web server+PHP+MySQL chokepoint. It's fine to have less frequently used services running like that, though. Account management isn't constantly used by every player.

On the client side you could also start easy: Make script functions to set server address, port, username and password, and log on. Make the first version talk to a web script. If speed becomes an issue, replacing these functions shouldn't require changes in scripts. Just make a good API, basically.

[1] A server which handles 10 users per second via PHP, Python or similar may handle hundreds or thousands in Java or C#. Some major Java server frameworks for gaming handle hundreds of thousands of users concurrently on not very expensive Xeon systems. PHP struggles, both due to memory per connection and slowness of the implementation. Certain PHP systems requiring 128MB per user drain RAM before CPU.
#4
09/17/2012 (5:54 pm)
Quote: Frank's reasons to use Python are the same as some people's reasons to use C++ ;)

Very true, however, there is still an integration issue with Torque or any other C++ code base. With Python I usually have a "pythonic" API and don't have to know a whole lot about the library. I also don't have as many memory leak gotchas. Now, since I have been introduced to the Boost library I have now seen what decently written libraries could be like. That is one of the best written libraries I have seen to date. I easily created a threading program that was simple and reliable. At the end of the day I am still more productive in Python even though I had formal education in C++.
#5
09/18/2012 (2:31 am)
There are several Resources that offer varying solutions for such a thing. Any of which can make for a decent learning example.
#6
09/18/2012 (3:11 pm)
Ronny & Frank@ Thanks for the advice, that's exactly what I was looking for; an idea of the processes involved and how others did it.

My goal was initially to have clients authenticate versus a remote hosted server ... to verify they had a valid account ... and to track how much time they spent playing the game as well.

So based on what you both said - I could do that using C++ or Python to handle HTTP calls on client side and using Perl/PHP scripts to query a database on a server.

A basic LAMP setup, right? Linux + Apache + MySQL + PHP ... supported dozens of them from UNIX OS level before, just never had the need to set one up for my own needs until now. (I'm a UNIX SA by day)

That handles the login part and possibly tracking usage of the client ... but your comments got me to thinking of the other concerns as well.

I'm not expecting hundreds or thousands of users trying to login at once or to stay online for long periods of time like an MMO or such ...

Each client just needs to login when they start the session and somehow send an update when they close the app -- to keep track of their usage in a somewhat accurate manner.

Since they could just close the client by force and mess up the metrics, was thinking of defaulting to track it in say 5m increments and code the client to push an updated "i am still here" every 5m.

Then, if the server doesn't see an update after 5m, it can "close" the user's session and stop charging them time for usage.

I'm sure there are better methods, just getting started here.

Like I hear all the time at work, "there are likely thousands of ways to do it and hundreds that would work but likely only a dozen or so which are optimal for your given situation."


Michael@ Sorry for my ignorance but I couldn't find any using the search engine for "basic login server" ... If you found some, please share the URLs or search strings used - would be greatly appreciated
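
The 5-minute "I am still here" scheme from this post, combined with the session and IP checks suggested in reply #2, as an added Python example (not code from the thread). The `UsageTracker` class, the 30-second grace period and the in-memory dictionaries in place of a database are assumptions.

```python
import secrets
import time

HEARTBEAT = 300  # client pings every 5 minutes
GRACE = 30       # assumed allowance for network delay


class UsageTracker:
    def __init__(self):
        self.sessions = {}  # token -> [user, ip, started, last_seen]
        self.usage = {}     # user -> total billed seconds

    def login(self, user, ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[token] = [user, ip, now, now]
        return token

    def heartbeat(self, token, ip, now=None):
        """Record a ping; False means the client has to log in again."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None or s[1] != ip:  # unknown token or different address
            return False
        if now - s[3] > HEARTBEAT + GRACE:
            self._close(token)  # too late: bill only up to the last ping
            return False
        s[3] = now
        return True

    def logout(self, token, ip, now=None):
        if self.heartbeat(token, ip, now):  # count time up to a clean exit
            self._close(token)

    def reap(self, now=None):
        """Run from cron or a timer to close sessions that went quiet."""
        now = time.time() if now is None else now
        stale = [t for t, s in self.sessions.items()
                 if now - s[3] > HEARTBEAT + GRACE]
        for token in stale:
            self._close(token)
        return len(stale)

    def _close(self, token):
        user, _ip, started, last_seen = self.sessions.pop(token)
        self.usage[user] = self.usage.get(user, 0) + (last_seen - started)
```

A client that is killed by force is billed up to its last accepted ping, so the error per session is bounded by one heartbeat interval.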
#7
09/18/2012 (6:22 pm)
For the SSL side of things, you can get free SSL certificates from StartSSL.com; revocations do cost money however.

Personally I would advise against an "always online" DRM, because it only takes a hiccup somewhere down the line between the customer and the server to seriously piss them off.
#8
09/19/2012 (4:47 am)
Free certificates are no better than rolling your own. Most, if not all, of those services aren't recognised by the common browsers. Might as well just learn the commands to make your own, if you don't already do (which any sysadmin should).
#9
09/19/2012 (9:57 am)
@Ronny Bangsund, I respectfully disagree.

StartSSL is recognised by all the major browsers as a trusted certificate authority.

They ask you to prove that you do own the domain name before creating the SSL certificate using email validation sent to root@yourdomain.com

Rolling your own certificates has its advantages as long as the client only accepts this certificate's fingerprint.
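
Accepting only one certificate fingerprint, as this post describes for a self-signed certificate, shown as an added Python client example (not code from the thread). The function names and `SAMPLE_DER`, a constructed stand-in for real DER certificate bytes, are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder bytes, used only to exercise the comparison offline.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Compare against the pin shipped in the client, ignoring ':' and case."""
    if not der_cert:  # server presented no certificate
        return False
    pinned = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), pinned)


def connect_pinned(host, port, pinned_hex, timeout=10):
    """Open a TLS socket and keep it only if the server cert matches the pin."""
    ctx = ssl.create_default_context()
    # A self-signed cert has no CA chain to validate, so chain and hostname
    # checks are turned off and the pin becomes the only trust decision.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout),
                           server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pinned_hex):
        sock.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return sock  # send credentials only after this point
```

Because the pin is the sole check, replacing the server certificate means shipping a client update with the new fingerprint.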
#10
09/19/2012 (10:40 am)
If you are creating the web client in code (not using a browser) inside your game then using your certificate will be invisible to the user. I think having a certificate from a CA would be a good idea though. It gives your website some professionalism and allows non-warning usage in browsers. So there are pluses and minuses to self cert.

I know GoDaddy has certs for $13. They take care of the https and everything for the account even on a shared server. To me that would help take the headache out of maintaining a server for a small client load.