|
|
Posted by Adam Hubscher on 04/11/05 05:48
Synopsis: I am writing a management system for a MSSql database driven
game, and I've run into an issue. The community site is located on a
remote webserver, to protect the actual server from any possible
vulnerabilities in the community application/forum application (as we
all have seen the recent issues with phpBB and various CMS systems). The
management system grants the ability to access and modify various
properties of your in-game account.
In an attempt to provide the best way to limit the # of accounts per
person, I assumed that this could be accomplished by placing a dummy
value only used by the site itself that is the username/encoded password
for them on the community, and test if... when searched for in the
database, a result set of x is discovered, then they are unable to
create another account.
Problem: I would like to possibly utilize a login system (created on the
remote server), that would then check their username and password
against the CMS database located there, then redirect with that
information (encrypted of course), to the local site where the
information gets stored in a session. Then when they go to create a new
account, it stores the extra verfied information into the database.
However, the issue at hand here is, I'm not sure how secure it would be
if I were to say, create a secure login form, verify the data... and
then create another pseudo form that directs the person to the
local-based site using hidden post variables (this is my original
thought on the subject).
Is there another way I could go about doing this (ie, a way that I could
identify a user that is almost assuredly never going to change) or is
there a more secure way? Or, am I on the right track?
Thanks for any help!
Navigation:
[Reply to this message]
|