[Haskell-cafe] ANN: Nomyx 0.1 beta, the game where you can change the rules

Joe Quinn headprogrammingczar at gmail.com
Fri Mar 1 13:38:26 CET 2013


On 2/28/2013 11:17 PM, Chris Wong wrote:
> On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont <corentin.dupont at gmail.com>
> wrote:
>> Hi Chris,
>> Thanks!
>> That's true for the user number. What should I do? Encrypt it?
>
> It's not that you have a user number, or even that it's accessible: it's
> that it's the entirety of access control, meaning that if the user changes
> it they can masquerade as another user. The correct solution is that a user
> should authenticate, which creates a session hash that you stash away and
> also send back to the user as a cookie so the browser will present it on
> accesses. Then you check that the presented hash is there and matches the
> session hash. These should expire periodically, requiring the user to log
> back in again.
Additionally, you can change the session hash with every page hit, to 
some other totally random hash. If someone steals your session, they had 
better act on it immediately, lest you visit another page and it changes 
completely. If your session gets hijacked, you get logged out. When you 
log in again the attacker loses access.

You can also check sessions by the hash and IP address. That has 
usability concerns though. Even if players never switch machines in the 
middle of a game, suppose you are playing on a cell phone and your train 
goes through a tunnel. When you reconnect, your provider gives you a 
different IP and you are logged out.
