
internet browser related question, and future questions.

Started by March 28, 2017 08:36 PM
2 comments, last by hplus0603 7 years, 8 months ago

Hello everyone. I'm creating a browser game and have run into a snag. I am unsure where to post my questions on Gamedev. I'm going to use this forum until informed otherwise.

The questions I have are more to do with website hosting as opposed to game development; I'm just hoping I can get a few quick pointers as to where else to look for the information.

What I'm wanting to know is if I can create an 'instance' of a URL link for a logged-in user. Rather than having a boolean value determine a person's access, I was thinking of creating instances of links that are closed down from the server as soon as a client logs off? I'm sure this is already done in some fashion. Does anyone know what I'm looking for?

It is certainly possible to do something similar to that, but the specifics depend on how much control you have over the hosting software.

This is typically known as "session management." Virtually any hosting infrastructure will let you do it.

Wielder of the Sacred Wands
[Work - ArenaNet] [Epoch Language] [Scribblings]

The way you do this is store all the various permission bits (user ID, score, and whatnot) in some semi-persistent back-end storage.
Memcached is often used. Redis, MySQL, Cassandra, or pretty much any other shared persistent storage will work, too.
You will want the storage to expire after some time (30 minutes to 30 days are common session lifetimes.)
Then, key that data by a long, randomly-generated string (known as the "session key" or "session id.")
Set a cookie on the HTTP session that is named "sid" and that has the session key as value.
For each request that comes in, look at the value of the "sid" cookie, and if it matches an existing stored chunk of state, assume that that's the user.

Note that, if you use HTTP instead of HTTPS, and the user is accessing your site from a public WiFi somewhere, someone running Wireshark can steal the session cookie.
This attack was made famous by the "Firesheep" tool. Hence, you should use HTTPS for all traffic. That's easy now that "Let's Encrypt" makes it free and automated to get certificates.
When the user logs out, terminate the record with the key of the user's session id, and clear the "sid" cookie.
enum Bool { True, False, FileNotFound };
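
The session flow described in the reply above, as an added example that is not code from any poster in this thread: a random session key, a server-side record that expires, a "sid" cookie, and logout that deletes the record and clears the cookie. Assumptions: an in-memory dict stands in for Memcached or Redis, the function names are hypothetical, and the `Secure`, `HttpOnly` and `SameSite` cookie attributes are additions that go with the HTTPS advice.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # seconds; the reply cites 30 minutes to 30 days as common
_store = {}  # assumption: stand-in for Memcached/Redis, sid -> (expires_at, data)


def login(user_id, now=None):
    """Create a session record and return (sid, Set-Cookie header value)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _store[sid] = (now + SESSION_TTL, {"user_id": user_id})
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = SESSION_TTL
    cookie["sid"]["secure"] = True    # browser sends it over HTTPS only
    cookie["sid"]["httponly"] = True  # not readable from page scripts
    cookie["sid"]["samesite"] = "Lax"
    return sid, cookie["sid"].OutputString()


def lookup(cookie_header, now=None):
    """Return the session data for a request's Cookie header, or None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    if morsel is None:
        return None
    record = _store.get(morsel.value)
    if record is None:
        return None  # unknown or already terminated session key
    expires_at, data = record
    if now >= expires_at:
        _store.pop(morsel.value, None)  # expired: drop the record
        return None
    return data


def logout(cookie_header):
    """Delete the server-side record; return a header that clears the cookie."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" in jar:
        _store.pop(jar["sid"].value, None)
    return "sid=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Access is decided by whether the record still exists on the server, so deleting it at logout revokes the session even if a copy of the cookie value survives elsewhere.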
