Client Server Login, Security!
Ok, new question: I’m looking into building a web-based application that allows login from a remote client (Windows, Mac build). The problem I found is that the username and password need to be sent from the client to the web. If that login data is intercepted then access can be easily granted.
So how would one go about creating a secure login system that allows a client to access a back-end web based system?
I think for the most part what I’m looking at is very secure if I use SSL; however, if there was a virus of some kind on the client that could gain access to the data, then that would be a real problem.
Any ideas or suggestions welcome, I’m just looking for a kind of best practice approach.
The answer to this is complex passwords and encryption. Remember never to embed any passwords into the client.
After some further testing there is still what seems to be a vulnerability; the only solution I can see is placing a unique identifier within the client. But that, I guess, could be found, hmmm. Tricky working this one out.
A unique identifier doesn't change your problem; it must be sent over SSL exactly like the login/password. A UID is better used when you don't want the user to choose an insecure password (like 1234).
Answer by Sisso · Aug 28, 2013 at 01:43 PM
how say that communication is secure? :P
Do as any website does and you will be within the standard. Use the SSL solution. A simple POST over HTTPS is OK. Everything else generally increases complexity and gives "fake security".
Answer by superme2012 · Aug 29, 2013 at 12:59 PM
Hi, Sisso
The web side is fine and I’m probably going a little overboard with this.
The problem I can see is the access data getting intercepted on the client; however, this is the same for any client-based application, I guess.
There is one way I can see that would increase security, and that would be to have the login online and then create a session ID for the client.
That way the client only acts as a receiver for the data based to that unique session ID.
Definitely overboard, but it would be nice to see what others have done to handle this secure handshake between the client and the remote account system.
I think I could have misunderstood something. Are you afraid of storing the login and password on the device and using them to contact the server each time? In that case, I think that logging in once and storing only the token is the better option. It is what a browser does with cookies.
Please convert your answer to a comment :P
Yeah sorry I’m not being very clear, will try to explain.
The part of the client-to-server communication that bugs me is putting the login details into the Unity client and then sending that data to the web. I don’t intend to store the login details within the client, so it’s probably nothing to stress about.
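The login-once-then-token approach suggested in the comments above, sketched server-side as an added example (not code from any poster in this thread). The `SessionServer` class, its method names, the PBKDF2 work factor and the one-hour lifetime are assumptions, and transport is assumed to be HTTPS as the thread recommends.

```python
import hashlib, hmac, secrets, time

PBKDF2_ROUNDS = 200_000   # assumed work factor for this sketch
SESSION_TTL = 3600        # assumed session lifetime, seconds

def hash_password(password, salt=None):
    """Return (salt, key); the server stores these, never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def token_key(token):
    return hashlib.sha256(token.encode()).digest()

class SessionServer:
    """Hypothetical back end: password checked once, token used afterwards."""
    def __init__(self):
        self.users = {}      # username -> (salt, key)
        self.sessions = {}   # sha256(token) -> (username, expiry)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, now=None):
        """One-time credential check (sent over HTTPS); returns a token or None."""
        now = time.time() if now is None else now
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt)[1], stored):
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, so a leaked session table is not replayable.
        self.sessions[token_key(token)] = (username, now + SESSION_TTL)
        return token

    def whoami(self, token, now=None):
        """Map a token to its user; expired or unknown tokens give None."""
        now = time.time() if now is None else now
        username, expiry = self.sessions.get(token_key(token), (None, 0))
        if username is None or now >= expiry:
            self.sessions.pop(token_key(token), None)
            return None
        return username

    def logout(self, token):
        """Server-side revocation: the stored token becomes useless."""
        self.sessions.pop(token_key(token), None)
```

The client keeps only the returned token in memory and sends it with each request, so the password is typed once and never stored on the device.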