Hello,
I'm developing a game server with a WinForms client for testing. I've set up a packet system where, for example to simulate a player sending a chat message in game, the client constructs a PacketPlayerChat(string message), serializes it and sends it to the server. The server then uses the header data in the packet to reconstruct the correct packet type and fill in its values.
When the client connects to the server, simulating a player joining a server in-game, they need to authenticate. The way I'm thinking to do this is to do the following:
• Client connects to game server
• Game Server sends a PacketServerRequestAuth()
• Client sends PacketPlayerAuth(string username, string password)
• Game Server then validates this with the auth server
• The game server sends a PacketServerAuthResult(AuthResult result) depending on the login result
• If login failed, the game server closes the client connection
Of course, username and password will be encrypted.
If this a secure method? I'm aware that a modded server will allow the user to capture encrypted usernames and password, but they're useless to them.
A concern is that a modded server owner could capture the encrypted username and password, and request an auth from the auth server at any given time, making the auth server think the player has logged in (may cause havoc with login statistics).
I think it's best to include some sort of one-use token; if this is a good idea, what's the best way to implement it?
One idea I had is:
• Client requests a token from the auth server
• Client sends login details along with token to the game server
• Game server authenticates user with auth server, which is only possible if the token is valid, and it's one-use.
• Auth server ignores auth requests if the token is invalid.
What I have tried:
Thinking. About a lot of things.