C# Client to PHP server authentication

Question

My XNA game needs to connect to my website with a WebRequest to a PHP page that checks the database for the user and checks to see if the password is correct.

I already have a login script that will return a message such as "success" or "fail" obviously this is temporary and needs to be improved for secrity reasons, it could easily be faked.

C# Login Request

    //Create the POST data
    ASCIIEncoding encoding = new ASCIIEncoding();
    string postData = "username=" + user + "&pass=" + pass;
    byte[] data = encoding.GetBytes(postData);

    //Make a request
    WebRequest request = WebRequest.Create("http://example.com/login.php");
    request.Method = "POST"; //We are posting the info
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = data.Length;

    //Open a stream, write into, then send it
    Stream stream = request.GetRequestStream();
    stream.Write(data, 0, data.Length);
    stream.Close();

    //Get response
    WebResponse response = request.GetResponse();
    stream = response.GetResponseStream();

    //Make a new stream, We will read from this
    StreamReader sr = new StreamReader(stream);
    string responseString = sr.ReadToEnd();

    //TODO: If the responseString says the client if authenticated, procede, if not, display error to user (Invalid password, etc)

And the PHP script just finds user and compares submitted password (All of this is integrated with a Joomla site database, so users have a site and game account).

Now, how can my PHP script send back a reliable way of authentication, and provide some sort of token/id, so when I want to submit for example, a high score later, it knows that it is coming from this user, and isn't being faked?

Answer 1

To be blunt, there's no real way to ensure the data you are receiving in your PHP script is actually coming from your client. The best you can do is make it harder. Do be careful how much time you spend on this, it's a deep well, and those that want to cheat will.

Session Hijacking is only really concerning 3rd parties who are trying to access or manipulate your information. For games, this 3rd party doesn't care about your high score, they want credit cards and passwords. (Passwords are an other story, but you pretty much need SSL)

From your description, you are primarily concerned with cheating, and essentially all cheating is 1st party. The player wants to cheat. The only sure way to prevent (most) cheating is to run the game on your own systems and give the client as little control as possible (eg. EVE Online, Diablo 3, anything Blizzard). This is usually quite difficult to achieve, so I'll propose some alternatives.

To understand your enemy, there are a plethora of memory editing tools out there. Everything from injection functions to changing your money from 100 to 999999 can be done. Changing numeric values (like score) would take me ~15 minutes, and I am not very good at it.

Sanity checking. In your PHP, make sure the submitted score actually makes sense. Assume everything you get from the client is manipulated.

Punkbuster. Paying companies like Punkbuster or getting your game on Steam where you can (might be able to) use VAC. These tools don't publicize how they work, and VAC even has a delayed ban system so that you don't know what triggers it, but in broad strokes, they monitor for memory changes and/or scan for known hacks.

Honesty. Pssh, yeah right (j/k). Lol, but really: You trust your friends right? Consider scoreboards without griefers.

Maybe implementing something like season-based scoreboards? Every X days, the scoreboard resets. This reduces the incentive to cheat.

And that's pretty much it. You can try to obfuscate your memory values and it might stop people like me, but if somebody wants it bad enough and knows enough, they'll be able to break it and release a tool.

I will say this though: Make something worth hacking first! If people have gone through the effort to cheat, that's a great sign, and you should feel happy.

Answer 2

You're referring to a Session Token. Session tokens are a great way to authenticate actions for a given period of time after sign in. Your php can associate a session token with a username, which gets cleaned by a server process after a given amount of time, at which point the user must again log in.