
API Password masking

Posted: Sun Feb 15, 2009 12:38 pm
by StormITSolutions
Hey guys,

Has anyone managed a good way of masking the API password?
We are playing around with our server and would prefer that bankers don't see it displayed when opening tournaments.

Any suggestions would be very helpful.
We trust our friends to be bankers but I am limiting what they can do so there is less chance of them breaking the remote server.

And we all know people love to cheat and removing temptation would be good.

Thanks

Al

Re: API Password masking

Posted: Sun Feb 15, 2009 1:25 pm
by Kent Briggs
StormITSolutions wrote: Has anyone managed a good way of masking the API password,
We are playing around with our server and would prefer that bankers don't see it displayed when opening tournaments.
Build a web interface on a secure computer just for your bankers with some kind of login system that only they can access. That interface uses server-side scripting like PHP to communicate with the game server's API. The bankers will not be able to see that communication and thus won't know what the API password is.

Re: API Password masking

Posted: Sun Feb 15, 2009 1:52 pm
by StormITSolutions
I have tried a lot of methods but packet sniffers are still picking up the API password.
Looking into the password being stored in a remote server database and the PHP app calling the password from the bankers command after the submission on a remote banker site.

That way the call is done after on another server so packet sniffers can't pick it up.
A more roundabout way of doing it so I thought I would ask if others had a workaround or shall I just get stuck into the code.

I may be over complicating it as I've been told in the past I can't see the forest for the trees.
AL

Re: API Password masking

Posted: Sun Feb 15, 2009 3:55 pm
by Kent Briggs
StormITSolutions wrote: I have tried a lot of methods but packet sniffers are still picking up the API password.
How are the bankers (or anyone else) seeing packets going from your computer running the web interface to your computer running the game server?

Re: API Password masking

Posted: Sun Feb 15, 2009 6:14 pm
by StormITSolutions
The test I am trying is the scenario.

Bankers on remote PCs using remote web interfaces.

It's not a scenario we are currently using, but I'm crossing all the T's and dotting the i's for future use.
At the moment the bankers are on the same network as the server.

My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets, I know this is normally the case but API is something I'm fairly new to.

Only started integrating API into my software to sync servers so not 100% sure of its application in this sense.

Any information would be great to help my learning curve.

Al

Re: API Password masking

Posted: Sun Feb 15, 2009 7:47 pm
by Kent Briggs
StormITSolutions wrote: At the moment the bankers are on the same network as the server.
Well that would be an issue if they have physical access to your own computers.
StormITSolutions wrote: My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets
They could see the packets if they had access to the sending or receiving computer. I'm not sure about inside a LAN but I suspect if they had access to the router it might be possible there also since all the network traffic would flow through it.

Re: API Password masking

Posted: Mon Feb 16, 2009 9:21 am
by StormITSolutions
Thanks for the quick responses.

I will monitor how the system goes and see if I can stop my colleagues messing about with it.

Will write some PHP scripts to handle remote registration and API banker commands, will post the code when I'm done to allow others to freely use it.

Al

Re: API Password masking

Posted: Mon Feb 16, 2009 11:49 am
by Kent Briggs
One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.

Re: API Password masking

Posted: Mon Feb 16, 2009 4:45 pm
by StormITSolutions
That would be a good option.
If it's not too much trouble it would come in useful.

Al

Re: API Password masking

Posted: Wed Feb 18, 2009 8:30 pm
by Kent Briggs
Kent Briggs wrote: One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.
This feature has now been added to version 2.33.
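
The arrangement this thread arrives at (a banker-only web page whose server-side script holds the API password and talks to the game server over 127.0.0.1), written in PHP as an added example; it is not code from either poster or from the game server's documentation. The API URL and port, the `Password`/`Command` field names, the command names, the `GAME_API_PASSWORD` environment variable and the `$_SESSION['banker']` flag are all assumptions to be replaced with the real values.

```php
<?php
// Added example: banker-facing proxy. The API password exists only on this server.
// Assumed (not from the thread): API URL/port, field names, command names, env var name.
declare(strict_types=1);
session_start();

const API_URL = 'http://127.0.0.1:8087/api';  // placeholder; loopback, so never on the LAN
const ALLOWED = [                             // commands bankers may issue => fields each takes
    'AddChips'    => ['Player', 'Amount'],    // hypothetical command names
    'ListPlayers' => [],
];

function buildApiRequest(array $form, string $apiPassword): array
{
    $command = $form['command'] ?? '';
    if (!is_string($command) || !array_key_exists($command, ALLOWED)) {
        throw new InvalidArgumentException('command not permitted');
    }
    $fields = ['Password' => $apiPassword, 'Command' => $command];
    foreach (ALLOWED[$command] as $name) {    // copy only the fields this command takes
        $value = $form[$name] ?? '';
        if (!is_string($value) || !preg_match('/^[A-Za-z0-9_ ]{1,32}$/', $value)) {
            throw new InvalidArgumentException("bad value for $name");
        }
        $fields[$name] = $value;
    }
    return $fields;
}

if (empty($_SESSION['banker'])) {             // flag set by your own login page
    http_response_code(403);
    exit('login required');
}
try {
    $fields = buildApiRequest($_POST, getenv('GAME_API_PASSWORD') ?: '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit($e->getMessage());
}
$ctx = stream_context_create(['http' => [
    'method'  => 'POST',
    'header'  => 'Content-Type: application/x-www-form-urlencoded',
    'content' => http_build_query($fields),
    'timeout' => 5,
]]);
$reply = file_get_contents(API_URL, false, $ctx);
header('Content-Type: text/plain');
echo $reply === false ? 'game server unreachable' : $reply;
```

A banker's browser sends only its session cookie and the form fields, so a sniffer on the banker's PC or LAN sees no API password; the password appears only in the loopback request. The allow-list also means a banker cannot issue any API command the page does not expose.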