Page 1 of 1

Session Key expiring

Posted: Tue Sep 15, 2009 6:25 pm
by CanadaWest
Hi Kent,

We have been changing our entire site over to PHP pages and will be using sessions to enhance the player's experience and the site functionality.

We have used the new login page to call a SessionKey via API and can assign that Key as the Session_id and pass it through all the pages. The problem occurs when a player goes to the gameserver (no login requird), plays a while then leaves to, say, create a private Ring Game on the website. When he goes back to the gameserver, the SessionKey has expired.

I want to restrict Login to the website but would not feel good about it if players have to go get a new session every time they want to re-enter the gameserver.

Why is the SessionKey one-time-use? Why not have it expire after 24 hours? Or at the idle limit?

Or am I missing something... again. LOL

Re: Session Key expiring

Posted: Tue Sep 15, 2009 7:30 pm
by Kent Briggs
CanadaWest wrote:We have used the new login page to call a SessionKey via API and can assign that Key as the Session_id and pass it through all the pages. The problem occurs when a player goes to the gameserver (no login requird), plays a while then leaves to, say, create a private Ring Game on the website. When he goes back to the gameserver, the SessionKey has expired.
The session key expires when they log out of the game. They should only see a session key expired message if they try to refresh the browser page and thus bypass your login system. If that was allowed to happen then it would defeat the whole purpose of the session key system. Why are they logging out to create a new ring game rather than just opening a new tab or new browser window?
Why is the SessionKey one-time-use? Why not have it expire after 24 hours? Or at the idle limit?
For both simplicity and maximum security. It's safe to embed right in the link since it can't be used again. And it prevents bypassing the site's custom login system. If you don't care about any of those things then you can still use the old LoginName/LoginPassword parameters.

Re: Session Key expiring

Posted: Wed Sep 16, 2009 12:06 am
by CanadaWest
Kent Briggs wrote:
It's safe to embed right in the link since it can't be used again. And it prevents bypassing the site's custom login system.
I see. Thats a bit disappointing. I think a session should last until the user ends it or is idle for a certain time.

One of the frustrations players face is when signal interruption, a dropped packet or some other issue forces them to Refresh and log back in. Its bad enough when all they have to do is Referesh, wait for the lobby to load and click OK to log in. If I force them to return to the website and get another session key, it will not be pretty.. LOL .. Every second counts when that turn clock is running. I thought the SessionKey login should make it easier for the players. "Refresh" and it opens again. Pity.

You know? Its a user's responsibility to log out properly to end their session. My hotmail, facebook and other sessions survive refreshing the page. The PHP session-ids survive refreshing the page.

I'm not sure I understand.

Re: Session Key expiring

Posted: Wed Sep 16, 2009 12:22 am
by Kent Briggs
CanadaWest wrote:[I see. Thats a bit disappointing. I think a session should last until the user ends it or is idle for a certain time.
The user did end it by logging out. Logged out is logged out. To log back in, they need to repeat the login procedure.
My hotmail, facebook and other sessions survive refreshing the page.
So does Poker Mavens, until you explicitly disabled it's own internal login system and replaced it with your own. If you've got the game embedded in a frame or iframe, the user is actually refreshing your page and so there should be nothing stopping you from automatically issuing another session key and logging them back in automatically.

Re: Session Key expiring

Posted: Wed Sep 16, 2009 2:53 am
by CanadaWest
Kent Briggs wrote:
there should be nothing stopping you from automatically issuing another session key and logging them back in automatically.
Of course! I can put my own "refresh" button on the gamepage that calls a new SessionKey and logs them right back in.

Very good.