API Password masking

Postby StormITSolutions » Sun Feb 15, 2009 12:38 pm

Hey guys,

Has anyone managed a good way of masking the API password?
We are playing around with our server and would prefer that bankers don't see it displayed when opening tournaments.

Any suggestions would be very helpful.
We trust our friends to be bankers but I am limiting what they can do so there is less chance of them breaking the remote server.

And we all know people love to cheat and removing temptation would be good.

Thanks

Al
StormITSolutions
 
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Postby Kent Briggs » Sun Feb 15, 2009 1:25 pm

StormITSolutions wrote: Has anyone managed a good way of masking the API password?
We are playing around with our server and would prefer that bankers don't see it displayed when opening tournaments.


Build a web interface on a secure computer just for your bankers with some kind of login system that only they can access. That interface uses server-side scripting like PHP to communicate with the game server's API. The bankers will not be able to see that communication and thus won't know what the API password is.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3763
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Postby StormITSolutions » Sun Feb 15, 2009 1:52 pm

I have tried a lot of methods but packet sniffers are still picking up the API password.
Looking into the password being stored in a remote server database and the PHP app calling the password from the banker's command after the submission on a remote banker site.

That way the call is done after on another server so packet sniffers can't pick it up.
A more roundabout way of doing it so I thought I would ask if others had a workaround or shall I just get stuck into the code?

I may be overcomplicating it as I've been told in the past I can't see the forest for the trees.
AL
StormITSolutions
 
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Postby Kent Briggs » Sun Feb 15, 2009 3:55 pm

StormITSolutions wrote: I have tried a lot of methods but packet sniffers are still picking up the API password.


How are the bankers (or anyone else) seeing packets going from your computer running the web interface to your computer running the game server?
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3763
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Postby StormITSolutions » Sun Feb 15, 2009 6:14 pm

The test I am trying is the scenario.

Bankers on remote PCs using remote web interfaces.

It's not a scenario we are currently using, but I'm crossing all the T's and dotting the i's for future use.
At the moment the bankers are on the same network as the server.

My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets. I know this is normally the case but API is something I'm fairly new to.

Only started integrating API into my software to sync servers so not 100% sure of its application in this sense.

Any information would be great to help my learning curve.

Al
StormITSolutions
 
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Postby Kent Briggs » Sun Feb 15, 2009 7:47 pm

StormITSolutions wrote: At the moment the bankers are on the same network as the server.


Well that would be an issue if they have physical access to your own computers.

StormITSolutions wrote: My understanding of the API was that if the user submits a command via a web site (HTTP commands) they could "sniff" out the packets


They could see the packets if they had access to the sending or receiving computer. I'm not sure about inside a LAN but I suspect if they had access to the router it might be possible there also since all the network traffic would flow through it.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3763
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Postby StormITSolutions » Mon Feb 16, 2009 9:21 am

Thanks for the quick responses.

I will monitor how the system goes and see if I can stop my colleagues messing about with it.

Will write some PHP scripts to handle remote registration and API banker commands, will post the code when I'm done to allow others to freely use it.

Al
StormITSolutions
 
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Postby Kent Briggs » Mon Feb 16, 2009 11:49 am

One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3763
Joined: Wed Mar 19, 2008 8:47 pm

Re: API Password masking

Postby StormITSolutions » Mon Feb 16, 2009 4:45 pm

That would be a good option.
If it's not too much trouble it would come in useful.

Al
StormITSolutions
 
Posts: 6
Joined: Sat Feb 07, 2009 10:49 am

Re: API Password masking

Postby Kent Briggs » Wed Feb 18, 2009 8:30 pm

Kent Briggs wrote: One thing I could do is add an option to bind the localhost (127.0.0.1) to the game server (in addition to its regular IP). Then you could run a separate web server on that same machine and it would communicate with the game server via 127.0.0.1 and never expose the API password on the LAN.


This feature has now been added to version 2.33.
Kent Briggs - [email protected]
Briggs Softworks - http://www.briggsoft.com
Kent Briggs
Site Admin
 
Posts: 3763
Joined: Wed Mar 19, 2008 8:47 pm
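
The arrangement described in this thread (a banker-only web page whose server-side PHP script holds the API password and talks to the game server over 127.0.0.1), as an added example that is not code from Briggs Softworks or from either poster. The port and path in `API_URL`, the `Password`, `Command` and `Name` field names, the two command names in the allow-list, the session keys and the `PM_API_PASSWORD` environment variable are all assumptions; take the real values from your server's API documentation.

```php
<?php
declare(strict_types=1);
// Added example: banker-facing endpoint; the API password never reaches the browser.

// Assumed values (not from the thread): port, path, field and command names.
const API_URL = 'http://127.0.0.1:8087/api';                // loopback only, never the LAN IP
const ALLOWED = ['TournamentsOnline', 'TournamentsStart'];  // all a banker may run

session_start(); // a separate login page (not shown) sets 'banker' and 'csrf'

function fail(int $status, string $message): void
{
    http_response_code($status);
    exit($message);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') fail(405, 'POST only');
if (empty($_SESSION['banker'])) fail(401, 'Log in first');

$csrf = $_SESSION['csrf'] ?? '';
$sent = $_POST['csrf'] ?? '';
if (!is_string($csrf) || $csrf === '' || !is_string($sent) || !hash_equals($csrf, $sent)) fail(403, 'Bad form token');

$command = $_POST['command'] ?? '';
$name    = $_POST['name'] ?? '';
if (!is_string($command) || !in_array($command, ALLOWED, true)) fail(403, 'Command not permitted');
if (!is_string($name) || !preg_match('/^[\w -]{1,40}\z/', $name)) fail(400, 'Bad tournament name');

// The secret is read from the web server's environment, not from the form or the page.
$password = getenv('PM_API_PASSWORD');
if ($password === false || $password === '') fail(500, 'Server not configured');

$ch = curl_init(API_URL);
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query(['Password' => $password, 'Command' => $command, 'Name' => $name]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_TIMEOUT => 5,
]);
$reply = curl_exec($ch);

// Audit trail: who ran what. The password and raw cURL errors are never logged or echoed.
error_log(sprintf('banker=%s command=%s name=%s ok=%d', (string) $_SESSION['banker'], $command, $name, $reply !== false));
if ($reply === false) fail(502, 'Game server unreachable');

header('Content-Type: text/plain; charset=utf-8');
echo $reply;
```

Remote bankers should reach this page over HTTPS so their own login travels encrypted; the API password itself only ever crosses the loopback interface.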
