Building Browsergames - Latest Comments in Building Browsergames: forcing users to log in (PHP)http://bbgames.disqus.com/enWed, 10 Mar 2010 10:26:23 -0000Re: Building Browsergames: forcing users to log in (PHP)http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/#comment-38861303<p>What about storing user's IP in the session variable when they log in additionally and check whether it matches current IP on every login check? Wouldn't it make the whole process a bit safer?</p>kicWed, 10 Mar 2010 10:26:23 -0000Re: Building Browsergames: forcing users to log in (PHP)http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/#comment-7216515<p>I expected sessions were just a form of standard cookies. But it seems they are not, and secure as you said :)<br>Thanks for sharing this information!</p>MrLolligeSat, 14 Mar 2009 14:10:07 -0000Re: Building Browsergames: forcing users to log in (PHP)http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/#comment-7216402<p>Ill do some research on phps sessions function, that will get me more information :D<br>Thanks again for your reply!</p><p>(Still even an encrypted cookie is copyable. If you see a computer where someone is logged in, you could copy the cookie and use it yourself forever. But I am not planning on working with session IDs -_-)</p>MrLolligeSat, 14 Mar 2009 14:03:12 -0000Re: Building Browsergames: forcing users to log in (PHP)http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/#comment-7215444<p>Realistically, any authentication system you build is unsecure - but PHP's<br>sessions are 'safe enough'. As far as I'm aware(although I'm sure someone<br>will correct me if I'm wrong), sessions are stored in an encrypted format in<br>the cookie - which makes it a little harder for an attacker to just create a<br>cookie with your username inside it.<br>Storing the ID does seem like a better way to do it, if you're going to need<br>the ID very often - it's definitely faster to retrieve something from a<br>cookie than the database.</p>LukeSat, 14 Mar 2009 13:06:18 -0000Re: Building Browsergames: forcing users to log in (PHP)http://buildingbrowsergames.com/2008/06/24/building-browsergames-forcing-users-to-log-in-php/#comment-7210630<p>I just realized: Isn't this very unsercure? If I create a cookie myself that has your username in it, I am automatically logged in on your account right?</p><p>And why do this instead of just checking if there still is a cookie? I do not need to know the user ID anyway.<br>Also, in my version of the game I am making with your tutorial, I stored the ID in the cookie too, because you really need it often. Or is retrieving data from the database faster/better than retrieving data from a cookie?</p><p>Please explain what and why you did this :)</p>MrLolligeSat, 14 Mar 2009 06:17:29 -0000