[Plugin] ajaxPost

Post » Fri Feb 10, 2012 5:06 pm

Hi,
because the Ajax-post-Plugin isn't available I've created a new one (based on the AJAX-Plugin).

Usage like AJAX-Plugin with the difference that you can post the data via POST.




Plugin ajaxPost
postExample.capx (HTML-Div Plugin for the example)
ajaxexamplePostData.php
All suggestions are welcome.

Joe7

Post » Fri Feb 10, 2012 6:04 pm

Probably nice

Ajax is still over my head ^^

Post » Fri Feb 10, 2012 6:18 pm

tnx a lot Joe7 ^^

Post » Wed Feb 15, 2012 2:20 am

Worked. Thanks. I can finally get a login system working.

Post » Mon Feb 20, 2012 7:39 pm

That's a very great plugin! I was looking for this one!

Does anyone know how to encrypt or protect the post data values sent from the c2 game to server?

Thank you!

Post » Tue Feb 21, 2012 10:32 am


Post » Tue Feb 21, 2012 11:02 am

I always thought that HASH is a one-way thing..?!?

Post » Wed Feb 22, 2012 8:51 am

Yes, it should be. As I understand the question, he asked only about the encryption, e.g. post the "username"+"password" and store this encrypted string on the server.

The username and the score can be sent without encryption to store on the server. The client that uses the C2 game knows who he is ("username") and the app calculates the "score".

Second login: C2 encrypts username+password again --> sends it to the server --> server: compares this string to the string stored before --> message success/fail to the C2 client that wants to play

Suggestion:
If sending the username and the score unencrypted is too insecure for you (you can see the real characters, e.g. with Wireshark), why not merge it into the encrypted string:
When the encrypted string for the
user "Joe7"+"joelspassword"
is --- "0123456789abcdef" ----
and the score is "20"
--> merge it in:
--- 01234567Joe789ab2cd0ef ---
and post this string. If you know the right positions of the characters you can pick them out.

Post » Wed Feb 22, 2012 11:37 am

Actually, encrypted or not, just sending credentials like that is a possible security hole.
Another way to secure things is to go through the https protocol (the page that does the ajax request is already a secured page, and the destination address for the request is an https:// address too).
This should help prevent the credentials from falling into unwanted/malicious hands, hopefully.

Post » Fri Feb 24, 2012 1:56 pm

Thank you Joe7 and Kyatric for your answer! :)

Yes, I thought about mixing your 2 solutions (CB hash & https) because I'm looking for a way to protect the username, hash session of the player and score.

But I still care about the fact that the player (called hacker) could find a way to make some ajax calls from a javascript console (like Firebug or the Chrome console or other tools) by finding my C2 javascript function (even minified) to make the same CB Hash and call it to send a high score to the server manually...

Just like EdgeWorld's game, there are some tools to hack that game even if EdgeWorld is in https mode... :(

I'm not an expert and don't know https very well, but I saw that every JS client application uses that way even if the post data is not encrypted (just like iCloud.com does)

Do you think https could prevent that kind of attack?
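The position-based merge from the Feb 22 post and the concern raised in the last post, worked through as an added example; it is not code from the thread or from the plugin. The `LAYOUT` offsets are constructed to reproduce the sample string `01234567Joe789ab2cd0ef`, and all function names are hypothetical. The offsets ship inside the client JavaScript, so the same table that builds the string also takes it apart, which is why the server has to treat the score as client-supplied input whatever the transport.

```javascript
// Added example, not code from the thread or the plugin.
// LAYOUT is constructed to reproduce the sample string in the post.
const LAYOUT = [
  { field: "user",  at: 8,  len: 4 }, // "Joe7" goes in after 8 hash chars
  { field: "score", at: 12, len: 1 }, // first score digit after 12 hash chars
  { field: "score", at: 14, len: 1 }, // second score digit after 14 hash chars
];

// Interleave the field characters into the hash string at the layout offsets.
function merge(base, fields) {
  const taken = {}; // characters already consumed per field
  let out = "", prev = 0;
  for (const { field, at, len } of LAYOUT) {
    const start = taken[field] || 0;
    out += base.slice(prev, at) + fields[field].slice(start, start + len);
    taken[field] = start + len;
    prev = at;
  }
  return out + base.slice(prev);
}

// Reverse of merge(): needs nothing except the same layout table.
function unmerge(merged) {
  const fields = {};
  let base = "", pos = 0, prev = 0;
  for (const { field, at, len } of LAYOUT) {
    base += merged.slice(pos, pos + (at - prev));
    pos += at - prev;
    fields[field] = (fields[field] || "") + merged.slice(pos, pos + len);
    pos += len;
    prev = at;
  }
  return { base: base + merged.slice(pos), fields };
}

// Server side of the scheme: pick the fields out, compare the hash part
// with the stored string (storedHash is a constructed sample value).
function serverAccepts(merged, storedHash) {
  const { base, fields } = unmerge(merged);
  if (base !== storedHash) return null;
  return { user: fields.user, score: Number(fields.score) };
}

const sent = merge("0123456789abcdef", { user: "Joe7", score: "20" });
// The hash part does not depend on the score, so a string rebuilt with
// another score passes the same server check as the original.
const { base, fields } = unmerge(sent);
const rebuilt = merge(base, { ...fields, score: "99" });
```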
