February 2004
- Solutions for smarter NPCs (long) Robert Zubek
- TECH: newbie, mud over jabber im cr88192
- Randomness Alex Chacha
- Randomness David Kennerly
- Randomness Alex Chacha
- UI Design Adam
- MCP/GUIs (was: MUD client popularity) Bruce Mitchener
- [DGN] A comparison of adolescent and adult online computer game players Luca Girardo
- Discussion groups at the MDC Brian 'Psychochild' Green
- Different Style of Online Games Stewart Berntson
- Too much magic? Brian Hook
- Too much magic? Michael "Flury" Chui
- Too much magic? John Buehler
- Too much magic? Hans-Henrik Staerfeldt
- Too much magic? John Buehler
- Too much magic? Corey Crawford
- Too much magic? cruise
- Too much magic? Brian Hook
- Too much magic? Richard A. Bartle
- Too much magic? Brian Hook
- Too much magic? Paul Canniff
- Too much magic? cruise
- Too much magic? Daniel.Harman@barclayscapital.com
- Too much magic? Ben Hawes
- Too much magic? Miroslav Silovic
- Weather simulations Nathan Black
- Weather simulations Spot
- Weather simulations Shane P. Lee
- Weather simulations Valerio Santinelli
- How much should be offloaded to Scripting? Dan Larsen
- How much should be offloaded to Scripting? Brian Hook
- How much should be offloaded to Scripting? Koster, Raph
- How much should be offloaded to Scripting? Brian Hook
- How much should be offloaded to Scripting? Jay Carlson
- How much should be offloaded to Scripting? Damion Schubert
- How much should be offloaded to Scripting? Jim Purbrick
- How much should be offloaded to Scripting? Jim Purbrick
- How much should be offloaded to Scripting? Sean Middleditch
- How much should be offloaded to Scripting? Lars Duening
- How much should be offloaded to Scripting? Ben Garney
- How much should be offloaded to Scripting? Acius
- How much should be offloaded to Scripting? Richard A. Bartle
- How much should be offloaded to Scripting? Patrick Dughi
- How much should be offloaded to Scripting? gbtmud
- How much should be offloaded to Scripting? Kwon J. Ekstrom
- How much should be offloaded to Scripting? James Pepe
- Media: Women over 40 biggest online gamers J C Lawrence
- Media: Women over 40 biggest online gamers ext.Christer.Enfors@tietoenator.com
- Media: Women over 40 biggest online gamers Koster, Raph
- Media: Women over 40 biggest online gamers Daniel James
- Media: Women over 40 biggest online gamers Fred Snyder
- Media: Women over 40 biggest online gamers Michael Sellers
- Media: Women over 40 biggest online gamers Tom Hunter
- Media: Women over 40 biggest online gamers Luca Girardo
- Media: Women over 40 biggest online gamers Luca Girardo
- Character Restraint & Capture. Jester
- Character Restraint & Capture. rjw
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Damion Schubert
- Character Restraint & Capture. Daniel.Harman@barclayscapital.com
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Damion Schubert
- Character Restraint & Capture. Byron Ellacott
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Damion Schubert
- Character Restraint & Capture. Marian Griffith
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Brian 'Psychochild' Green
- Character Restraint & Capture. cruise
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Valerio Santinelli
- Character Restraint & Capture. Craig H Fry
- Character Restraint & Capture. Jim Purbrick
- Character Restraint & Capture. Michael Sellers
- Character Restraint & Capture. Jester
- Character Restraint & Capture. cruise
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Tess Snider
- Character Restraint & Capture. Eric Random
- Player generated quests wcoles@reflectionsinteractive.com
- Player generated quests cruise
- Player generated quests Artur Biesiadowski
- Player generated quests Alex Chacha
- Player generated quests Mike Shaver
- Player generated quests Talanithus Tarant
- Quick question SSL Christopher Allen
- Quick question SSL ceo
- Quick question SSL sziisoft
- Quick question SSL Jo Dillon
- Quick question SSL Matthew D. Fuller
- Quick question SSL ceo
- Quick question SSL szii@sziisoft.com
- Quick question SSL Travis Casey
- Quick question SSL Tamzen Cannoy
- Quick question SSL ceo
- Quick question SSL Byron Ellacott
On Thu, 2004-03-04 at 19:55, ceo wrote:
> szii@sziisoft.com wrote:
>> You can get the IP address from the TCP stack on the client.
>> Then you can register "player X is at IP xxx.yyy.zzz.aaa" on the
>> server. You could also use the socket information (sockaddr_in
>> structure) to determine that information and register it.
> How, exactly, do you do this with HTTP?
If you're writing a CGI application, CGI 1.1 specifies that the
REMOTE_ADDR environment variable should contain the IP address of
the remote host making the request.
If you're writing a program that speaks HTTP over a socket directly,
you're able to record the connecting IP address yourself.
If you're writing an Apache module or equivalent for other servers,
the API for that server should expose the remote IP.
I don't think the question I answered is the question you meant to
ask. I think you wanted to know how to identify the machine that
sourced the request, not the machine who last intercepted it and
forwarded the request to you. Unfortunately, you do not have this
information in the transport protocol, nor is it guaranteed to be in
the HTTP headers, nor can you trust information in packets that came
from the Internet anyway.
However, the original problem was based around certain (transparent)
proxies changing the source IP address for HTTP, but not for HTTPS.
You wanted a way to verify that the person passing you a token was
the same person you issued that token to, and you could no longer
use remote IP to do that.
Unfortunately, the original solution was not any more secure than
generating a random number as the user's token. If an attacker A is
able to snoop the traffic between your client C and server S, they
would be able to extract the token, fake a request from C, and read
what S sends back. If attacker A is unable to snoop the traffic, a
random token is sufficiently secure.
If you're willing to get hacky with Javascript, you can probably do
the following:
1) During the secure setup, set a cookie on the client containing
a secret key, randomly generated.
2) The submit button on each page invokes a piece of javascript
that performs a hash of the input fields and the secret key.
3) Your server then compares that hash with its own computation.
The attacker knows the token, the hash, and the hash method used,
but as long as they do not know the secret key they cannot pretend
to be the client. This rules out both spoofing and man in the
middle[0], so long as your secret keys are not guessable and are not
used for long enough for the attacker to brute force them.
--
bje
[0] Man in the middle is still possible if the attacker intercepts
the initial HTTPS connection. Note that SSL encryption prevents
snooping, it does not perform authentication. You should at the
very least use a server certificate so the client can be certain
they're talking to the right thing. - Quick question SSL Alex Chacha
- Quick question SSL Byron Ellacott
- Quick question SSL Sean Middleditch
- Mythica Cancelled.. dienw
- Mythica Cancelled.. Kerry Fraser-Robinson
- Mythica Cancelled.. David H. Loeser Jr
- Mythica Cancelled.. Vincent Archer
- Mythica Cancelled.. Vincent Archer
- Mythica Cancelled.. Michael Sellers
- Mythica Cancelled.. Scott Jennings
- Mythica Cancelled.. szii@sziisoft.com
- Mythica Cancelled.. Valerio Santinelli
- Mythica Cancelled.. Damion Schubert
- Mythica Cancelled.. Hans-Henrik Staerfeldt
- Mythica Cancelled.. Bill Slease
- Mythica Cancelled.. Freeman, Jeff
- Mythica Cancelled.. Tom "cro" Gordon
- [Design] Meta-physics Engine cruise
- RE:Character Restraint & Capture. Chris Duesing
- Economic model.. Brian Thyer
- Economic model.. Mike Lescault
- Economic model.. Robert Kovalchick
- Economic model.. Brian Thyer
- Economic model.. Matt Mihaly
- Economic model.. brian@thyer.net
- Economic model.. Matt Mihaly
- Economic model.. Matt
- Economic model.. Brian Thyer
- Economic model.. cruise
- Economic model.. brian@thyer.net
- Economic model.. cruise
- Economic model.. Thomas Clive Richards
- Economic model.. Michael Sellers
- Economic model.. Daniel.Harman@barclayscapital.com
- Economic model.. Michael Sellers
- Economic model.. Daniel.Harman@barclayscapital.com
- Economic model.. Brian Thyer
- Economic model.. Marian Griffith
- Economic model.. Brian Thyer
- Economic model.. Francisco Gutierrez
- Economic model.. Brian Thyer
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Brian Hook
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Roy Sutton
- Character Restraint & Capture (bounty hunting) Chris Duesing
- Character Restraint & Capture (bounty hunting) Byron Ellacott
- Character Restraint & Capture (bounty hunting) szii@sziisoft.com
- Character Restraint & Capture (bounty hunting) John Buehler
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Byron Ellacott
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Byron Ellacott
- Character Restraint & Capture (bounty hunting) Jester
- Economic model (long) Jester
- Announce: MUD-Dev Conference J C Lawrence