Mizzion Posted February 8, 2011

Hello, I recently downloaded the Lite version of MCC, and figured I would start by securing the scripts and then moving on from there. My question is, should I also secure the $_SESSION variables? I'm pretty sure I've read somewhere that it's possible to use plug-ins to hijack sessions, so I just want to make sure that while I'm securing, I get as much secured as possible (Plus it will be a learning experience :) ).

Thanks for any help provided

a_bertrand Posted February 8, 2011

Sessions by themselves cannot be hacked or you cannot simply change the value of a session as it is stored on the server side. What you can do is hijack the session of somebody else if you grab the right cookie and the server is not protected against such things. But this is not normally an issue for McCode...

Mizzion (Author) Posted February 8, 2011

> Sessions by themselves cannot be hacked or you cannot simply change the value of a session as it is stored on the server side. What you can do is hijack the session of somebody else if you grab the right cookie and the server is not protected against such things. But this is not normally an issue for McCode...

Thanks for the quick reply. I didn't think it would be a problem, but as the saying goes, "Better safe than sorry" :) Thanks once again.

The Spirit Posted February 8, 2011

You should take a look at http://makewebgames.io/board750/34749-partly-well-fully-re-coded-lite

Mizzion (Author) Posted February 8, 2011

> You should take a look at http://makewebgames.io/board750/34749-partly-well-fully-re-coded-lite

Thanks for the link. I've actually looked at that, but I would rather code it myself. This way I can get more familiar with the structuring.

Spudinski Posted February 9, 2011

A_bertrand is right. Although, MCCodes is susceptible to session hijacking. Smaller exploits with custom made - or poorly - modifications can lead to people being able to actually steal the cookies through common XSS (cross-site scripting) methods.

MCCodes, by default, does not make use of any cookies (the login script is an exception) so the base isn't vulnerable to this. But - I have seen modification developers make use of them.

I'd say you check and/or log the sessions, and check them to see if they are really accurate. There are many tutorials for this.

The other suggestion I could give, that I use personally, is creating a unique ID for each player/visitor each time they visit the page. There are many things that go wrong with this system, but it's the most solid I have ever used and seen.

For security info, as you requested, I'd say you firstly secure all the global variables and queries being passed around in MCCodes. They are messy, indeed.

Mizzion (Author) Posted February 9, 2011

> A_bertrand is right. Although, MCCodes is susceptible to session hijacking. Smaller exploits with custom made - or poorly - modifications can lead to people being able to actually steal the cookies through common XSS (cross-site scripting) methods. MCCodes, by default, does not make use of any cookies (the login script is an exception) so the base isn't vulnerable to this. But - I have seen modification developers make use of them. I'd say you check and/or log the sessions, and check them to see if they are really accurate. There are many tutorials for this. The other suggestion I could give, that I use personally, is creating a unique ID for each player/visitor each time they visit the page. There are many things that go wrong with this system, but it's the most solid I have ever used and seen. For security info, as you requested, I'd say you firstly secure all the global variables and queries being passed around in MCCodes. They are messy, indeed.

Thank you for your input Spudinski. As for the cookie issue, I shouldn't run into that since I prefer to code my own mods and/or add-ons. As for the logging and checking of the sessions, that is a good idea, thank you. Also about the unique ID per user/visitor, this is also a good idea and I will work on that while I'm in the files securing the variables and inputs. Onto the queries, I agree, they are pretty messy and are being worked on as I go along.

Once again thanks to everyone who has replied with input/suggestions.

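Added example, not part of the thread and not MCCodes code: one way to implement the session checks discussed above in PHP, combining a cookie that injected script cannot read, a logged consistency check on each request, and a session ID that is replaced at login and at intervals. The function names, the `fp`, `rotated_at` and `userid` session keys, and the 300-second interval are assumptions made for this sketch.

```php
<?php
// Added example, not MCCodes code. Assumed names: start_hardened_session(),
// on_login(), and the 'fp', 'rotated_at' and 'userid' session keys.

function client_fingerprint(): string
{
    // User-Agent only: client IPs change legitimately (mobile networks, proxies).
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function start_hardened_session(int $rotateAfter = 300): bool
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([               // array form needs PHP 7.3+
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // injected script cannot read the cookie
        'samesite' => 'Lax',
    ]);
    session_start();

    $fp = client_fingerprint();
    if (!isset($_SESSION['fp'])) {            // first request of this session
        $_SESSION['fp'] = $fp;
        $_SESSION['rotated_at'] = time();
        return true;
    }
    if (!hash_equals($_SESSION['fp'], $fp)) { // the "check and log" step
        error_log(sprintf('session mismatch: user=%s ip=%s',
            $_SESSION['userid'] ?? 'guest', $_SERVER['REMOTE_ADDR'] ?? '-'));
        $_SESSION = [];
        session_destroy();
        return false;                         // caller sends the visitor to login
    }
    if (time() - $_SESSION['rotated_at'] >= $rotateAfter) {
        session_regenerate_id(true);          // new ID, old session file deleted
        $_SESSION['rotated_at'] = time();
    }
    return true;
}

function on_login(int $userId): void
{
    session_regenerate_id(true);              // never keep a pre-login session ID
    $_SESSION['userid'] = $userId;
    $_SESSION['rotated_at'] = time();
}
```

Replacing the ID on every page load instead of on an interval can log a player out when two of their requests overlap (several tabs, background requests), which is why this sketch rotates on a timer and at login.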