what do you think of my login page?

[LearningCoder]

http://i41.tinypic.com/2v279dw.png

this is it up too now and before you ask this is my first time making a login page, all criticism is accepted and i will learn from it. What do people think of my login page? say what you dislike and what would make it look better please :)

[lucky3809]

Not bad, but I would make the wording lighter maybe add a lighter black border around the text or a white glow effect so it's easily seen and read better.

[chicka]

Not the best login page i've seen but for a first attempt its not bad at all.. Keep at it. i'm sure in the end it will look fantastic... Best of luck

[Ishraq]

Yh i think this looks really good for a starter.

Ask me to make something. It will look disgusting lol.

I like the text used and the simple stripey background.

But the font color seems a bit too dark and out of color.

You know what i mean?

[LearningCoder]

thanks guys :) i will sort this now :D

[a_bertrand]

Thanks to Octarine, I learned something new: CSRF or XSRF, for more information: http://en.wikipedia.org/wiki/Cross-site_request_forgery

For making a long story short: if your users are logged it, via session / cookie or whatever and some external site point an image to your game like

<img src="http://yourgame.com/index.php?cmd=change_pass&new_pass=123456" width="1" height="1">

The browser of your players will actually try to load that image (even if it is not an image), pass the session / cookie over and... actually trigger some actions.

Doing it with a post instead of a get? It involves a bit more work, and may not work with a simple image as you need some javascript (as far as I'm aware of), however it is also doable.

Now how do you protect yourself from such things? Well, a good option is to check the Referer header and see if it match with your site. If not, the request comes from the outside, and should be dropped. Yet even better, limit the life time of the session / cookie, such that the player is vulnerable only for X min (unless he/she browse malicious sites in the same time), or, require some sort of password when you do such things.

Honestly load of sites (if not most) are partially or completely vulnerable for such attack, yet it doesn't mean it's easy to setup and actually run, as the attacker shall know your site, and shall find a way to contact the users of your site for example. Also the impact of such attack on a game is... not very high

Is it an high security risk for a game? answer I don't think so.

Could something be done to yet lower the risks? Sure, however preventing completely those kind of attacks is hard. However you can certainly try to block some of the easiest things.

The other points, octarine said are for me more important for me, like blocking an account after X fails in X minutes.

[a_bertrand]

Indeed preventing completely those kind of attacks seems to be relatively hard. On my own code I did quiet some work, yet I only hope to have covered all those possible issues. Some times you never have enough imagination to cover all holes or at least me.

And I wasn't aware those kind of attacks have been successfully done on McCode game.

[a_bertrand]

Zend Certificate doesn't cover any security aspect. It covers purely the language. As I always said, I'm a programmer not a security expert nor an hacker. Yet I'm also not a McCode owner, developer, so all this McCode world and possible hacks are unkown to me ;)

You know, computer science is really big, you can't know all. For example somebody working with Oracle will not know SQL Server details and same in the other side. An expert in Java will normally not be an export in C# or yet, if you are a Java GUI developer maybe the Servlet and JSP are only basic knowledge. Does that make A Java guru a bad programmer? No, but simply not a good security expert. Usually security and development are 2 separated things, where you need true skilled people for security which do basically nothing else than that, and the programmers at the other side. Sure a soft need to be secured, specially if it goes on internet, but many soft never reach any public hands and may have completely different design goals.

Even formal training show huge difference in what you get: Nickson which is doing system administration and security is getting all kind of trainings to learn the possible (known) attacks, where when I made my master I didn't got even a single course about security. As said, there is simply too much to know, and you can't learn all. Then it's up to you to focus on the thing you are interested, but don't think that only one branch of the computer science is the most important, that would be a huge mistake ;)

[Spudinski]

ZCE does cover some security aspects.

See http://www.zend.com/services/certification/php-5-certification/

SSL and cryptography(or in Zend's case "hashing functions") being the dominant ones.

[a_bertrand]

The latest ZCE, but not the one I did, that I can tell you ;) (I made mine in 2006, so 6 years ago and it was PHP 4)

The current ZCE do have indeed quiet more focus on security (thanks Spudinski to pointing me to the right info, I must admit I didn't checked it since I made mine), and OO which was nearly existent at the time I did it.

And I think ZCE does tell if you are a security expert? The answer is again no, you may (now) have some overview, but you are certainly not an expert. To be an expert in the field, you should normally do formal training on that specific field, or at least have some long working expertise in the field.

Also a script on the same site to trigger some hack is for me something different than the CSRF as for me it's more a CSS / XSS attack and that one was known to me ;)

Finally, I shall add, that even if you are an expert, you may as well miss things, I mean, how do you think that even sites like youtube, google, yahoo get hacked otherwise? Don't you think they have full time security experts working there? Yet there is always some security aspect which has been forgotten or some new viscous way to pass the security. One of the well known and not really fixable issue is the so known "social engineering":

http://en.wikipedia.org/wiki/Social_engineering_(security)

[Spudinski]

Well, vendor-neutral certifications like the CISSP would be an indicator that you are an security expert.

As for SE, it is fixable by learning the traits. You have to know the enemy if you want to beat them.

[a_bertrand]

You can't fix social engineering, as it's your trusted users which are doing the stupidities... you can inform them, yes, but not much more.

For CISSP, as I said, I'm no expert so I can't even rate their certifications ;) But yes there is quiet some training / certification possibilities.

[Spudinski]

You can't fix social engineering, as it's your trusted users which are doing the stupidities... you can inform them, yes, but not much more.

SE has nothing to do with the person's intellect, it is a way to manipulate. Like "hacking" a human mind.

One could train them on the techniques the SEs would use to manipulate them, and from that they could make assumptions whether to trust the other or not.

[a_bertrand]

As said, the only thing you can do is inform your users. For internal (inside the company) it's somewhat doable, yet for external people it's nearly impossible beside sending from time to time emails informing them to not trust anyone XD

[Spudinski]

As said, the only thing you can do is inform your users. For internal (inside the company) it's somewhat doable, yet for external people it's nearly impossible beside sending from time to time emails informing them to not trust anyone XD

Well, it's the general rule of thumb: not to trust anyone.