Crazy transvestit
|
Posted - 2009.07.20 10:20:00 -
[1]
Edited by: Crazy transvestit on 20/07/2009 10:22:21
Hi
I have a small question: are there any tools for a corp to create a jump bridge database (in-game browser) and check access rights via API key?
If not, I want to make something like this, but I haven't got any idea how to start this work. I will be happy for any help.
Thanks
|
Ki Tarra
Ki Tech Industries
|
Posted - 2009.07.20 15:18:00 -
[2]
The in-game browser and api cannot be used for securing access to anything.
All of the header information provided by the IGB can be spoofed - all a hacker would need to do is find out the characterID of one of your corp members and he could impersonate that character. CharacterIDs can be looked up publicly, so there is nothing to stop someone from impersonating the IGB of anyone else. The IGB and its headers have never been intended to be secure, nor to ensure identity.
About all that you can do is use the api to automate the process of registering/deregistering with your website. Use the full api key of one of your directors to get a list of characters in your corp. Your website can then validate corp members' api keys when requested to choose/change a password.
Ultimately you will need to have players register a password with your website if you want access to be secure.
|
Dragonaire
Caldari Corax. New Eden Retail Federation
|
Posted - 2009.07.22 13:41:00 -
[3]
Might have a look at this forum thread about the IGB and its header etc.
http://www.eveonline.com/ingameboard.asp?a=topic&threadID=1011219
Gives you an idea just how non-secure your idea is to trust them.
-- Finds camping stations from the inside much easier. Designer of Yapeal for Eve API.
|
Vorononv Circut
The Maverick Navy Atlas Alliance
|
Posted - 2009.07.25 02:46:00 -
[4]
Yeah... I agree with the other posters. What you really need is an alliance forum with restricted access.
A tool I really would like to see: a customizable map for jumpbridge networks.
|
Lord Fitz
Project Amargosa
|
Posted - 2009.07.27 12:02:00 -
[5]
Originally by: Ki Tarra
About all that you can do is use the api to automate the process of registering/deregistering with your website. Use the full api key of one of your directors to get a list of characters in your corp. Your website can then validate corp members' api keys when requested to choose/change a password.
Ultimately you will need to have players register a password with your website if you want access to be secure.
Using the director's API key is the right thing to do, but you can't verify a user just because they have their API key, given they may have placed it on a third-party site for some other app. If they create an account, and then get a verify code generated for them, if they then send that code in a transaction message to some other character who can have their API read by your app, then you have a 100% verification that the person that made that login on the website has access to that character. Then you use the director API to verify corp membership and you're set ;)
A little mucking around but provides more certainty than other methods I've seen.
|
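The verification-code flow described in post [5], as an added example that is not part of the original thread or any poster's code. It assumes the wallet journal of the receiving character has already been fetched and parsed into rows; the `Verifier` class, the row fields `sender_id` and `reason`, and the 15-minute expiry are hypothetical names and values chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 15 * 60  # seconds a code stays valid (assumed policy, not from the thread)

class Verifier:
    def __init__(self, corp_member_ids):
        # Character IDs taken from the member list read with the director's key.
        self.corp_member_ids = set(corp_member_ids)
        self.pending = {}  # website account -> (code, issued_at)

    def issue_code(self, account, now=None):
        """Create a random one-time code the user must send from in-game."""
        code = "verify-" + secrets.token_hex(8)
        self.pending[account] = (code, now if now is not None else time.time())
        return code

    def check_journal(self, account, journal, now=None):
        """Return the verified character ID for `account`, or None."""
        now = now if now is not None else time.time()
        entry = self.pending.get(account)
        if entry is None:
            return None
        code, issued_at = entry
        if now - issued_at > CODE_TTL:
            del self.pending[account]  # expired: the user must request a new code
            return None
        for row in journal:
            # The sender ID is reported by the API, so the user cannot choose it.
            if hmac.compare_digest(row["reason"].strip().encode(), code.encode()):
                if row["sender_id"] not in self.corp_member_ids:
                    return None  # controls a character, but not one in the corp
                del self.pending[account]  # single use
                return row["sender_id"]
        return None

# Constructed sample data: two journal rows, one carrying the issued code.
if __name__ == "__main__":
    v = Verifier(corp_member_ids=[1001, 1002])
    code = v.issue_code("alice")
    journal = [{"sender_id": 1001, "reason": "thanks"},
               {"sender_id": 1002, "reason": code}]
    print(v.check_journal("alice", journal))
```

Because the code is a random nonce rather than a password, anyone who can read the receiving character's journal learns nothing reusable.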
Vorononv Circut
The Maverick Navy Atlas Alliance
|
Posted - 2009.07.28 16:50:00 -
[6]
You may want to look at the way I handle user verification on BleakLands.com. I set up an API monitor on my own wallet. When a user wants to create a new account they send me a 0.1 isk (or anything really, doesn't matter) donation and include "pw=my_password" in the comment line. My site can then poll my wallet for the userid and the password they would like. This means that accounts can ONLY be created through the in-game donation system, and a new password can be made any time (even without knowing the old one) if you have access to Eve. You can, of course, change the password securely on the site once you log in; but you have to know the old password.
|
Johnathan Roark
Caldari Quantum Industries RAZOR Alliance
|
Posted - 2009.07.28 17:22:00 -
[7]
Originally by: Vorononv Circut
You may want to look at the way I handle user verification on BleakLands.com. I set up an API monitor on my own wallet. When a user wants to create a new account they send me a 0.1 isk (or anything really, doesn't matter) donation and include "pw=my_password" in the comment line. My site can then poll my wallet for the userid and the password they would like. This means that accounts can ONLY be created through the in-game donation system, and a new password can be made any time (even without knowing the old one) if you have access to Eve. You can, of course, change the password securely on the site once you log in; but you have to know the old password.
Problem with that is anyone that has access to your full api would have the passwords. This would include you. Some users recycle passwords and may even use their eve password. I really wish ccp would do an eve openID system.
Quantum Industries is recruiting! |
Vorononv Circut
The Maverick Navy Atlas Alliance
|
Posted - 2009.07.29 02:47:00 -
[8]
Originally by: Johnathan Roark
Problem with that is anyone that has access to your full api would have the passwords. This would include you. Some users recycle passwords and may even use their eve password. I really wish ccp would do an eve openID system.
Sorry for derailing this topic further. Yes, it's not the best system in the world. However, users can change the password securely on the site and I warn them to do so. Once they change it there, it's securely salted and hashed so I can't see it.
The openID system is really a nice idea - it really wouldn't take too much to program it. It would also allow better management of API keys (i.e. you choose what parts of the API a site is allowed to have). I saw, for example, a thread in MD discussing a player-driven insurance system. It would require the full api for killmails, but people have trouble justifying exposing their full api for it.
|