
AppGameKit Classic Chat / Ideas on how to use FB login to manage user accounts

Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 23rd Apr 2013 20:46
Hi everyone. I'm thinking about my second game and I'd really like to use FB login to maintain user credentials.

My concern is this:
The user can log in to FB with my game and I can verify that he/she has done so. I can then retrieve their FB username, but no security identifier (like a password).
I don't want the user to have to create a password for the game, but I want to make sure that their FB login is unique.

I've thought of simply assigning them a random code as an internal password that they never see.
Does this seem like a valid way to handle this?
I'm thinking if they reinstall the game that I'd have to check my database to see if their FB username is already registered.

I'd love to hear some thoughts on how others have handled this.

Thanks!!

Check out dFenz on Google Play, Windows, or Mac:
Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 23rd Apr 2013 22:10
Well, FB will make sure that their login is unique. They certainly don't allow duplicates. So, as long as your user provides one that works, don't sweat it.

The way I handle a user reinstalling my app is like this:
1. The app starts for the first time (it doesn't detect the presence of the options file)
2. It requests a user name from the user and sends the name to my website
3. If the name is already in use, the site checks the stored id for other games as well (I anticipate more than one game, eventually) and sends back the information to my app
4. The app says the name is already registered for the game. If there are other games associated with the id, it lists them as well. Then it asks if that is them.
5. Assuming it is and the user is honest and says yes, then their device is updated with some information (including all posted game stats) and the user is done.

In the event that it isn't them, and they are honest, they are asked for another user name.

If the first web connection times out, the user is told this and allowed to play as 'Guest'. The next time the app starts, they are again greeted with the request for a user name.

I also would suggest not storing their Facebook id in your database.

But if you do, you need to make sure that they are informed about it before you do it and have the option to skip whatever it is that you are trying to do.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 23rd Apr 2013 22:58
I've never really dealt with user credentials before or managing a server database, so this will be an adventure for me.
Thanks for the tips I appreciate it.

I'll do what I can to avoid using their FB username. It does make more sense to use a unique name for my own server's purposes.

I know piddly about server db management. Basically I only need to store some user data (login credentials and game stats - a bit beyond the basic score). Is there any reading you can point me to on how to set this up? I plan to make a home server for testing, but I'll need to migrate it to a commercial server with static IP at some point.

Check out dFenz on Google Play, Windows, or Mac:
Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 23rd Apr 2013 23:53
Using their name in your App is not necessarily a bad thing. It is good to refer to the user by name. But store it locally with the game. Or get them to create a player name for your app and use that.

Personally, I don't want to see my Facebook name in a game or app, unless it is Facebook. That feels too much like something is using information that it doesn't really need.

I feel perfectly comfortable creating a name for an app (or group of apps, like forums where I almost always use "Ancient Lady").

As for setting up your db and stuff, it's all in the programming. You will need a variety of files on your server that accept input from your app and then return data (in the form of a string that can be however long you want). These are not pages seen if someone visits the web site.

I can't think of any specific reading. I've been designing and coding for more than thirty years now and added MySQL and PHP and basic web stuff to my skills about 10 years ago. So, I've been just learning as I go.

Some of the books I do keep as reference are in the O'Reilly series (www.oreilly.com, one of the better producers of reference material). They have one titled "Learning PHP & MySQL" which should give you the basics of those two tools. They are most likely the ones that you will use because they are available at just about every hosting outfit and they don't cost you a dime. And you can install them easily on your home computer (Windows, Linux or Mac). They also have one titled "Web Database Applications with PHP and MySQL". They also have a lot of other books they sell that they don't directly publish themselves.

The database I use to store a player's game stats (if they choose) is also the one that I get the high scores from for the leader board on my game web site. My app allows the player to view stats for all the games played on his device, or stats that he elected to submit to the server, or the leader board. And all are served by the same database (except the local scores).

When testing on your home server (as I do, before anything gets to my live server), you will need to be able to have a static IP address on your box so that you can use it in the URL for testing on your devices. Unless you do all of your testing on the one computer and then you can just use 'localhost' as the domain.

When you are ready to set up with a commercial server, I would recommend the one that I use and that I successfully recommended to several clients. I would guess that you would be interested in one of their shared hosting plans (which do allow for fixed IP addresses). (The link I used is a 'referral' link. If you use it and then sign up in the same session, I earn about $20 for the referral.)

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 24th Apr 2013 01:29
Awesome, thanks! I'll be keeping this info with my new design docs, so you'll get that referral.
I've used O'Reilly books before, they're great. Maybe I'll snag that book. I can't imagine it is overly difficult, but, again, it's new to me.
Cheers!

Check out dFenz on Google Play, Windows, or Mac:
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 1st May 2013 21:54
Working on setting up a test environment for PHP/MySQL for my next game. I'm not sure why setting up MySQL with PHP has been difficult for me because it seems pretty straightforward. I had to give up and get XAMPP, which I sort of wish I had started off with...

XAMPP seems like it is light on security, but I think I can set up security measures anyway.

With Jaguar do I have to set up all of this stuff on the server myself?

What's your setup like?

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 1st May 2013 22:25
With JaguarPC, all these bits are set up automatically (the basic PHP and MySQL anyway). Pretty much any hosting outfit that supports PHP/MySQL (and most do these days) will have them already set up for you and should have interfaces that let you do things like add databases and manipulate them. I know JagPC does. And they set up things like PHPMyAdmin (one of the better web based MySQL admin tools) in such a way that you can access it, but others won't know how to get to it. The path is never something visible to someone parsing your domain. A very nice security feature.

I have a VPS (Virtual Private Server) with JagPC and it came set up with everything. Now I manage the updates to it myself, so that I have control over versions. I have several domains and sub-domains that use PHP/MySQL/Javascript to do lots of things.

On my main site, I have a page that shows my basic working setup in my office. The Linux/PHP/MySQL versions on my VPS are kept up to date with the current stable versions. My home boxes are updated periodically to keep up to date with my clients' configurations.

If you look at www.triassicgames.com, you can see what my leader board for my (almost done) WIP looks like. It is active already and works with my testing. The site is also already working with adding new users for my game and is ready to handle multiple games. I've been doing PHP/MySQL for almost 10 years now and do have a background as a professional software/database being.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Phaelax
DBPro Master
Joined: 16th Apr 2003
Location: Metropia
Posted: 1st May 2013 23:08
Quote: "I don't want the user to have to create a password for the game, but I want to make sure that their FB login is unique."

You shouldn't need to create a password; as long as they successfully log in to their FB account through your app, you should be ok. Store their email address as a unique identifier.


Quote: "Using their name in your App is not necessarily a bad thing. It is good to refer to the user by name. But store it locally with the game. Or get them to create a player name for your app and use that."

I second that.

I've dealt with FB login before through PHP. Can't say I really care for it.

"You're all wrong. You're all idiots." ~Fluffy Rabbit
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 1st May 2013 23:20
@Ancient Lady - thanks! I'm sure I'll continue to pick your brain. I figured the servers came with a setup, but when I looked at the packaging items I didn't see any options for PHP/SQL etc.

@Phaelax
I suppose that's true and what I can do in the database is just have fblogin as the password. Seems simple enough.
I want them to be able to look at their friends list and invite them to games, so FB integration is sort of necessary, but I might not rely on FB login to be logged into my app... just want to make it easiest on the user.

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 1st May 2013 23:42
@Naphier, if you go with JaguarPC, make sure to pick a Linux based plan (more secure). All of their plans have PHP and MySQL. And I am happy to help people with all sorts of stuff, as long as I have the time.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 1st May 2013 23:44
Will do! And thank you! I promise not to bug you much!

Auger
Joined: 21st Aug 2011
Location: Out There
Posted: 2nd May 2013 05:05
I'm in the early stages of doing the exact same thing. My thought was to store the Users_ID in a database, which you get from string FacebookGetUserID()


That number is unique for every facebook user.

Auger
Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 2nd May 2013 17:05 Edited at: 2nd May 2013 17:31
@Auger, I would be very careful about storing Facebook user names and ids in a database on a server.

As I've mentioned before, storing that locally on the device running the app is a better method. Generate your own id for the user and store that in both your database and on the device.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 2nd May 2013 17:14
@Ancient Lady - I'll likely use some sort of key to generate a user ID that is stored on the server. I see no reason to store their actual FB name on the server.

One thing that might be a big deal is I see that notifications are still only available for iOS according to the docs. Is this true?

And another thing is: How do you handle getting a notification to someone if they have terminated the app? I see that games like WordFeud stay in memory, but it appears as though AppGameKit apps do not stay in memory.

I've heard of Android Cloud 2 Device Messaging which handles this, but not sure if TGC plans to implement this method or if something similar is done with iOS. C2DM seems like it might require some extra server scripting, but to develop any app with notifications it seems like something like this would be necessary. Otherwise you have to write your app to always stay on and constantly check for notifications... that would kill any battery!

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 2nd May 2013 17:33
@Naphier, I was responding to Auger and should have specified that (just edited post to fix this).

As for the rest of your post, I don't have a clue (not actually working for TGC).

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Auger
Joined: 21st Aug 2011
Location: Out There
Posted: 3rd May 2013 05:28
@AL I'm just at the beginning stage; I'm still working out the data structure I'll need. I might have a look and store a number based off the FB_id. Is your concern that the data might be compromised?



Auger
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 3rd May 2013 05:36
I believe it is more of a concern of compliance with FB policies:
https://developers.facebook.com/policy/
Which basically says you can store the ID, but don't share them.
Which means if someone hacks your database full of FB IDs then you could be liable. Not to mention the PR nightmare it would cause.
If your database is full of useless information then no one will care.
I'll be masking the IDs and the rest of my data with some sort of homebrew encryption. It'll look like garbage without the key.
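Added example (not code from the thread or from AppGameKit): a PHP registration script for the PHP/MySQL back end discussed above, showing Ancient Lady's "generate your own id" advice together with the reinstall lookup from her earlier post. Instead of the homebrew encryption Naphier plans, it stores a keyed hash (HMAC-SHA256 under a server-side secret) of the Facebook id, so the table never holds the raw id; the table layout, the config path, the constant names and the POST field names are all assumptions.

```php
<?php
// Added example: registration / restore endpoint for the game's PHP/MySQL server.
// Assumed table (not from the thread):
//   CREATE TABLE players (player_id CHAR(64) PRIMARY KEY,
//                         device_token CHAR(64) NOT NULL,
//                         display_name VARCHAR(32) NOT NULL,
//                         highest_level INT NOT NULL DEFAULT 1);
declare(strict_types=1);

// Placeholder path: a config file outside the document root that defines
// DB_DSN, DB_USER, DB_PASS and ID_SECRET (a long random string).
require '/home/example/private/config.php';

// Keyed hash of the FB id: the same user always maps to the same value, but a
// copy of the table is useless without ID_SECRET. This is a hash, not encryption;
// the FB id cannot be recovered from it even by the server.
function opaquePlayerId(string $facebookUserId, string $secret): string
{
    return hash_hmac('sha256', $facebookUserId, $secret);
}

// Look the player up and create them on first contact. Returns what the app
// needs to restore itself after a reinstall or on a new device.
function registerOrRestore(PDO $db, string $facebookUserId, string $requestedName): array
{
    if ($facebookUserId === '') {
        return ['status' => 'error'];
    }
    $pid = opaquePlayerId($facebookUserId, ID_SECRET);

    $stmt = $db->prepare('SELECT device_token, display_name, highest_level FROM players WHERE player_id = ?');
    $stmt->execute([$pid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false) {
        // Reinstall / new device: the same FB login yields the same opaque id,
        // so stored stats come back without the user ever creating a password.
        return ['status' => 'restored'] + $row;
    }

    // First contact: a random device token is the "internal password" the thread
    // talks about. The user never sees it; the app keeps it in its local options file.
    $token = bin2hex(random_bytes(32));
    $name  = substr(preg_replace('/[^A-Za-z0-9_]/', '', $requestedName), 0, 32);
    if ($name === '') {
        $name = 'Guest';
    }

    $ins = $db->prepare('INSERT INTO players (player_id, device_token, display_name) VALUES (?, ?, ?)');
    $ins->execute([$pid, $token, $name]);

    return ['status' => 'created', 'device_token' => $token,
            'display_name' => $name, 'highest_level' => 1];
}

// Entry point: the app POSTs the id from FacebookGetUserID() and a chosen name.
// The server takes the app's word for the id; confirming it with Facebook's
// access token is a separate step not covered here.
if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Field names are deliberately generic rather than "fbid" / "name".
    $result = registerOrRestore($db, (string)($_POST['u'] ?? ''), (string)($_POST['n'] ?? ''));
    header('Content-Type: text/plain');
    echo json_encode($result); // one string back to the app, as the thread describes
}
```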

Auger
Joined: 21st Aug 2011
Location: Out There
Posted: 3rd May 2013 07:28 Edited at: 3rd May 2013 07:29
Good point. I'll probably do the same, at least then you'd have a bit of security in place. I think the only thing I'll be saving anyways is just the ID ... since that is the only unique id that FB uses. No use wasting database space on the name when I can just get it at run time.


Auger
Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 3rd May 2013 16:25
Auger, I don't know if the AppGameKit function for getting a Facebook user's name gets it from their device or goes to the internet.

If it goes to the internet, and you always get the name when the game starts, that would require that your customers always have internet connectivity. And you shouldn't assume that is the case. Like on airplanes.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 3rd May 2013 16:32
Another issue to think about is what happens if they uninstall and reinstall the game or get a new device. Players expect to be able to pick up their info from "the cloud" quite a bit anymore.

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 3rd May 2013 17:18
That is the rub.

I have my user enter a user name the first time they play, and it tries to connect to the internet to check/store the name. If the internet connection fails (and the only way to tell is a timeout), they play as 'Guest' and their scores are stored locally. If they can connect, and they are doing a reinstall, any stats they've opted to upload will be restored to their device. They will also get their 'highest level' value returned and stored (this enables which levels they can play).

If they are playing as 'Guest', the next time they start the game, they will get asked to create a user name.

That first internet interaction is the only one that is really needed. Unless they want to upload their game stats (option at the end of any successful game) or view the leader board.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 3rd May 2013 18:26
I've got some security questions:

I think I'd like my webpages to only be accessible via username and password.
The problem is that I don't know how I'd send the username and password to the website to allow access. I imagine there is a way to do it by URL, but I'm not sure how. I understand how to send data to a PHP script via URL and GET.
Another issue is, won't sending the password by URL be open to exposure? Is it possible for something/someone to intercept that HTTP command?

Another option would be to leave the webpages unsecured and only allow access to the database via password (which I think I'd do anyway). So I'd either have to have the password in a PHP file that updates the database (which seems like a big mistake, especially with the webpages openly accessible) OR I'd have to pass the password to the PHP script via URL, which also seems like it could be open to issues.

Thoughts?

Thanks!!

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 3rd May 2013 18:52
If you have an SSL certificate on your domain, and connect via https, then things sent will be encrypted. The SetHTTPHost command has a flag that allows you to indicate that it is a secure (https) connection. And it also has fields to add user name and password.

There are also things you can do on your web site that prohibit anyone (in theory) from accessing designated paths. This lets you put PHP code in place that your app accesses that is not accessible to a web browser. I haven't actually tested this with AppGameKit apps, but it should be doable. And I just checked my access logs to see what shows up with an AppGameKit connection. So, I could help you (and anyone) come up with rules for your .htaccess file.

You absolutely need your database password protected. Anything else is simply not secure. And there are ways to store the db access information to protect it.

What pages would you want user name secured on your visible website? I would imagine that you would keep the interaction from within the app itself.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 3rd May 2013 19:01
Also, browsers will not actually see the contents of your PHP files on your site. They actually only see the generated html output, not the raw script files.

Your PHP files are only vulnerable to someone hacking into the server and seeing the physical files or installing scripts that will send them the files.

If you go with a shared hosting account, you are somewhat dependent on the security measures of your hosting provider. JaguarPC is pretty good about security.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 3rd May 2013 19:12 Edited at: 3rd May 2013 19:32
The SSL answer helps.
I don't want anything visible on the website actually.

So basically if I put my PHP files in a secure directory no one can get to them without cracking the password for the site.

The SetHTTPHost command allows me to send the credentials. Excellent!

And if I'm under SSL then I don't need to worry about anyone intercepting the HTTP commands that are sent to the site from the app.

Quote: "Also, browsers will not actually see the contents of your PHP files on your site. They actually only see the generated html output, not the raw script files."

Is the output that is received by AppGameKit the HTML that shows?


Quote: "Your PHP files are only vulnerable to someone hacking into the server and seeing the physical files or installing scripts that will send them the files."

Basically that's all I'm worried about.

Quote: "If you go with a shared hosting account, you are somewhat dependent on the security measures of your hosting provider. JaguarPC is pretty good about security."

Very good to know.


So here's my plan at the moment:
Set up SSL and use SetHTTPHost to log in

Data is sent to a PHP GET script via URL, which requires the database password to also be passed via URL. I'm still not sure if passing the db password via URL is better than storing it in the PHP script. Or are there essentially enough security measures that it doesn't really matter?

Data sent from the app is encrypted by the app before being sent to the database. This way if someone does hack in and steal the database it appears as garbage.

That provides 3 levels of security. Which I'd feel really comfortable about.


Another question:
I'm trying to find out how to force logout the HTTP connection. I've tried:



But it doesn't seem to be working since I still have access after running it...

EDIT
Never mind the logout question. I've solved it. Just try to force in new credentials or use another call to login like this:

The issue is that Chrome likes to remember the credentials even after invalid login credentials have been sent... I don't think this will be a problem via app.

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 3rd May 2013 20:16
Quote: "Is the output that is received by AppGameKit the HTML that shows?"

Whatever you output using the 'echo' command will be returned in one big string.

Quote: "Data is sent to a PHP GET script via URL"

Actually, the SendHTTPRequest command uses the POST method which is more secure since the arguments sent do not actually appear in any log file (not added like 'http://somedomain.com/somepage.php?somevar=somedata').

As long as your encryption is pretty good, then it is safe in the database. And as long as you don't want to use any actual web or PHP to display the data, you can use methods not done in PHP.

Quote: "I don't think this will be a problem via app."

Correct, since there is no session involved in the same fashion as appears in a browser.

Just for extra paranoia, do not use any variable names in your post data that actually are what they are (and you won't be using the $_SERVER variables for storing/processing credentials). Do NOT pass a password in a variable named password, for instance. Just in case someone actually has managed to crack your SSL and is listening on the line.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
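Added example (not code from the thread or from AppGameKit): the stats-upload script that answers Naphier's question about where the database password lives. It is neither stored in the web-facing script nor passed in the URL: it sits in a config file outside the document root, the script refuses plain HTTP and GET, it reads POST fields with generic names as Ancient Lady suggests, and it checks the device token issued at registration. The Basic-auth user name and password from SetHTTPHost are assumed to be enforced by the web server for this directory (e.g. an .htaccess rule) rather than by this script; table layout, config path and field names are assumptions.

```php
<?php
// Added example: score-upload endpoint for the game's PHP/MySQL server.
// Assumed tables (not from the thread): the players table from the registration
// script, plus
//   CREATE TABLE stats (player_id CHAR(64), level INT, score INT, posted_at DATETIME);
declare(strict_types=1);

// Placeholder path, outside the document root: defines DB_DSN, DB_USER, DB_PASS.
// A browser cannot fetch it and the password never appears in any URL or log.
require '/home/example/private/config.php';

// Only accept TLS connections, so the SetHTTPHost credentials and the device
// token are never on the wire in the clear.
function isHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// The app proves who it is with the device token it received at registration.
// hash_equals() compares in constant time, so response timing leaks nothing.
function authenticate(PDO $db, string $playerId, string $token): bool
{
    if ($playerId === '' || $token === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT device_token FROM players WHERE player_id = ?');
    $stmt->execute([$playerId]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && hash_equals((string)$stored, $token);
}

// Prepared statement: the submitted values can never alter the SQL text.
function recordScore(PDO $db, string $playerId, int $level, int $score): void
{
    $stmt = $db->prepare(
        'INSERT INTO stats (player_id, level, score, posted_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$playerId, $level, $score]);
}

if (PHP_SAPI !== 'cli') {
    if (!isHttps() || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(403); // nothing is served over plain HTTP or GET
        exit;
    }
    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    // Generic field names: nothing called "password" or "token" in the POST body.
    $pid   = (string)($_POST['a'] ?? '');
    $tok   = (string)($_POST['b'] ?? '');
    $level = filter_var($_POST['c'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $score = filter_var($_POST['d'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);

    if ($level === false || $score === false || !authenticate($db, $pid, $tok)) {
        http_response_code(401);
        echo 'denied'; // same reply for a bad token and bad input: no hints
        exit;
    }
    recordScore($db, $pid, (int)$level, (int)$score);
    echo 'ok'; // the one-string reply the app reads back
}
```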
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 3rd May 2013 20:46
That's not extra paranoia. That's just smart!

Thanks for all this help!
I'm now working up the PHP and AppGameKit code for a little chat program since my game will need that feature.

I do wish notifications worked for Android though.

Have you (or anyone else who cares to comment) used notifications in iOS? I'm wondering how they work. Does the app need to stay in memory or is the notification pushed by something like Google's Cloud 2 Device Messaging (C2DM)?

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 3rd May 2013 20:51
I have not used any of the notification bits (or anything else in v108+) yet.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 3rd May 2013 20:55
Thanks. I started a new thread on that topic to see if anyone else knows.

Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 9th May 2013 05:03
@Ancient Lady -
Did you happen to get a chance to check to see if my issue with Android using login credentials with SetHTTPHost to get access to secured folders is due to my server setup or is a bug?

I know you're busy, so I'm not expecting that you've done so, but just wanted to check in case you've forgotten
I appreciate all of your help!

Ancient Lady
Valued Member
Joined: 17th Mar 2004
Location: Anchorage, Alaska, USA
Posted: 9th May 2013 16:56
Sorry, I got sidetracked with one of my own issues.

Which thread did you show some of the code that you were testing for that in? I know it was around somewhere.

Cheers,
Ancient Lady
AGK Community Tester and AppGameKit Master
Naphier
Joined: 2nd Oct 2010
Location: St Petersburg, Florida
Posted: 9th May 2013 16:59 Edited at: 9th May 2013 16:59
No worries. I couldn't find the thread either.
It is also in the Google Code project house:
https://code.google.com/p/agk/issues/detail?id=551&sort=-id

Thanks!!

