Account verification on the masterserver (mapsharing, etc...)


Post by Lewa » Sun Jun 05, 2016 11:19 pm

Now, I did run into an issue which I haven't been able to resolve (fully) as of yet.
I thought that I'll make this public and explain my thoughts and design decisions of the user verification system on the current server design.

As some of you might know, I plan on running a master-server for Celaria which will handle tasks such as map leaderboards, player statistics and mapsharing.
One of the biggest things which I wanted to make sure is that personal user data is secure. (No one wants his own data getting compromised.)

In order to avoid this problem altogether, I decided (at least that is the current plan...) to not use any kind of personal user data for account-verification on the master server.

This means that the game will automatically register a user's SteamID (once the game is on Steam) on the server and give the user a unique "Password" which will be used for login purposes (on the game client and on the website for the master-server). Players can also generate a new password from within the game client. (Yes, passwords are automatically generated. This makes sure that no one gets the idea to use his email password for the in-game account.)

This allows the server to verify users without giving away any personal data.

Now, the issue here is that due to non-existing personal data, I can't guarantee that someone (if he finds a way) is able to log in to other users' accounts. Users will still be able to reset their account's password (even if someone else logged in and changed it) but this doesn't mean that they couldn't gain access to other accounts again.

To minimize the risk of unauthorized users altering data (especially of custom maps) I thought about the following rule:
-> Once a user has uploaded a custom map onto the master server, he/she will be able to delete/alter the map's information within 12-24 hours (or even delete the map). After that the data will be "frozen" and no one will be able to alter/change or delete the map from the server.
This makes sure that maps can't be deleted from the server anymore, even if someone (successfully) logs into other users' accounts.


So basically, this system does make personal user data 100% secure (by not storing anything of that at all. :P) but this comes at the expense of verification/account security.

Not sure if I'll stick to this system or if I'll find an alternative. (Securing user data is at the top of my priority list.)

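A minimal sketch of the scheme described in the post, added here as an example and not Celaria's actual server code: the server issues a random password per SteamID, keeps only a salted hash, and refuses map changes once the freeze window has passed. Python, PBKDF2, the 24-hour cutoff, the in-memory dicts and every function name are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

FREEZE_AFTER_SECONDS = 24 * 3600   # assumption: upper end of the 12-24 hour window
accounts = {}   # steam_id -> (salt, password hash); no personal data is stored
maps = {}       # map_id -> {"owner", "uploaded_at", "title"}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def issue_password(steam_id):
    """Generate (or regenerate) the account password; only its salted hash is kept."""
    password = secrets.token_urlsafe(24)          # server-chosen, never user-chosen
    salt = secrets.token_bytes(16)
    accounts[steam_id] = (salt, _hash(password, salt))
    return password                               # shown to the client once

def verify(steam_id, password):
    record = accounts.get(steam_id)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash(password, salt))  # constant-time compare

def upload_map(steam_id, password, map_id, title, now=None):
    if not verify(steam_id, password):
        raise PermissionError("login failed")
    if map_id in maps:                            # re-upload must not reset the freeze clock
        raise PermissionError("map id already exists")
    # The upload time is recorded by the server; `now` exists only so tests can set the clock.
    maps[map_id] = {"owner": steam_id, "title": title,
                    "uploaded_at": time.time() if now is None else now}

def alter_map(steam_id, password, map_id, title=None, delete=False, now=None):
    """Alter or delete a map; refused for non-owners and for frozen maps."""
    now = time.time() if now is None else now
    entry = maps.get(map_id)
    if not verify(steam_id, password) or entry is None or entry["owner"] != steam_id:
        raise PermissionError("not authorised")
    if now - entry["uploaded_at"] >= FREEZE_AFTER_SECONDS:
        raise PermissionError("map is frozen")    # holds even for a valid login
    if delete:
        del maps[map_id]
    else:
        entry["title"] = title
```

The freeze check runs after authentication and uses only the server-side timestamp, so a hijacked account can still change a map inside the window but not after it.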