[sldev] [AWG] realXtend login process for distributed virtual worlds

Argent Stonecutter secret.argent at gmail.com
Mon Mar 17 06:21:41 PDT 2008


On 2008-03-17, at 07:42, Jani Pirkola wrote:
> 1: The user enters username and password to the viewer, the viewer  
> contacts authentication.org with username and password.

Over an SSL connection I hope, or the user sends a time dependent nonce.

> 2: authentication server sends back a disposable random hash (the  
> hash is valid for only 2 minutes)

And only once.

> 3: The viewer connects to a world (e.g. http://www.exampleworld.com:9000/)
> and sends the username (e.g. user at authentication.org) and the hash

If the hash is replayable, then exampleworld.com can now use the same  
hash to log into expensiveworld.com as the same avatar.

Possible solutions, if you want to allow the hash to be replayable,  
would be to include the domain of the world the user wants to log in  
to in the information the viewer sends to the authentication server  
to be included in the hash, or the hash contains the address the  
connection came from.


