Edited by: Wollari on 05/04/2011 12:18:10
I know the IGB headers can be faked and are not a trustworthy method to determine the user's identity. Yesterday, after playing around with PayPal IPN (for something totally different), I thought the method used isn't that bad.

The goal:
Add a serverTime + checksum to the IGB headers and create an API call that verifies the integrity of a given header.

The checksum:
The checksum could be created over the given IGB headers + a (daily/hourly changed) secret/salt. To enhance security, the EVE server could provide a character-specific salt for a specific time period, for example together with the list of blacklisted webpages the IGB fetches. This way the salt isn't guessable.

The verification:
The 3rd party site sends all received headers to the API server; the API server generates the checksum itself and compares it with the given checksum.

No TQ/database needed:
If you verify only the given header data + checksum, there's no actual TQ/database access required, which allows instant verification.

Verification flow:

// DRAFT SIMPLE IGB VERIFICATION with a header checksum+salt

Example client implementation: http://pastie.org/1757995
The use of a secret salt isn't the best way, but this prevents the API
server from having to query the database in order to verify the user. The goal is to create
a simple way to verify an ingame browser header for authentication and
location based services.
The idea was based on the same method PayPal is using to verify the IPN (Payment
1) Ingame Browser header creation
  * add all default EVE headers
  * add HTTP_EVE_TIME = current server time
  * add HTTP_EVE_CHECKSUM = HASH( <secretSalt> | HTTP_EVE_CHARID=12345 | HTTP_EVE_SOLARSYSTEMID=32456 | [...] | HTTP_EVE_TIME=(server time) );

2) Deliver header to 3rd party website
  * extract all HTTP_EVE_ headers and build a new URL string (in the same order)
  * send data to API server via GET or POST to /eve/VerifyHeader.xml.aspx

3) API server validates incoming headers
  * HTTP_EVE_TIME must not be older than 5 minutes
    (prevents use of outdated, sniffed or faked headers)
  * create HASH string of all incoming headers except HTTP_EVE_CHECKSUM, the same
    way the IGB did
  * no database connection needed
  * if HASH == HTTP_EVE_CHECKSUM return valid=true, else false

4) 3rd party website saves the verification state in session storage to avoid
   verification of every single page request!
Sure, the browser code could still be reverse engineered and people could be able to fake headers, but the entry level is set higher. So people can trust positions to a certain degree for simple services.
Sure, high level services will still require API access and more.
What do you think?
Before you ask: This method should never replace any kind of real security and user authentication stuff. It just adds a checksum to the header for verification.
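As an added illustration of the verification flow proposed in the post (this is example code written for this page, not the author's pastie and not anything CCP ships), here is both sides of the exchange in Python: the IGB side stamps HTTP_EVE_TIME and computes the checksum over the HTTP_EVE_ headers, and the API side re-derives it with the shared salt, enforces the 5 minute freshness window and compares in constant time. It goes slightly beyond the post's HASH(salt | headers) by using HMAC-SHA256 keyed with the salt instead of prefixing the salt to a plain hash, and by sorting header names rather than relying on "the same order" being preserved by every HTTP stack. The salt value, the header set and the timestamps are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder: the post proposes a per-period (and ideally per-character)
# secret delivered by the EVE server; a real deployment would never hard-code it.
SECRET_SALT = b"example-salt-not-a-real-secret"
MAX_AGE_SECONDS = 300       # "HTTP_EVE_TIME must not be older than 5 minutes"
CLOCK_SKEW_SECONDS = 60     # assumption: tolerate a little clock drift into the future


def canonical_string(headers):
    """Join every HTTP_EVE_ header except the checksum itself as name=value pairs.

    Sorting by name means the IGB and the API server agree on the order even if a
    proxy or web framework in between reorders headers."""
    parts = [
        "%s=%s" % (name, value)
        for name, value in sorted(headers.items())
        if name.startswith("HTTP_EVE_") and name != "HTTP_EVE_CHECKSUM"
    ]
    return "|".join(parts)


def make_checksum(headers, salt=SECRET_SALT):
    # HMAC instead of HASH(salt | data): keyed construction, no length-extension issue.
    return hmac.new(salt, canonical_string(headers).encode("utf-8"), hashlib.sha256).hexdigest()


def igb_build_headers(eve_headers, server_time, salt=SECRET_SALT):
    """Step 1 of the flow: the IGB adds HTTP_EVE_TIME and HTTP_EVE_CHECKSUM."""
    headers = dict(eve_headers)
    headers["HTTP_EVE_TIME"] = str(int(server_time))
    headers["HTTP_EVE_CHECKSUM"] = make_checksum(headers, salt)
    return headers


def api_verify_header(headers, now, salt=SECRET_SALT, max_age=MAX_AGE_SECONDS):
    """Step 3 of the flow: returns (valid, reason) without touching any database."""
    try:
        sent = int(headers.get("HTTP_EVE_TIME", ""))
    except ValueError:
        return False, "missing or malformed HTTP_EVE_TIME"
    # Reject stale (replayed/sniffed) headers and headers stamped in the future.
    if now - sent > max_age or sent - now > CLOCK_SKEW_SECONDS:
        return False, "HTTP_EVE_TIME outside the accepted window"
    given = headers.get("HTTP_EVE_CHECKSUM", "")
    expected = make_checksum(headers, salt)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(given, expected):
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values taken from the post's example (CHARID / SOLARSYSTEMID).
    sample = {"HTTP_EVE_CHARID": "12345", "HTTP_EVE_SOLARSYSTEMID": "32456"}
    signed = igb_build_headers(sample, server_time=1000)
    print(api_verify_header(signed, now=1100))          # fresh, untampered
    print(api_verify_header(signed, now=1400))          # older than 5 minutes
    forged = dict(signed, HTTP_EVE_SOLARSYSTEMID="30000142")
    print(api_verify_header(forged, now=1100))          # location changed after signing
```

The two rejection paths are the ones the post cares about: a header replayed after the window closes fails on HTTP_EVE_TIME before any hashing happens, and a header whose location or character id was edited after the IGB signed it fails the checksum. Because every input to the check travels with the request, the API server needs nothing but the current salt in memory.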