
Secure session tokens format (#4963)

Open gesior opened this issue 6 months ago • 0 comments

This PR is based on https://github.com/otland/forgottenserver/pull/4958 , because without it, it was very hard to test the built-in HTTP server.

TODO

  • decide whether it's fine that class SessionToken is in game.cpp / game.h - should it be moved to separate files sessiontoken.cpp and sessiontoken.h?
  • add a migration that drops the sessions table in the database

Changes Proposed

Replace the current TFS session token algorithm with a new version that:

  • does not use the database
  • detects when the account password changes
  • has optional IP validation (default false, in config.lua: sessionTokenIpVerification = false)
  • has configurable expiration time (default 30 days, in config.lua: sessionTokenExpirationTime = 30 * 24 * 3600)
  • uses a SHA-256 signature to detect token modification, with a configurable secret signing key (default "" [empty string], in config.lua: sessionTokenSecretKey = "")
  • works with PHP acc. makers (MyAAC, login.php that works with MyAAC: https://gist.github.com/gesior/6fb7e194a1aedb7980e98399bcca628d ) - I will make a PR to MyAAC after this PR is merged into TFS

gesior Jul 08 '25 21:07