how to pass user login info to a script in a secure way?

Talk about ManiaLink development in this forum

Moderator: NADEO

jonasredant
Posts: 39
Joined: 10 Aug 2014, 17:26

how to pass user login info to a script in a secure way?

Post by jonasredant »

Hi,

I know this forum is for Trackmania 2, but for the older games there aren't many people
creating manialinks anymore or visiting that section of the forum...
I'm adding a simple poker game to my manialink (for Trackmania United Forever)
using PHP 5.2. This requires user login information to be passed to a PHP-script.

I can use the "AddPlayerID" attribute to pass the information in a link.
However this isn't a secure way to identify a user, because the user can
easily manipulate the link in the ingame browser. Is there a way to
pass the user login information in a secure way?

Greetings,

Jonas
Cerovan
Posts: 2007
Joined: 11 Jul 2011, 11:27
Location: France

Re: how to pass user login info to a script in a secure way?

Post by Cerovan »

You don't need to do it. Just use the manialib and the maniaconnect authenticator. ManiaConnect uses OAuth, which will give the player an access token to the application.

Once he's authenticated, the player will be instantiated in a Player class that you simply have to use :thumbsup:

More info here: https://code.google.com/p/maniaplanet-w ... arted?tm=6
Online Programmer & Meme Master ヾ(⌐■_■)ノ

jonasredant
Posts: 39
Joined: 10 Aug 2014, 17:26

Re: how to pass user login info to a script in a secure way?

Post by jonasredant »

Does manialib work with manialinks for Trackmania United Forever?
Also, do I really have to use it? I wonder if it can't be solved with this:

"something I've found to work well is to use POST to send a variable to the next page when the button is clicked. If someone tries to modify the URL and refresh the page, there won't be any variable posted, so you can deny access based on that. It doesn't matter what the variable contains as long as it's not empty."

I've read this on a forum as a reply for a guy that has the same problem that I have. But I don't understand what he means...
steeffeen
Translator
Posts: 2463
Joined: 14 Oct 2012, 16:22
Location: Germany

Re: how to pass user login info to a script in a secure way?

Post by steeffeen »

maniaconnect is only for maniaplanet
you will have to use the trackmania ws sdk
https://code.google.com/p/trackmania-ws-sdk/
there seems to be a similar technology in the OAuth2 namespace but i've no idea whether it's doing what you need

the post variable thingy should be basically something like using a URL for a label that's similar to

Code:

manialink="POST(http://xxx.com?check=true)"
that way it would be a POST request which can be checked in the php script, google it if you don't know how
Marcel summarised it here: http://forum.funtrackers.net/showthread ... 7#pid12427

no idea if this is even working in tmuf

@Cerovan: better post the up-to-date github link next time :P
Game Mode and Title Pack Creator, Developer, ShootMania-Player & more

ManiaControl, FancyManiaLinks
jonasredant
Posts: 39
Joined: 10 Aug 2014, 17:26

Re: how to pass user login info to a script in a secure way?

Post by jonasredant »

I already tried with post, but script doesn't execute if ($delen == 1) {... anymore

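Code:

<!-- manialink side: the quad the user clicks -->
<quad posn="7 15 -32" sizen="19 7" style="Bgs1" substyle="BgList" manialink="POST(jonas?dln=1)"></quad>

// PHP side: read the posted value without raising a notice when it is absent
$delen = isset($_POST["dln"]) ? $_POST["dln"] : null;

if ($delen == 1) {
    // code here should be executed when user clicks the quad
}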
steeffeen
Translator
Posts: 2463
Joined: 14 Oct 2012, 16:22
Location: Germany

Re: how to pass user login info to a script in a secure way?

Post by steeffeen »

well since your code block there contains only 2 small parts of the whole script it's hard to tell what's wrong
you will need to debug more i guess
maybe add a temporary label printing some information like the content of the following:

Code:

$text = print_r($_POST, true);
jonasredant
Posts: 39
Joined: 10 Aug 2014, 17:26

Re: how to pass user login info to a script in a secure way?

Post by jonasredant »

I already did so, $_POST does not contain 1 when the quad is pressed

$delen = $_GET["dln"]; does work, but then the user simply can type the url
steeffeen
Translator
Posts: 2463
Joined: 14 Oct 2012, 16:22
Location: Germany

Re: how to pass user login info to a script in a secure way?

Post by steeffeen »

well maybe you can't pass POST variables like that, who knows :D
but validating that it's a POST request instead of GET should help you already
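
As an added example (not code from any poster in this thread): checking the request method says nothing about who sent a request, while a server-side HMAC over the link parameters detects an edited login. `SECRET_KEY`, `sign_action()`, `ct_equals()` and `verify_action()` are hypothetical names, the login handed to `sign_action()` is assumed to have been authenticated beforehand by a trusted mechanism such as the web-services SDK mentioned in the thread, and the code sticks to functions available in PHP 5.2.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
// Assumption: $login was already authenticated by a trusted mechanism before
// sign_action() is called; this only protects the link from later tampering.

define('SECRET_KEY', 'replace-with-a-long-random-server-side-secret'); // placeholder

// Build the query string for a manialink action, bound to one login and expiry.
// Escape the result with htmlspecialchars() before placing it in the XML attribute.
function sign_action($login, $action, $expires) {
    $fields = array('login' => $login, 'dln' => $action, 'exp' => $expires);
    // URL-encoding the fields first keeps the MAC input unambiguous.
    $fields['mac'] = hash_hmac('sha256', http_build_query($fields), SECRET_KEY);
    return http_build_query($fields);
}

// Constant-time string comparison (hash_equals() only exists from PHP 5.6).
function ct_equals($a, $b) {
    if (strlen($a) !== strlen($b)) { return false; }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) { $diff |= ord($a[$i]) ^ ord($b[$i]); }
    return $diff === 0;
}

// Returns the verified login, or false if a parameter was altered or expired.
// Works the same for $_GET and $_POST: the request method is not what is trusted.
function verify_action($params, $now) {
    $fields = array();
    foreach (array('login', 'dln', 'exp', 'mac') as $k) {
        if (!isset($params[$k]) || !is_string($params[$k])) { return false; }
        if ($k !== 'mac') { $fields[$k] = $params[$k]; }
    }
    if (!ctype_digit($fields['exp']) || (int)$fields['exp'] < $now) { return false; }
    $expected = hash_hmac('sha256', http_build_query($fields), SECRET_KEY);
    return ct_equals($expected, $params['mac']) ? $fields['login'] : false;
}

// Constructed demo: a signed link, then the same link with the login edited.
$now = 1700000000; // constructed timestamp
parse_str(sign_action('jonas', '1', $now + 300), $good);
$edited = $good;
$edited['login'] = 'someone_else';

var_dump(verify_action($good, $now));   // unchanged parameters
var_dump(verify_action($edited, $now)); // login changed after signing
```

The first call returns the signed login and the second returns `false`; a link that is replayed unchanged still verifies until `exp` passes, so state-changing actions should also be tied to server-side session or game state.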