Custom Login Failure Disconnect Time


Postby albymack » 18 May 2022, 17:35

I've implemented a custom login in my zone extension following the examples. It works. My question is about what happens when the user password is incorrect.

I noticed on the client side, I get the login error thrown from the server with the error message pretty quickly. But the actual disconnect event that comes from the socket disconnecting doesn't happen until after some time (the server login timeout, which I left at default 30s).

Is this expected behavior? If so, doesn't this open up the server to DoS attacks? Make enough requests of the server with random passwords, and it'll eat up all of the server's socket connections since they don't get released for 30s? Is there a way in the custom extension to disconnect the socket connection sooner once it's detected they have the wrong password?

I do call disconnect from the client side to close the connection once I receive the login error. But malicious actors will not be nice about it.

Re: Custom Login Failure Disconnect Time

Postby Lapo » 19 May 2022, 08:10

Sure,
if you're worried about this kind of abuse you could shut down the connection immediately.
At the same time I am not sure if it's the best approach for legitimate users. If I typed my password incorrectly I'd like to get at least another chance before being kicked out.

In any case what you ask can be done by calling:

getApi().disconnect(sessionObj);

where sessionObj is the session object passed in the Login event.

Cheers
Lapo
--
gotoAndPlay()
...addicted to flash games
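
The trade-off raised in this thread (release the socket early, yet give a mistyped password another chance), sketched as an added example that is not part of either post and is not SmartFoxServer's own code. The class name, the `loginFailures` session property, the three-attempt limit and the in-memory credential map are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.Map;

import com.smartfoxserver.bitswarm.sessions.ISession;
import com.smartfoxserver.v2.core.ISFSEvent;
import com.smartfoxserver.v2.core.SFSEventParam;
import com.smartfoxserver.v2.exceptions.SFSErrorCode;
import com.smartfoxserver.v2.exceptions.SFSErrorData;
import com.smartfoxserver.v2.exceptions.SFSException;
import com.smartfoxserver.v2.exceptions.SFSLoginException;
import com.smartfoxserver.v2.extensions.BaseServerEventHandler;

// Hypothetical handler, registered in the zone extension for SFSEventType.USER_LOGIN.
public class LimitedLoginHandler extends BaseServerEventHandler {
    private static final int MAX_FAILURES = 3;               // assumed policy
    private static final String FAILS_KEY = "loginFailures"; // assumed property name
    // Constructed stand-in for the real credential store.
    private static final Map<String, String> PASSWORDS =
            Collections.singletonMap("alice", "constructed-password");

    @Override
    public void handleServerEvent(ISFSEvent event) throws SFSException {
        String name = (String) event.getParameter(SFSEventParam.LOGIN_NAME);
        String sent = (String) event.getParameter(SFSEventParam.LOGIN_PASSWORD);
        ISession session = (ISession) event.getParameter(SFSEventParam.SESSION);

        String stored = PASSWORDS.get(name);
        if (stored != null && getApi().checkSecurePassword(session, stored, sent)) {
            session.setProperty(FAILS_KEY, 0); // reset the counter on success
            return;                            // login accepted
        }

        // Count failures on the session itself, so the limit applies per socket.
        Integer previous = (Integer) session.getProperty(FAILS_KEY);
        int failures = (previous == null ? 0 : previous) + 1;
        session.setProperty(FAILS_KEY, failures);

        if (failures >= MAX_FAILURES) {
            trace("Closing session after " + failures + " failed logins from "
                    + session.getAddress());
            // Release the socket now instead of waiting for the login timeout.
            getApi().disconnect(session);
        }

        // Same error for an unknown user and a wrong password.
        SFSErrorData data = new SFSErrorData(SFSErrorCode.LOGIN_BAD_PASSWORD);
        data.addParameter(name);
        throw new SFSLoginException("Login failed for user: " + name, data);
    }
}
```

The counter lives on the session, so it bounds attempts per connection only; a client that reconnects starts again at zero. Whether the login error still reaches the client once the session has been disconnected is not covered by the thread.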
