I have a (client/server communication) setup right now like so:
1) Client asks user for username and pass
2) Client sends this to the server using port 80 (over the web)
3) Server responds saying whether this is the right password (correctpass/wrongpass) and if it is correct, it will send an encryption key to the client.
4) Client sends a series of commands to the server (all commands start with the encryption key that the server gave to the client).
5) Server checks the encryptionKey to identify the client and responds to the commands
My question is:
Is this the right way to keep things secure? I am not sure whether sending a single encryption key back and forth is going to do any good. Would it help more to have the client generate an encryption key and have the server verify it?
What I want to do is have something like what Facebook does to authenticate its apps. For example, I can imagine that Facebook does something to prevent me from stealing the raw password through a program like Wireshark or a TCP analyzer.
If it matters at all, my program is written in C# and uses standard HTTP to send/receive data.
Thanks,
Rohit
To keep most of the things you are doing the same, you can simply change your steps to:
1) Client asks user for username and pass
2) Client establishes an SSL connection to the server.
3) Client sends username and password over the SSL connection.
4) Server responds saying whether this is the right password (correctpass/wrongpass).
5) Client sends a series of commands to the server (all commands are sent through the same SSL connection that was used to send the password).
The server does not need to keep re-verifying the user’s identity on every message; as long as you are using one continuous connection, the SSL layer does all of that work for you invisibly behind the scenes.
On another note, Facebook does nothing like what you are describing; they use OAuth. Here is a basic example of how OAuth works (from Yahoo’s developer page):
So you do step 1 once per application as you write it; steps 2-4 get done once per user to associate the application with their account; then you only need to do step 5 until the token received in step 4 expires (it could be anywhere from hours to days, depending on the site). Once the token expires you just need to repeat step 4 (or, if that fails, steps 2-4) and the user can use the program again.
Step 3 is where they enter the password information, but note that they are entering their password on Yahoo’s website, so your program never gets to touch the user’s username and password (that is the entire point of OAuth!).
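The revised flow from the answer, as an added example in Go (it is not the asker's C# program and not code from the answer; Go is used because its standard library has the TLS pieces built in): the server takes the password once, as the first LOGIN line inside the TLS connection, and keeps the logged-in state in that connection, so later commands carry no key at all. The function names, the LOGIN wire format, the demo password and the certificate file paths are assumptions made for this example.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"crypto/tls"
	"fmt"
	"net"
	"strings"
)

// serve handles one client connection: a LOGIN line carries the password and
// every other line is a command. The logged-in flag belongs to this connection
// only, so commands carry no key and a copied command is useless elsewhere.
func serve(c net.Conn, password string) {
	defer c.Close()
	authed := false
	for sc := bufio.NewScanner(c); sc.Scan(); {
		fmt.Fprintln(c, reply(&authed, sc.Text(), password))
	}
}

// reply is the per-line protocol logic, kept separate so it can be tested
// without TLS. Replies reuse the question's correctpass/wrongpass strings.
func reply(authed *bool, line, password string) string {
	switch {
	case strings.HasPrefix(line, "LOGIN "):
		pw := strings.TrimPrefix(line, "LOGIN ")
		*authed = subtle.ConstantTimeCompare([]byte(pw), []byte(password)) == 1
		if *authed {
			return "correctpass"
		}
		return "wrongpass"
	case !*authed:
		return "error: not authenticated"
	}
	return "ok: " + line
}

// listenTLS wraps the TCP listener in TLS so username, password and commands
// are all encrypted. certFile/keyFile (assumed paths) hold the server cert/key.
func listenTLS(addr, certFile, keyFile string) (net.Listener, error) {
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	return tls.Listen("tcp", addr, cfg)
}
```

The client side is `tls.Dial` to the server's hostname with certificate verification left on (no `InsecureSkipVerify`), then one LOGIN followed by commands on that same connection; in C#, `SslStream` or an `https://` endpoint plays the same role.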