Vetting The Source of RPCs

edited August 2011 in Photon Server
I need to be able to trust, at the very least, the validity of the identity of a server-authorized (login/pass) peer. I assume this is already handled when a connection is established and a peer is created (The server is then keeping track of the identity of that peer) but my head is kind of swimming. Can I simply use an Actor's associated avatar.ID (server-side) for incoming operations and trust that it can't be spoofed so long as I don't actually trust information from operation parameters?

Hope this makes sense - not getting much sleep lately.


  • I think you should implement a "authorize" operation for a peer. This should verify a session id or username/password with some DB and could be called encrypted, if you want to. Until someone is authorized, deny critical operations for this client.
    After that, you can be pretty sure that the client is the same. We identify connections by the ip:port pairs (of client and server), so this is relatively safe. If anything security-related should be done, encrypt the operation - the exchanged keys make sure it's either the "right" client or it's refused (as not de-cipherable).