Twilight Forums

Idle chat for wannabe heroes

All times are UTC - 7 hours




PostPosted: Wed Nov 07, 2007 5:07 am 

Joined: Mon Nov 05, 2007 3:41 am
Posts: 23
Location: Ireland
Not likely to become an issue while the game is this small, but it could at a later date as the game becomes bigger and people accumulate assets that become valuable in the real world (as in custom items, more items of the month, large amounts of chips etc.)

Basically you currently send the password from the login page to your verify page as plain text. This makes it vulnerable to traffic monitors. This is potentially an issue in school or college networks, or in large internet cafes. What a traffic monitor does is catch all packets (how info is sent over the net) that would be going to your verify page from the network where it is placed. These could then be sorted through to find usernames and passwords.

There are two ways around this. The first is a secure cert. All SSL communication is encrypted before it is sent, and then decrypted on the server. This can be server intensive and requires of course that you are paying for a secure cert.

The second method is utilizing what is called a challenge response method. This works as follows. Instead of sending a plain text username and password to the server, the login page first generates a unique single use challenge. When the person submits their information, this challenge is combined with their hashed password and their username, and the whole lot is hashed. Then just the plain text username and this hashed response are sent. This action is then repeated by the server and the hashes are compared. This means, should the traffic be intercepted, it is pretty much useless. The hash will not be usable again because the challenge can only be used once.

There is a guide to implementing this system using SHA256 at http://forums.devnetwork.net/viewtopic.php?t=38810 but it is fairly easy to implement it using any hashing system (such as md5 or sha1).

This is the same system that KoL uses (this is why your password field blanks out after you hit submit there).
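The challenge-response login described in the post above, written out as an added Python example (this is not code from the forum, from the game, or from the linked guide). It assumes the server keeps a SHA-256 hash of each password, issues a random single-use challenge when the login page is rendered, and the client sends only the username, the challenge and SHA-256(challenge : stored-hash : username); the user list, the `hero` account and its password are constructed sample data. The example also shows the property the post relies on: a captured response replayed later is rejected because the challenge has already been consumed.

```python
import hashlib
import hmac
import secrets


def hash_password(password: str) -> str:
    """Client-side password hash (SHA-256 hex), as in the scheme described."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def compute_response(challenge: str, hashed_password: str, username: str) -> str:
    """Hash of challenge + hashed password + username.

    Fields are joined with ':' so that no two different (challenge, hash,
    username) triples can produce the same concatenated string.
    """
    material = f"{challenge}:{hashed_password}:{username}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class LoginServer:
    """Minimal server side: issues challenges and verifies responses."""

    def __init__(self, users: dict[str, str]) -> None:
        # username -> stored SHA-256 of the password (constructed sample store)
        self._users = dict(users)
        # outstanding challenges; each may be redeemed at most once
        self._challenges: set[str] = set()

    def new_challenge(self) -> str:
        """Generate a fresh random challenge to embed in the login page."""
        challenge = secrets.token_hex(16)  # 128 bits of randomness
        self._challenges.add(challenge)
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        """Recompute the response from the stored hash and compare."""
        if challenge not in self._challenges:
            return False  # unknown, expired, or already used (replay)
        # Consume the challenge even if the attempt fails, so a captured
        # response can never be retried against the same challenge.
        self._challenges.discard(challenge)
        stored_hash = self._users.get(username)
        if stored_hash is None:
            return False
        expected = compute_response(challenge, stored_hash, username)
        # constant-time comparison avoids leaking how many hex digits matched
        return hmac.compare_digest(expected, response)


def client_login(server: LoginServer, username: str, password: str):
    """What the login page does: fetch a challenge, hash, send only the response.

    Returns (wire_message, accepted). The wire message is exactly what a
    traffic monitor on the path would capture; the password is not in it.
    """
    challenge = server.new_challenge()
    response = compute_response(challenge, hash_password(password), username)
    wire = {"username": username, "challenge": challenge, "response": response}
    return wire, server.verify(**wire)


def demo() -> tuple[bool, bool, bool]:
    """Genuine login succeeds; replaying the capture and a wrong password fail."""
    server = LoginServer({"hero": hash_password("correct horse")})  # sample user
    captured, first_ok = client_login(server, "hero", "correct horse")
    replay_ok = server.verify(**captured)  # same bytes sent a second time
    _, wrong_ok = client_login(server, "hero", "not the password")
    return first_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting when applying this: the stored hash is itself enough to compute a valid response, so the user table must be protected as if it held the passwords; and the challenge set needs an expiry or size bound, otherwise abandoned login pages accumulate entries indefinitely.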


PostPosted: Wed Nov 07, 2007 5:38 am 

Joined: Sat Apr 07, 2007 6:48 pm
Posts: 477
Location: Also Through The Dimensional Gate
Correct me if I'm wrong, but I'm pretty sure KoL was using plain text for quite a while....


PostPosted: Wed Nov 07, 2007 5:40 am 

Joined: Mon Nov 05, 2007 3:41 am
Posts: 23
Location: Ireland
It was indeed. Up until last year I think.

They changed to this method for the reasons given above.

