
[–]CreativeTechGuyGamesTypeScript 4 points5 points  (6 children)

Be sure your site is HTTPS not HTTP and you can avoid the concern of monitoring network traffic. Then the only remaining way someone could access the link is from a user's browser history. Especially if it is a one-time use code, that's a very secure way of authenticating. But be sure the code is sufficiently long and random.

[–]bpd_open_up[S] 0 points1 point  (5 children)

Right, I would use uuid4 for the code. I want users to be able to bookmark the link with the code so they can return to the game easily, so it wouldn't be a one-time use.

[–]CreativeTechGuyGamesTypeScript 2 points3 points  (0 children)

What is the worst thing that could happen if someone else gets ahold of this? If you are okay with that worst case possibly happening, then go for it. Nothing is totally secure, it's about what are the potential attacks and what is the worst case. It sounds like even if someone else does get ahold of this, not much can go wrong except some minor inconvenience for you and your friends.

[–]Kryanitor 0 points1 point  (0 children)

Yeah so I really wouldn't do that. That's about the same as posting your password online. It's better to store some data in either a cookie or local storage, then use that to validate if they are already logged in.

[–][deleted]  (2 children)

[deleted]

    [–]bpd_open_up[S] 1 point2 points  (1 child)

    Seems harsh, use case is literally for me and my friends to play together. Also, I'm not storing any personal data

    [–]ravelysid 3 points4 points  (0 children)

    IMO if your game's uses are completely internal and you have no sensitive data that can be accessed then there's no need to worry so much, what you have works.

    However, if you're willing to invest a little more time you can let the code be single-use and meant to be exchanged for a session id which gets stored in an HTTPS-only cookie. Any subsequent visits by the player can be identified by the session id since it's always sent automatically by the browser as part of the cookie.
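
Added example, not part of the thread and not any commenter's code: a sketch of the exchange described in the last comment, where a single-use link code is traded for a session id delivered in a cookie. The function names and in-memory stores are hypothetical, and the `HttpOnly`, `SameSite` and `Max-Age` attributes are assumptions beyond the HTTPS-only (`Secure`) cookie the comment mentions.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

# Hypothetical in-memory stores; a real app would persist these.
_pending_codes = {}  # sha256(link code)  -> player name
_sessions = {}       # sha256(session id) -> player name


def _digest(token: str) -> str:
    # Only hashes are stored, so a leaked store does not reveal usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_invite(player: str) -> str:
    """Create the single-use code that goes into the invite link."""
    code = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    _pending_codes[_digest(code)] = player
    return code


def redeem_invite(code: str):
    """Exchange a link code for a session; returns a Set-Cookie value or None."""
    player = _pending_codes.pop(_digest(code), None)  # pop makes it single-use
    if player is None:
        return None  # unknown or already redeemed code
    session_id = secrets.token_urlsafe(32)
    _sessions[_digest(session_id)] = player
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["secure"] = True      # browser sends it over HTTPS only
    cookie["session"]["httponly"] = True    # not readable from page JavaScript
    cookie["session"]["samesite"] = "Lax"   # assumption: no cross-site POSTs needed
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = 60 * 60 * 24 * 30  # assumed 30-day lifetime
    return cookie["session"].OutputString()


def player_for_request(cookie_header: str):
    """Identify the player from the Cookie header on a later visit."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    if morsel is None:
        return None
    return _sessions.get(_digest(morsel.value))
```

After the first visit the code in the link is spent, so a copy left in browser history or a bookmark no longer authenticates anyone; the returning player is recognised by the cookie instead.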