Centralised authentication
Feature Suggestions
If you have suggestions for new features, post them to the forum, where developers and other players will voice their opinions on your idea. Only post them under Requested features if you have first started a forum thread, and definitely don't create a separate page unless it's under your user page.

A proposal by MarkR.


Why we need it

How authentication works now

We just have two passwords, one server password for creating a new company, and one for connecting to an existing company. Passwords are stored in memory on the server and sent in plaintext, in the clear.

The list server does not do any authentication on servers - the server name is not checked against IP.


Client decides it wants to connect to server X:


  1. . Client never sends username / password to OTTD server (as currently)
  2. . R1 value means that sniffing the session ID is useless, as another server will use a different R1 value
    (and indeed the same server will use a different R1 value if you connect again)
  3. . Man-in-the-middle attack is still possible unfortunately, by using a modified server which also behaves as a client and "passes through" the authentication. Once it's authenticated, this modified client can do a session-hijack.
  4. . In the interim, if we're super-worried about the security of passwords being sent in the clear/to server owners, it should be a relatively trivial issue to implement a quick salting & hashing system. For a game server this is probably overkill.
  5. . Also, wouldn't it be neat using OpenID? I totally fail to see how this would work, but it's an interesting thought.