Minilogin to public server? (i'll settle for the minilogin source code)

[Aerewen]

oh super...

so uh... i mean i get the whole security risk to all the EQEMU servers out there if the code was released... but then why not release 2 builds of it? one that uses IP address and 1 that uses the userid/password fields to authenticate?

The minilogin system doesnt seem like it's all that complicated... it accesses the mysql db, runs: SELECT * FROM `account` WHERE `minilogin_ip` = 'currentip'; or somethin similar to get the account info... if no result is returned it spits out the invalid account opcode to the client and resumes the process of sitting there being happy till the next client comes along...

wouldnt be all that hard to change it to selecting the row based on userid instead of minilogin_ip and comparing the password with the one returned...

or if we really wanted to be efficient... just select with both the userid and password... then u dont even have to change the rest of the code.

if the dev team is too busy to do it... then lemme know how to get in touch with em and i'll do it

[Aerewen]

actually after watching the minilogin and world.exe windows while logging in...

it seems minilogin doesnt actually check anything at all... you can connect to it from any computer with any username and any password and it allows you in...

world.exe actually checks your ip address against the database and gets your account information from that...

which is fine really... what we need to do now is change minilogin to check the user/pass and then modify the IP address in the database accordingly... this way a player has to actually have an account to play on the server, but the server will still compare by IP address to ensure that only 1 account per IP can be used (which i think is the way most server admins would prefer it... but I may be wrong)

If any of the dev's come through here and see this... any chance of a PM or something so I can help out?

[John Adams]

This topic has been beaten to death, and the only results you might get are terse "no" responses. Due to the securities issue, I am confident Minilogin.exe is as it is, forever. Might be one of the only things holding back SOE from swinging through here with a wrecking ball, is the devs refusal to release that source.

[Aerewen]

Nonono :P I'm not asking to release the source to the public...

I'm asking to join the dev team and fix it myself to release an updated binary to the public

IMO PEQ admins should have the ability to choose whether to base accounts on IP or login info... what happens when you have a family of former EQ-ers who want to play on a PEQ server? You have to politely, yet regretfully, inform them that the server only supports authentication by IP address, not by username/password... wouldnt be that hard to add a variable to the database to switch world.exe from checking IP to username/password, then world.exe and minilogin.exe can both read the variable and act accordingly.

minilogin checks IP, public login checks user / pass.

Thats the way it is, thats the way it will always be.

There are reasons for this, many of them, all already covered in threads just like this one.

[Aerewen]

when you say public login... you are referring to the login hosted on eqemulator.net right?

im suggesting the editing and release of a new minilogin so that users can host their own login server and not have to rely on eqemulator's login server for their connections

as it stands say i host a server on my home network... i can DMZ, set port forwarders etc etc etc till im blue in the face, but the eqemu server will still read incoming connections as 192.168.0.1 from the router... there is no way around it (trust me i tried :P) and i know there's gotta be a ton of people out there who have taken the time to learn eqemu, php, mysql, perl, and all the other stuff only to get the server running and *sigh* when they realize they cant play with 10 of their buddies at the same time because their router prevents it.

i just feel it would be worth the couple days of coding to release a minilogin/world.exe that checked accounts off username/password

i mean yeah i know the client software encrypts them before sending to the server... but it's not like we would be allowing people to edit the minilogin source to see the encryption used

Allowing anyone to host a login server is a bad idea for many reasons and will not happen.