Search Unity

  1. New Unity Live Help updates. Check them out here!

    Dismiss Notice

Is it secure to store the session_id received from php in PlayerPrefs?

Discussion in 'Connected Games' started by electro_unity, Feb 19, 2019.

  1. electro_unity

    electro_unity

    Joined:
    Nov 29, 2015
    Posts:
    54
    Is there any other more secure way?
     
  2. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    7,769
    PlayerPrefs depending on the platform is just stored in clear text in a file, or stored in clear text in the Windows Registry.

    Literally any form of encryption or obfuscation would inherently be more secure, since you're comparing to no security.
     
  3. electro_unity

    electro_unity

    Joined:
    Nov 29, 2015
    Posts:
    54
    Thanks for your answer. Is there any secure way to encrypt that variable even if someone get access to the code with reverse engineering?
     
  4. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    7,769
    Well the file or registry location is in a standard location, so there is no reverse engineering needed to find the data. There is also no way to prevent someone from going through your executable and figuring out how to decode whatever you save. All you can do is increase the skill level or time investment required to do so. There is no such thing as an entirely secure way to save data on the client using code you've placed on the client.

    I'd suggest researching the topic of local encryption for more information on the issues, as this isn't really a game specific topic.
     
  5. Zante

    Zante

    Joined:
    Mar 29, 2008
    Posts:
    375
    No one has asked what you're trying to achieve. Why are you storing the session_id in PlayerPrefs?
     
  6. drcrck

    drcrck

    Joined:
    May 23, 2017
    Posts:
    283
    What's the point of encrypting session_id?
    It's not a secret, it's easily accessible in a browser like any other cookie, because it's meant to be sent as plain text anyway.

    All security related to sessions should be server-side only. Don't trust the client.
     
  7. electro_unity

    electro_unity

    Joined:
    Nov 29, 2015
    Posts:
    54
    I'd like to store it anywhere on the client machine in order to avoid him to re enter his credentials each time he open the game.

    Yes, if the client server is compromised, all cookies are vulnerable. Hence I don't know if I'm trying to solve a problem "out of my jurisdiction".
     
unityunity