phildini / cards-against-django

CAH done as a Django web app.

Griefing - player name hijacking is possible #29

Open clach04 opened 11 years ago

clach04 commented 11 years ago

Anon users can impersonate other anon users as well as logged in users, simply by entering in the desired name to "steal" when joining a game.

Right now this is useful for debugging ;-)

clach04 commented 11 years ago

Stealing other anon player names is likely to be difficult to address unless we add some dumb password option (easiest option is likely to be to not allow anon users and use oauth).

Blocking anon users from impersonating Django registered users is feasible and should be done.

phildini commented 10 years ago

This is still partially applicable. Two anonymous users can have the same name, and if you choose the same name as a player you get the same session as the original player.

One fix could be to check the names of existing players in the lobby view form confirmation.
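As an added illustration of the lobby-side check proposed above (not code from cards-against-django), the join logic below keys a player on the session rather than the display name, refuses an anon name that matches a registered username, and refuses a name already in use by another session in the same game. The `Game`/`Player` structures, the `REGISTERED_USERNAMES` stand-in for the User table, and the session keys are all assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the registered-user table (django.contrib.auth in the app).
REGISTERED_USERNAMES = {"phildini", "clach04"}
_REGISTERED_CF = {u.casefold() for u in REGISTERED_USERNAMES}


@dataclass
class Player:
    name: str
    session_key: str        # identity is the session, never the display name
    registered: bool = False


@dataclass
class Game:
    players: dict = field(default_factory=dict)   # session_key -> Player


class JoinError(ValueError):
    """Raised when the lobby form should be rejected."""


def join_game(game, name, session_key, authenticated_user=None):
    """Attach a player to `game`, refusing name collisions.

    - A session that already joined gets its own Player back (reconnect).
    - A registered user plays under the account name and may rebind to a new
      session (device died, switched browser) because the account proves identity.
    - An anon user may not take a registered username nor a name already in use.
    """
    if session_key in game.players:
        return game.players[session_key]
    if authenticated_user is not None:
        name, registered = authenticated_user, True
    else:
        name, registered = name.strip(), False
        if not name:
            raise JoinError("name required")
        if name.casefold() in _REGISTERED_CF:
            raise JoinError("name belongs to a registered user; log in to use it")
    for p in list(game.players.values()):
        if p.name.casefold() == name.casefold():
            if registered and p.registered:
                # same account from a fresh session: move the Player to it
                del game.players[p.session_key]
                p.session_key = session_key
                game.players[session_key] = p
                return p
            raise JoinError("name already taken in this game")
    player = Player(name=name, session_key=session_key, registered=registered)
    game.players[session_key] = player
    return player
```

Case-folding the comparison stops "Alice" from slipping past a check that only rejects "alice"; the anon reconnect-after-crash case the thread mentions is not solved here, since an anon session has nothing to prove it is the original player.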

clach04 commented 10 years ago

I'm tempted to leave this as-is. This is a compelling reason to log in :-)

It is no longer possible to hijack registered users since cb3d2fc.

One example scenario where this is useful: anon user playing a game, device dies (e.g. battery dies) and they switch browsers. Allowing them to connect would be desirable in this situation.