I usually don’t make forum posts when trying to figure stuff out but this time I’ve really searched far and wide and cannot find any information regarding this that is suitable to me. I have a website with a login system and a MySQL database and what I’m trying to do here is send or retrieve things from logged-in users only through the website, but how would I go about doing that?
What I’ve tried so far:
Making a request using the username and password to the url every time I want to retrieve or send data. But my worry with that is that it might be too heavy on the server, having to check the username and password for every single small request sent to the website? If that isn’t the case then I’d gladly use that method but if anyone knows any better method, then please leave any suggestions that you might have that I’m able to integrate using Godot 4.2.1.
Thank you!
I’m making the assumption you are working with HTTP requests in this context.
Take a look at Session and Token Authentication. Google around, but there seems to be a pretty good write-up here.
I’m not sure of the extent to which Godot supports cookies (I’m also not super familiar with what a cookie actually is, but it seems to be important for session-based auth). Edit: Turns out cookies are just a header, so both methods are likely possible, though I don’t have experience with either in Godot.
Godot does support setting custom HTTP headers.
Ah I see, the link you sent did actually explain it pretty well. And yes I am working with HTTP requests, I forgot to mention that in the original post.
If cookies are passed through the header would it be possible to receive that header information from the initial login HTTP request and pass it on in the header to the next HTTP request that requires a session id? I’m not really sure if it’s as easy as it sounds but I could give it a try and see how it goes. Thanks for the suggestion!
Don’t worry, database systems are much more powerful than we first imagined, a query like that is very simple. If the number of requests you receive is a problem, I assure you that that will be the least of them.
A simple option to optimize your first attempt would be to create a table of active users: every time someone logs in for the first time you add them to that table and delete them from it when the session ends. You validate the rest of the requests against that table, and if once the first login is done you create a temporary password for that session, the better. We don’t want passwords stored here and there.
Makes sense, I actually wasn’t sure at all if those queries would be a problem but I suppose they aren’t now that you’ve mentioned it.
If I understood you correctly, instead of sending around requests using the actual password every time I make a request that requires authentication I should instead use a temporary session password from that active users table that expires.
So I did some messing around last night, out of my own curiosity to get a better understanding of how cookies / sessions work.
Yes, that is exactly what happens. Say for example you have a POST that is a login request: the response will have a header Set-Cookie that will contain information about the cookie and session id. Godot does not support cookies, but I went searching through GitHub and found the topic new issue and old issue.
The old issue has an example (pretty sure the code is Godot 3.x and it won’t be a perfect implementation in Godot 4.x) of how to parse that Set-Cookie value out and then you can save it how you would like. Then you should be able to just manually add the Cookie header back on future requests.
Correct, the first check is done against the main user table. Once the login is correct, you register that user in the active users table with a new random password, and from that moment on you forget about the main table and the original password.
If in the temporary users table the userid is an unsigned smallInt and indexed as unique, that query will fly.
You do not need to use its original identifier. You can create a new one and in another field relate it to the original, but you perform your SQL query with the new one.
Perfect, I get it now. It shouldn’t take long to implement this, it’s also a lot safer than sending the real password around all the time. Thanks for the help!
I tried working on this method but cookie handling seems to be a bit more difficult in Godot than I anticipated. I’m still going to look into it later though just out of curiosity but using an auth-key method works as well.
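The active-users table scheme discussed in this thread, sketched server-side as an added example that is not code from any poster. It assumes Python with in-memory SQLite standing in for the site's MySQL database; the table, column and function names and the one-hour lifetime are hypothetical.

```python
import hashlib, hmac, secrets, sqlite3, time

SESSION_TTL = 3600  # assumed session lifetime in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _tok_hash(token):
    # Only a hash of the session token is stored, so a leaked table
    # cannot be replayed as live sessions.
    return hashlib.sha256(token.encode()).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")  # stand-in for MySQL
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                            salt BLOB, pw BLOB);
        CREATE TABLE active_sessions (token_hash TEXT PRIMARY KEY,
                                      user_id INTEGER, expires REAL);
    """)
    return db

def register(db, name, password):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users (name, salt, pw) VALUES (?, ?, ?)",
               (name, salt, _pw_hash(password, salt)))

def login(db, name, password, now=None):
    """Check the real password once, then hand back a random token."""
    now = time.time() if now is None else now
    row = db.execute("SELECT id, salt, pw FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], _pw_hash(password, row[1])):
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO active_sessions VALUES (?, ?, ?)",
               (_tok_hash(token), row[0], now + SESSION_TTL))
    return token

def authenticate(db, token, now=None):
    """Every later request: one indexed lookup, no password involved."""
    now = time.time() if now is None else now
    db.execute("DELETE FROM active_sessions WHERE expires <= ?", (now,))
    row = db.execute("SELECT user_id FROM active_sessions WHERE token_hash = ?",
                     (_tok_hash(token),)).fetchone()
    return row[0] if row else None

def logout(db, token):
    db.execute("DELETE FROM active_sessions WHERE token_hash = ?",
               (_tok_hash(token),))
```

The game client keeps the token returned by `login` in memory and sends it in a custom HTTP header on each request, over HTTPS.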