Passwords with special characters break login process

My password has a question mark in it. When trying to log in, it says incorrect username or password. I checked the file most of your replies say to refer to, and it looks like the question mark is being removed from the request.

I’m not sure what other characters would break this, but I’m going to assume you’re not URL-encoding your password strings, so characters like %, &, and \ are also going to be affected.

I’m also concerned that you’re sending these login requests using our unencrypted passwords (as I see the request URL with my plaintext password as a parameter in the output_log.txt file).


Relevant output:

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

OTHER ACCOUNT LINK ERROR

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

LINKING ACCOUNT TO STORE ID

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

Got back account link response

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

404 Not Found

(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/DebugBindings.gen.cpp Line: 51)

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /linkaccounttostore/<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data cfemail="7002051212111a1515000a30171d11191c5e131f1d">[email&#160;protected]</a>/MYPASSWITHOUTQMARK</pre>
<script data-cfasync="false" src="/cdn-cgi/scripts/af2821b0/cloudflare-static/email-decode.min.js"></script>
</body>
</html>
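The truncated path in the 404 body above can be reproduced offline. This is an added example, not code from the game or its developer: the host `game.example`, the sample e-mail address and the sample passwords are constructed, and Python's `urllib.parse` stands in for whatever URL parser the real server uses. It compares raw concatenation with per-segment percent-encoding and shows a redacted form of the URL suitable for a log.

```python
from urllib.parse import quote, unquote, urlsplit

BASE = "https://game.example"   # hypothetical host; the real one is not shown on the page
ROUTE = "linkaccounttostore"    # route name as it appears in the 404 body
SAMPLES = ["secret?", "pa?ss", "%41bc", "a#b", "a/b"]  # constructed passwords


def build_naive(email, password):
    """Raw concatenation: reserved characters keep their URL meaning."""
    return f"{BASE}/{ROUTE}/{email}/{password}"


def build_encoded(email, password):
    """Percent-encode each segment; safe='' also encodes '/'."""
    return f"{BASE}/{ROUTE}/{quote(email, safe='')}/{quote(password, safe='')}"


def password_seen_by_server(url):
    """Last path segment after splitting off ?query and #fragment, then decoding."""
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1])


def redact_for_log(url):
    """Form of the URL that is safe to write to a client or server log."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    segments[-1] = "<redacted>"            # credential segment never reaches the log
    return f"{parts.scheme}://{parts.netloc}{'/'.join(segments)}"  # query/fragment dropped


if __name__ == "__main__":
    email = "player@example.com"           # constructed address
    for pw in SAMPLES:
        naive = password_seen_by_server(build_naive(email, pw))
        fixed = password_seen_by_server(build_encoded(email, pw))
        print(f"{pw!r:10} naive -> {naive!r:10} encoded -> {fixed!r}")
    print(redact_for_log(build_encoded(email, "pa?ss")))
```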

I am 100% sure that at the minimum HTTPS is used to send the password. So the password should be secure. Unless my lack of knowledge pokes a hole in this thought.

Okay you might be right here :confused:

Or not. IDK if you are talking about the login from the browser/website (or the game) and if the server is using ‘server logs’.

Thanks for pointing that out. I will get a fix out in a moment here to hopefully help with that.

Regarding the password security, I will definitely remove it from the output log like that, it was a debug message that just got left in on accident.

Sending it via SSL is perfectly secure, the only thing that StackOverflow post contemplates is that if you send it that way you might end up having it stored in a browser’s cache or history file, but that would not be relevant here. SSL encrypts the URL and parameters before submitting the request to the server. However, it is not secure to be logging the password to the output log like that, and as I said I will get that removed.

The good news is that you only log in once, and the output log is overwritten each time the application starts, so other than the issue at hand there shouldn’t be a lingering problem.

Yeah, I’m willing to admit I don’t know too much about data transmission security. Just figured I’d point it out. Seeing your passwords as plaintext always gives you a weird feeling.

The major point was the special characters, but I was able to do a password reset to band-aid the issue for now.

Thanks for the quick response. Game looks great so far!
