World Auth?


I understand how the client is authenticated using SRP by the Realm/Auth server.

Could anyone explain briefly how the world server authenticates the client?

I’m having a little trouble understanding the code, but it looks like the relevant method is WorldSocket::HandleAuthSession(). Specifically, it’s checking that the key and account name are the same on both client and server using a ‘seed value’ supplied by the client. Not sure what this is?

Any help is really appreciated!



Google: “SRP6”


I’ve read the SRP6 documentation and also been in contact previously with the author of the protocol.

I don’t think the world server is using the SRP6 protocol; this is done by the authentication server. I can’t see exactly what the world server is doing to validate clients, but it isn’t part of the SRP6 protocol as far as I can tell. It seems to be sending a ‘seed’ value of some sort, and then receives a ‘seed’ back from the client, after which it hashes the seeds and the symmetric key?

Does anyone have any ideas? :)

Only the auth server handles the login process. The world server has to assume that the logged-in client is valid.

Anyways, you can’t log in with an invalid session. The session key that is generated in the SRP6 auth process is used by the world server to encrypt the packets, so if you don’t have the original one (aka your client successfully passed authentication and generated the same key as the server) you can’t do anything :)

That’s a good point, thanks.

After a little more digging, it looks like both the client and world server are calculating a hash of a random client seed, a random server seed and the session key. The server seems to check that the client’s hash is the same as its own, and then proceeds.

Thanks again :)
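The check described in the last post, as an added example (not code from this thread or from any emulator project): both sides hash the account name, the two seeds and the SRP6 session key K, and the server compares the client's digest against its own in constant time. The exact byte layout (a zero uint32 between the account name and the seeds, little-endian seeds, a 40-byte K) follows my recollection of TrinityCore's WorldSocket::HandleAuthSession and should be treated as an assumption; all sample values are constructed.

```python
import hashlib
import hmac
import struct


def world_auth_proof(account: str, client_seed: int, server_seed: int, session_key: bytes) -> bytes:
    """Digest both the client and the world server compute:
    SHA1(account || uint32(0) || client_seed || server_seed || K).
    Layout is an assumption based on TrinityCore's HandleAuthSession."""
    h = hashlib.sha1()
    h.update(account.encode("ascii"))       # account name as stored in the realm DB
    h.update(struct.pack("<I", 0))          # fixed zero dword
    h.update(struct.pack("<I", client_seed))  # random per connection, chosen by client
    h.update(struct.pack("<I", server_seed))  # random per connection, sent in the challenge
    h.update(session_key)                   # 40-byte K from the SRP6 login, via the DB
    return h.digest()


def server_verifies(account: str, client_seed: int, server_seed: int,
                    session_key_from_db: bytes, client_digest: bytes) -> bool:
    """World server side: recompute the digest with the K it reads from the
    realm database and compare without leaking timing information."""
    expected = world_auth_proof(account, client_seed, server_seed, session_key_from_db)
    return hmac.compare_digest(expected, client_digest)


def simulate_handshake(client_has_real_key: bool) -> bool:
    """Constructed handshake: the server accepts only when the client derived the
    same K as the auth server did during SRP6; the seeds tie the proof to this
    connection so a captured digest cannot be replayed later."""
    account = "PLAYER"                       # constructed
    server_seed = 0x1234ABCD                 # constructed, would be random
    client_seed = 0x0BADF00D                 # constructed, would be random
    k_server = bytes(range(40))              # constructed 40-byte K held by the realm DB
    k_client = k_server if client_has_real_key else bytes(40)  # wrong key if SRP6 failed
    proof = world_auth_proof(account, client_seed, server_seed, k_client)
    return server_verifies(account, client_seed, server_seed, k_server, proof)


if __name__ == "__main__":
    print("valid session accepted:", simulate_handshake(True))    # True
    print("bogus session accepted:", simulate_handshake(False))   # False
```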