Automatic login (remember me functionality)

If you are developing a game using GameMaker Server, you are to never store or transmit user passwords (or hashes, or encoded variations). Not remotely, nor locally. Any violation of this will get your game banned.

If you want to add an automatic login (or "remember me") feature to your game, don't store the users' password somewhere! Instead, you can use authentication tokens. Authentication tokens are like one-time passwords that will only work in a single game. The token cannot be used to log in to the site, or change the password or mail address associated to the account. Using a token also means that someone's real password cannot be stolen by copying the file.

The server will always send an authentication token after logging in. You can intercept this token by setting a script:

gms_script_set_authentication_token_received(on_authentication_token)


In the on_authentication_token script, you can save the authentication token in any way you want. NOTE: Do not save it to the GameINI or a Binary Data Blob. Anyone can access those! For example, to save the token to a local INI file:

///on_authentication_token

ini_open("saved_login.ini")
ini_write_string("Data", "user"gms_self_name())
ini_write_string("Data", "token", argument0)
ini_close()


Now, before logging in you should try to log the player in using the authentication token. You can do this by calling gms_login_set_token instead of gms_login_set_password. If you used the example to save to a local INI file above, the login check would look something like this:

// Automatic login

ini_open("saved_login.ini")
show_login = false
if ini_key_exists("Data", "user")
{
    gms_login_set_username(ini_read_string("Data", "user", ""))
    gms_login_set_token(ini_read_string("Data", "token", ""))
    gms_login_execute(on_token_login)
} else {
    // Show normal login window

}
ini_close()
// In script 'on_token_login'

switch argument0
{
    case e_ok:
        room_goto_next();
        break;
    default:
        // Show normal login window

        break;
}


Essentially, we're just executing a login, and if it fails we ignore the error and show the login window. Note that the login might take a bit of time to process. You'll need to wait with showing the login window until on_token_login is called!

Replies (6)

Last message on 4 Apr 2020

PainiteOfficial on 27 Mar 2020, 13:43:33
I know it's a stupid question but where exactly do i have to write gms_script_set_authentication_token_received(on_authentication_token)?
First time i login it works well but the second time it just doesn't show the game room or the login screen.
Any help?? I checked the saved ini file and it looks to be ok, the token is stored there.
Size43 (Administrator) on 4 Apr 2020, 15:53:31
If the ini file has a token stored, you likely already have gms_script_set_authentication_token_received in the right place.

It's more likely something is going wrong when logging in using the token. Can you post the code you're using for that?
Forgeio on 2 Aug 2019, 23:13:28
Hey Size, I just wanted to let you know that the game Squire's Story Online saves passwords locally to an ini file. I'm not sure if that's what you meant by storing passwords locally, but I wanted to let you know in case it was a privacy violation, and so you could tell hatonacat to convert the system to authentication tokens if it was a violation.
Size43 (Administrator) on 10 Aug 2019, 22:02:45
Thanks for letting me know.

The game was released way before I added this feature, and it doesn't seem like it's actively developed anymore. If hatonacat starts working on the game again at some point, I'll contact him to ask him to change it over to the new system.
Cromemadnd on 23 Jan 2019, 09:27:28
...Why I use this in my game,it only worked for one time?
Size43 (Administrator) on 27 Jan 2019, 15:10:38
You get a new authentication token each time you use one, so you'll need to keep saving the new tokens that you receive.