func handleLoginLogin(loginConfig *loginConfigDef, res http.ResponseWriter, req *http.Request, userName string, password string) { var loginData loginDataDef var gkErr *gkerr.GkErrDef var gotError bool loginData.Title = "login" loginData.UserName = userName loginData.LoginWebAddressPrefix = loginConfig.LoginWebAddressPrefix if loginData.UserName == "" { loginData.ErrorList = append(loginData.ErrorList, "invalid user name") loginData.UserNameError = genErrorMarker() gotError = true } if password == "" { loginData.ErrorList = append(loginData.ErrorList, "invalid password") loginData.PasswordError = genErrorMarker() gotError = true } var passwordHashFromUser []byte var dbUser *database.DbUserDef var gkDbCon *database.GkDbConDef if !gotError { gkDbCon, gkErr = database.NewGkDbCon(loginConfig.DatabaseUserName, loginConfig.DatabasePassword, loginConfig.DatabaseHost, loginConfig.DatabasePort, loginConfig.DatabaseDatabase) if gkErr != nil { gklog.LogGkErr("database.NewGkDbCon", gkErr) redirectToError("database.NewGkDbCon", res, req) return } defer gkDbCon.Close() dbUser, gkErr = gkDbCon.GetUser(loginData.UserName) if gkErr != nil { if gkErr.GetErrorId() == database.ERROR_ID_NO_ROWS_FOUND { var passwordSalt string password = "******" passwordSalt = "abc123QWE." // make it take the same amount of time // between no user and invalid password passwordHashFromUser = sec.GenPasswordHashSlow([]byte(password), []byte(passwordSalt)) loginData.ErrorList = append(loginData.ErrorList, "invalid username/password") loginData.UserNameError = genErrorMarker() loginData.PasswordError = genErrorMarker() gotError = true } else { gklog.LogGkErr("gkDbCon.GetPasswordHashAndSalt", gkErr) redirectToError("gkDbCon.GetPasswordhashAndSalt", res, req) return } } } if !gotError { passwordHashFromUser = sec.GenPasswordHashSlow([]byte(password), []byte(dbUser.PasswordSalt)) gklog.LogTrace(fmt.Sprintf("dbUser: %v fromUser: %s", dbUser, passwordHashFromUser)) if dbUser.PasswordHash != string(passwordHashFromUser) { loginData.ErrorList = append(loginData.ErrorList, "invalid username/password") loginData.UserNameError = genErrorMarker() loginData.PasswordError = genErrorMarker() gotError = true } } if gotError { // for security, to slow down an attack that is guessing passwords, // sleep between 100 and 190 milliseconds time.Sleep(sec.GetSleepDurationPasswordInvalid()) gkErr = _loginTemplate.Build(loginData) if gkErr != nil { gklog.LogGkErr("_loginTemplate.Build", gkErr) redirectToError("_loginTemplate.Build", res, req) return } gkErr = _loginTemplate.Send(res, req) if gkErr != nil { gklog.LogGkErr("_loginTemplate.Send", gkErr) return } } else { gkErr = gkDbCon.UpdateUserLoginDate(dbUser.UserName) if gkErr != nil { // this error is going to be logged // but the user is not going to be redirected to an error // because they are going to be redirected to the game server // and it is not critical that their login date be updated. gklog.LogGkErr("_loginTemplate.Send", gkErr) } var gameRedirect string gameRedirect, gkErr = getGameRedirect(loginConfig, loginData.UserName) if gkErr != nil { gklog.LogGkErr("getGameRedirect", gkErr) return } http.Redirect(res, req, gameRedirect, http.StatusFound) } }