Hi,

I am creating a website that allows users to log in to their gameserver remotely and send / receive commands. The connection happens via a UDP socket and requires simply the IP of the gameserver and a password.

On my website, users can add servers to their accounts, where the server IP and password are stored in a database. Then they can connect to any of their servers, which creates a new Socket object and connects to it using the IP and password of that server.

This Socket object, embedded in an object that also stores the server IP and password, is stored in a Session variable when the user connects, and is retrieved on every page. For example, there's a page where the user can view a list of the players on the server (and kick/ban them), a page with server settings, a page with messages, etc. All these pages require the Socket connection to get their information (they send a certain command and parse the response).

When I need to send a command via the socket, I need to send the password of the server each time (otherwise it does not work).


My question now is: how secure is this? The password of a server is sensitive information*, but I am storing it in a session variable and sending it (using the Send command of the Socket object) to the server.

Could the password possibly be intercepted by someone? I think the Session variable is stored in memory on the server, so I don't think so, but I'm really unsure about these kinds of things and I'd like to be certain that my website is secure. Well, I think it will never be 100% secure, but I want it to be at least not worth the effort for someone to hack the password. If it takes a lot of trouble then people wouldn't bother, but I don't want to find out that people's passwords are being thrown out on the street (so to speak) and that my website is completely insecure...


Thanks for any info!

* It is not extremely bad if someone were to get hold of it; one can simply reinstall their server to reset the password and no harm done, but I would still like to avoid 'hackers' getting the passwords.
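An added example (not code from the poster's site) of how the stored gameserver password can be kept encrypted in the database and decrypted only at the moment a command is sent, so the web session holds just the server's row id rather than the secret. It is written in Go because the poster's stack is not named; the names Vault and StoredServer and the sample address are assumptions, and the key is assumed to come from an environment variable or key store rather than the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredServer is the database row: the gameserver address and its password
// encrypted under a key that lives only on the web server, never in the DB.
type StoredServer struct {
	Addr       string
	Ciphertext []byte // nonce || AES-GCM output; Addr is bound as associated data
}
// Vault wraps the server-side key (16, 24 or 32 bytes, e.g. from an env var).
type Vault struct{ aead cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead}, err
}

// Seal encrypts the password for storage, bound to addr so that a ciphertext
// copied onto another server's row will not decrypt.
func (v *Vault) Seal(addr, password string) (StoredServer, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per row
	if _, err := rand.Read(nonce); err != nil {
		return StoredServer{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(password), []byte(addr))
	return StoredServer{Addr: addr, Ciphertext: ct}, nil
}

// Open recovers the password only at the moment a command is sent; the web
// session then needs to hold just the row id, not the plaintext.
func (v *Vault) Open(s StoredServer) (string, error) {
	n := v.aead.NonceSize()
	if len(s.Ciphertext) < n {
		return "", errors.New("stored ciphertext too short")
	}
	pt, err := v.aead.Open(nil, s.Ciphertext[:n], s.Ciphertext[n:], []byte(s.Addr))
	if err != nil {
		return "", err // wrong key, tampered row or address mismatch
	}
	return string(pt), nil
}
```

If the key is ever rotated, rows must be re-sealed; the database alone (without the key) reveals only ciphertext.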