Login

From wowdev
Revision as of 01:30, 17 May 2021 by Deadbeef (talk | contribs) (Add link to packets category)

Before a client can join a server and select a character, it has to log in through the login server and set up a session key. This session key is used later to secure (in a very weak way) the messages between the world server and the client. Authentication uses the SRP protocol.

Login message exchange:

  1. Client asks for a login challenge by sending its build number and account name
  2. Server sends SRP authentication data
  3. Client sends SRP proof
  4. Server accepts this proof and sends its own, or rejects it and closes the connection

Once the client has been accepted by the server, it can send reconnect challenges to stay connected with the same session key.

  1. Client asks for a reconnection challenge with the same data as login challenge
  2. Server sends a reconnection challenge (16 random bytes)
  3. Client sends proof data with its own client proof
  4. Server accepts or rejects this proof

To check the client proof, the server computes the SHA1 hash of the concatenation of: the account name, the proof data received, the reconnection challenge and the session key. The client proof received is valid only if it matches this hash.
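A server-side sketch of the reconnect check described above, as an added example rather than code from the wiki or from any server project. The function names, the byte-string inputs and the sample values are assumptions; the page does not specify field encodings or the session key length.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # the page specifies 16 random bytes


def new_reconnect_challenge() -> bytes:
    """Fresh challenge from the OS CSPRNG; issue a new one per reconnect."""
    return os.urandom(CHALLENGE_LEN)


def reconnect_proof(account: bytes, proof_data: bytes,
                    challenge: bytes, session_key: bytes) -> bytes:
    """SHA1(account name || proof data || reconnection challenge || session key)."""
    h = hashlib.sha1()
    # Fields are concatenated with no separators or length prefixes.
    for part in (account, proof_data, challenge, session_key):
        h.update(part)
    return h.digest()


def verify_reconnect(account: bytes, proof_data: bytes, challenge: bytes,
                     session_key: bytes, client_proof: bytes) -> bool:
    """Server check: recompute the hash and compare it to the client proof."""
    # Refuse to verify against a malformed challenge or a missing session.
    if len(challenge) != CHALLENGE_LEN or not session_key:
        return False
    expected = reconnect_proof(account, proof_data, challenge, session_key)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, client_proof)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real capture.
    account = b"PLAYER"
    session_key = bytes(range(40))   # assumed length, for illustration
    proof_data = bytes(range(16))    # client-chosen data (assumed length)

    challenge = new_reconnect_challenge()
    client_proof = reconnect_proof(account, proof_data, challenge, session_key)
    print("valid proof accepted:",
          verify_reconnect(account, proof_data, challenge, session_key, client_proof))

    # A proof captured for one challenge fails against the next challenge.
    print("replayed proof accepted:",
          verify_reconnect(account, proof_data, new_reconnect_challenge(),
                           session_key, client_proof))
```

Because the server's challenge is an input to the hash, the check only resists replay if each reconnect attempt gets a fresh challenge and the server verifies against the one it issued for that connection.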

It's worth noting that, for build 4125, the client automatically disconnects after a successful login challenge and proof exchange and sends a reconnect packet right away instead of asking for the realm list.

External resources about SRP and how to implement it: