I have created a matchmaking service for a 3vs3 UDK game. The teams are formed with a C# Web Api 2 backend, which communicate with UnrealScript's HttpRequestInterface.
When a team is formed, its players are brought into a lobby where they can chat, choose a character and ready up. These communications are achieved with .NET's TcpListener and TcpClient, and UnrealScript talks to the TCP server using its TcpLink class.
I am now having problem concerning both authentication and authorization. I am having problems figuring out how to identify users securely (their credentials are stored in a MySQL database), as UnrealScript TcpLink can not use an SSL stream. Let's suppose the players authenticate through the webservice first, how can I maintain (and keep secure) their identification on that TCP server?
Are there any candidates for that job? (HMAC, token based? Keep in mind that it's extremely low level TCP). If there's none, maybe I could try long polling HTTP instead of TCP sockets? Or should I just scrap the UnrealScript frontend entirely and replace it with a Dll using UnrealScript's DllBind?
I should probably also say that I tried to exercise myself at securing just the webservice, without much success after a lot of research and a lot of trial and error, so any information on that is welcome.