The point that he is trying to get across is that the Session ID's don't expire, and can be reused indefinitely. A simple "fix" would be to expire the Session ID's upon logout/dc.
To improve the quality of service and security of their systems? Gee Idk... Why would we ever want to move forward and become better? OH MY!
Because it's ridiculous that old sessions don't expire, not in any decent amount of time (and it should be upon disconnection).
I wanted to call BS on this, but seems relaunching immediately lets this work. So to extend this theory, I launched it with a new session ID from the launcher and then launched the old session ID at the same time... Error 3102 if I try to select the character that is logged in. However it lets me login to any other character.
Welp, guess we just figured out how the spammers are able to assault the servers so quickly. Maybe SE can leverage that fact and add "expire all sessions on logout"
Hey OP guess what.... tried to duplicate your test, it doesn't work. The session ID expires as soon as I logged out. Neither me nor a friend of mine who is an IT/Programmer were able to reuse it. As the message was given that that session ID is no longer active. As well he tried it while I was logged in to test your second claim. Again the message was given that the ID is currently in use and that he DOES NOT have the rights to use it, let alone log in while I play. Only thing you prove in your OP is that you happily give out your account info despite it being a bad idea. If you have taken the time to set up your PC security, and SE account security, if anyone who is not on your PC tries to log in... your account should get locked until you unlock it.
If the authenticator was a strong measure of security, it would aid in preventing both. People would expect SE to fix this issue because they expect their security measures to be kept up to par. If you can fault the user for accidentally getting a virus, then you can certainly fault SE for providing sloppy security options, considering they should have people who are hired to know what they are doing.
Doesn't matter, because you're not going to be compromised unless you were already compromised.
And my point is that it doesn't matter.
Quote:
The point that he is trying to get across is that the Session ID's don't expire, and can be reused indefinitely. A simple "fix" would be to expire the Session ID's upon logout/dc.
Is this some kind of joke?
Quote:
If the authenticator was a strong measure of security, it would aid in preventing both. People would expect SE to fix this issue because they expect their security measures to be kept up to par. If you can fault the user for accidentally getting a virus, then you can certainly fault SE for providing sloppy security options, considering they should have people who are hired to know what they are doing.
Ok I want to make a pause here, we are all speculating ourselves since we can't really prove what is happening, some say this is possible to re-use some others say it's not. Other people are bringing up to light the issue about logging in multiple times on the same account, which is another matter of great importance.
And for those who say, if you got infected it's your fault, please if you're not going to add anything productive just stand back and keep it to yourself, a lot of people don't know how to protect themselves or what security preventive measures to adopt, and on top of that, you are always vulnerable, it's just that by keeping some basic measures you can reduce the risk chances a lot. Anyway, please if you do know so much, enlighten the others with your knowledge.
And again, it doesn't matter if the user got infected by their own doing, it still doesn't justify SE not doing what they can to prevent and help all these situations. After all it's their service and their business, if they don't help taking care of their customers, there wouldn't be much of a service anymore. SE should implement every reasonable security measure they can in order to make this a more secure environment.
I'd rather see them invalidate the Session ID after a successful logout. They would burn through more sessions but since IPs can be spoofed and the hack would be originating from the machine where the virus is, thus the IP can be logged, it would be a more secure option.
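The fix several posts propose (expire the session ID on logout/disconnect), shown as an added example that is not part of the thread and not SE's code: a minimal server-side session table in Python that also revokes older sessions when the same account logs in again. The class name, timeout values and account names are assumptions for illustration.

```python
import secrets
import time


class SessionStore:
    """Server-side session table: a token is valid only while its row exists."""

    def __init__(self, idle_ttl=900, absolute_ttl=8 * 3600, clock=time.monotonic):
        self.idle_ttl = idle_ttl          # allowed inactivity in seconds (assumed value)
        self.absolute_ttl = absolute_ttl  # hard cap on session lifetime (assumed value)
        self.clock = clock                # injectable so expiry can be tested
        self._sessions = {}               # token -> {"account", "created", "last_seen"}

    def login(self, account):
        # Revoke any session the account already holds, so an old ID
        # cannot be used alongside the new one.
        self.revoke_account(account)
        token = secrets.token_urlsafe(32)  # unguessable, never derived from user data
        now = self.clock()
        self._sessions[token] = {"account": account, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the account for a live token, or None; expired rows are deleted."""
        row = self._sessions.get(token)
        if row is None:
            return None
        now = self.clock()
        idle = now - row["last_seen"]
        age = now - row["created"]
        if idle > self.idle_ttl or age > self.absolute_ttl:
            del self._sessions[token]
            return None
        row["last_seen"] = now
        return row["account"]

    def logout(self, token):
        # Logout or disconnect deletes the row; replaying the ID afterwards fails.
        return self._sessions.pop(token, None) is not None

    def revoke_account(self, account):
        stale = [t for t, r in self._sessions.items() if r["account"] == account]
        for t in stale:
            del self._sessions[t]
        return len(stale)
```

Because validity lives only in the server's table, a session ID copied off an infected machine stops working at the next logout, re-login or timeout, whichever comes first.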