Page 11 of 14
Results 101 to 110 of 132
  1. #101
    Player
    Waraji's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah
    Posts
    30
    Character
    Wara Ji
    World
    Hyperion
    Main Class
    Marauder Lv 50
    The point that he is trying to get across is that the Session IDs don't expire, and can be reused indefinitely. A simple "fix" would be to expire the Session IDs upon logout/dc.
    (3)

  2. #102
    Player NeruMew's Avatar
    Join Date
    Sep 2013
    Location
    Ul'dah
    Posts
    393
    Character
    Neru Silverlight
    World
    Balmung
    Main Class
    Thaumaturge Lv 60
    Quote Originally Posted by Bufkus View Post
    Why do you expect SE to fix something that would be purely your fault? (i.e. if you have a virus on your system)

    The authenticator prevents hacking that isn't your fault (hackers getting your passwords from website databases for instance).
    To improve the quality of service and security of their systems? Gee Idk... Why would we ever want to move forward and become better? OH MY!

    Because it's ridiculous that old sessions don't expire, not in any decent amount of time (and it should be upon disconnection).
    (0)

  3. #103
    Player
    KisaiTenshi's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    2,775
    Character
    Kisa Kisa
    World
    Excalibur
    Main Class
    White Mage Lv 100
    Quote Originally Posted by DragonFlyy View Post
    It does work. Had to do this to bypass the launcher on Linux awhile back, before I could get Wine to open the actual launcher. Opened up the game on windows and got the SID. Then passed it to the linux machine and logged in just fine.
    I wanted to call BS on this, but seems relaunching immediately lets this work. So to extend this theory, I launched it with a new session ID from the launcher and then launched the old session ID at the same time... Error 3102 if I try to select the character that is logged in. However it lets me login to any other character.

    Welp, guess we just figured out how the spammers are able to assault the servers so quickly. Maybe SE can leverage that fact and add "expire all sessions on logout"
    (0)
    Last edited by KisaiTenshi; 10-12-2013 at 12:15 AM.

  4. #104
    Player
    Twiddle's Avatar
    Join Date
    Mar 2011
    Location
    Ul'dah
    Posts
    354
    Character
    Amelia Inverse
    World
    Excalibur
    Main Class
    Blacksmith Lv 60
    Hey OP guess what.... tried to duplicate your test, it don't work. The session ID expires as soon as I logged out. Neither me nor a friend of mine who is an IT/Programmer were able to reuse it. As the message was given that that session ID is no longer active. As well he tried it while I was logged in to test your second claim. Again the message was given that the ID is currently in use and that he DOES NOT have the rights to use it, let alone log in while I play. Only thing you prove in your OP is that you happily give out your account info despite it being a bad idea. If you have taken the time to set up your PC security, and SE account security, if anyone who is not on your PC tries to log in... your account should get locked until you unlock it.
    (2)

  5. #105
    Player
    KisaiTenshi's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    2,775
    Character
    Kisa Kisa
    World
    Excalibur
    Main Class
    White Mage Lv 100
    Quote Originally Posted by Twiddle View Post
    Hey OP guess what.... tried to duplicate your test, it don't work. The session ID expires as soon as I logged out. Neither me nor a friend of mine who is an IT/Programmer were able to reuse it. As the message was given that that session ID is no longer active.
    See that's what happened when I originally tried and the basis for my earlier comment about it not working. I even recorded video of it and was like "the f...."

    This begs the question... Is it against the ToS to multiclient/multibox from the same account?
    (0)

  6. #106
    Player
    Susanoh's Avatar
    Join Date
    Oct 2013
    Posts
    142
    Character
    Cain Villiers
    World
    Hyperion
    Main Class
    Armorer Lv 50
    Quote Originally Posted by Bufkus View Post
    Why do you expect SE to fix something that would be purely your fault? (i.e. if you have a virus on your system)

    The authenticator prevents hacking that isn't your fault (hackers getting your passwords from website databases for instance).
    If the authenticator was a strong measure of security, it would aid in preventing both. People would expect SE to fix this issue because they expect their security measures to be kept up to par. If you can fault the user for accidentally getting a virus, then you can certainly fault SE for providing sloppy security options, considering they should have people who are hired to know what they are doing.
    (0)

  7. #107
    Player
    Bufkus's Avatar
    Join Date
    Aug 2013
    Posts
    305
    Character
    Hermennes Cletrindale
    World
    Leviathan
    Main Class
    Lancer Lv 15
    Quote Originally Posted by NeruMew View Post
    To improve the quality of service and security of their systems? Gee Idk... Why would we ever want to move forward and become better? OH MY!

    Because it's ridiculous that old sessions don't expire, not in any decent amount of time (and it should be upon disconnection).
    Doesn't matter, because you're not going to be compromised unless you were already compromised.

    The point that he is trying to get across is that the Session IDs don't expire, and can be reused indefinitely. A simple "fix" would be to expire the Session IDs upon logout/dc.
    And my point is that it doesn't matter.

    If the authenticator was a strong measure of security, it would aid in preventing both. People would expect SE to fix this issue because they expect their security measures to be kept up to par. If you can fault the user for accidentally getting a virus, then you can certainly fault SE for providing sloppy security options, considering they should have people who are hired to know what they are doing.
    Is this some kind of joke?
    (0)
    Last edited by Bufkus; 10-12-2013 at 12:33 AM.

  8. #108
    Player
    Susanoh's Avatar
    Join Date
    Oct 2013
    Posts
    142
    Character
    Cain Villiers
    World
    Hyperion
    Main Class
    Armorer Lv 50
    Quote Originally Posted by Bufkus View Post
    Is this some kind of joke?
    I'm not quite sure why you find the thought of SE providing tight security options on their end to be a joke, but no, it is not.
    (1)

  9. #109
    Player NeruMew's Avatar
    Join Date
    Sep 2013
    Location
    Ul'dah
    Posts
    393
    Character
    Neru Silverlight
    World
    Balmung
    Main Class
    Thaumaturge Lv 60
    Ok I want to make a pause here, we are all speculating ourselves since we can't really prove what is happening, some say this is possible to re-use some others say it's not. Other people are bringing up to light the issue about logging in multiple times on the same account, which is another matter of great importance.

    And for those who say, if you got infected it's your fault, please if you're not going to add anything productive just stand back and keep it to yourself, a lot of people don't know how to protect themselves or what security preventive measures to adopt, and on top of that, you are always vulnerable, it's just that by keeping some basic measures you can reduce the risk chances a lot. Anyway, please if you do know so much, enlighten the others with your knowledge.

    And again, it doesn't matter if the user got infected by their own doing, it still doesn't justify SE not doing what they can to prevent and help all these situations. After all it's their service and their business, if they don't help taking care of their customers, there wouldn't be much of a service anymore. SE should implement every reasonable security measure they can in order to make this a more secure environment.
    (0)

  10. #110
    Player
    Daragust's Avatar
    Join Date
    Sep 2013
    Location
    Gridania
    Posts
    94
    Character
    Daragust Skylles
    World
    Hyperion
    Main Class
    Gladiator Lv 50
    Quote Originally Posted by Issac View Post
    Yep, this is dead on and by far the easiest. Make the SID valid only for the IP it was granted to. Anything else is just plain retarded. Encrypt it as well for good measure.

    Basic security 101. ><
    I'd rather see them invalidate the Session ID after a successful logout. They would burn through more sessions but since IPs can be spoofed and the hack would be originating from the machine where the virus is, thus the IP can be logged, it would be a more secure option.
    (1)
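
The server-side behaviour several posts above ask for (expire the session ID on logout/disconnect, optionally tie it to the IP it was granted to), sketched as an added example that is not part of any post and is not Square Enix's code. The class and method names are hypothetical; the idle timeout and the one-session-per-account rule are assumptions.

```python
import secrets
import time


class SessionStore:
    """Hypothetical in-memory session table kept by the login server."""

    def __init__(self, idle_ttl=900, clock=time.monotonic):
        self._sessions = {}    # sid -> {"account", "ip", "last_seen"}
        self._by_account = {}  # account -> currently valid sid
        self.idle_ttl = idle_ttl
        self._clock = clock

    def login(self, account, ip):
        # A fresh login revokes the account's previous SID, so an old
        # SID cannot be used alongside the new one.
        old = self._by_account.pop(account, None)
        self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)  # unguessable, random per login
        self._sessions[sid] = {"account": account, "ip": ip,
                               "last_seen": self._clock()}
        self._by_account[account] = sid
        return sid

    def logout(self, sid):
        # Call on explicit logout AND on disconnect: the SID is deleted
        # server-side, so a copied SID is worthless afterwards.
        rec = self._sessions.pop(sid, None)
        if rec is not None:
            self._by_account.pop(rec["account"], None)

    def validate(self, sid, ip):
        rec = self._sessions.get(sid)
        if rec is None:
            return None                      # unknown or already revoked
        now = self._clock()
        if now - rec["last_seen"] > self.idle_ttl:
            self.logout(sid)                 # idle too long: expire it
            return None
        if rec["ip"] != ip:
            return None                      # secondary check only
        rec["last_seen"] = now
        return rec["account"]
```

The IP comparison is kept as a secondary check because, as the last post notes, a replay from the infected machine itself arrives from the same address; the revocation in `logout` and `login` is what makes a copied SID stop working.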
