Security Tokens/Authenticators are useless; SE needs to fix this immediately.

[Claire_Farron]

In this thread people who can't potato.

[Jess72]

What I don't understand is this part..

I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password.

How exactly did his friend log into the account without account name and password?

[Ticktick]

What I don't understand is this part..

I was able to give only an old, supposed to be expired, session ID to a friend and they were able to log into my account and characters from an entirely different location in the world. I did not provide an account name, password, or one time password.

How exactly did his friend log into the account without account name and password?

the session id is tied to the account, so if you have the session ID, it thinks you're the other person.

[Cienna]

What I don't understand is this part..

How exactly did his friend log into the account without account name & password?

Using the session ID & the command line, you login without the launcher, thus no password, account name or token needed- just the session ID.
http://forum.square-enix.com/ffxiv/t...=1#post1390622

That is where the session ID comes into play. The launcher invokes the game client by executing ffxiv.exe with extra command line parameters. It appends DEV.TestSID=xxxx, where xxx is the session ID, to the launch command. Here is the issue with that. That session ID is now plainly visible with any basic process inspector such as Microsoft's Process Explorer. This means it is incredibly easy for any virus that is on the computer to obtain the information. This also means it is possible to bypass the launcher to load the game client by just repeating the same command at the command line.

[Soukyuu]

An interesting thing I noticed since the latest patch is that now I am getting a 90k error followed by "authentification failed" one, forcing me to close the client. I seem to not be the only one, see discussion thread here.

The reason why I'm posting here is, does anyone think they might have implemented a session ID timeout but it's not working as intended? The timespan between those kicks seems to be around 4 hours for me. Maybe the session expires despite having a valid connection?

[illriginalized]

SE you need to fix this. This is a freaking security hole.

[Devourn]

Yeah, good luck with getting an official support response. All I ever see are Forum Moderators apologizing for their ineptitude.

[Valkyrie_Lenneth]

Yeah, good luck with getting an official support response. All I ever see are Forum Moderators apologizing for their ineptitude.

This is 8 years old.

[Hiragawa]

Yeah, good luck with getting an official support response. All I ever see are Forum Moderators apologizing for their ineptitude.

Oh... oh that brings me great amusement when bumping a thread from 2013. Thanks for the chuckle.