  1. #11
    Silverwalk (Player)
    Quote, originally posted by Ladon:
    Because session IDs are 32 hex digit GUIDs with 2^128 possible combinations. Good luck finding an active one especially since the server isn't going to let you check them at any kind of reasonable rate.
    It's highly likely it only uses a subset of all possible combinations; it may be a hash function instead of a truly random number.

    In which case, looking at valid session IDs and trying around those numbers makes it much more likely to find a "hit".

    Also consider that there may be no maximum attempts like a password system, allowing a hacker to try hundreds of possible session IDs a second.

    This is much like finding a wireless encryption key.

    Why did they remove the IP lock used in version 1.0? Any time your IP changed you had to change your password to unlock your account.
    Last edited by Silverwalk; 10-08-2013 at 11:38 PM.
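
The two server-side properties debated in this exchange, shown as an added example that is not part of the thread and not the game's actual code: session IDs drawn uniformly from the full 128-bit space, and a cap on invalid session-ID lookups per client. The `SessionStore` class, its limits and the `log2_hit_probability` helper are hypothetical names chosen for illustration.

```python
import math
import secrets
import time


class SessionStore:
    """Issues 128-bit random session IDs and throttles failed lookups per client."""

    def __init__(self, max_failures=5, window_seconds=60.0, clock=time.monotonic):
        self._sessions = {}   # session ID -> account name
        self._failures = {}   # client address -> timestamps of recent misses
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._clock = clock

    def create(self, account):
        # secrets uses the OS CSPRNG: 16 bytes -> 32 hex digits, every one of
        # the 2^128 values equally likely, with no structure shared between IDs.
        sid = secrets.token_hex(16)
        self._sessions[sid] = account
        return sid

    def lookup(self, client, sid):
        now = self._clock()
        # Keep only the misses that fall inside the sliding window.
        recent = [t for t in self._failures.get(client, [])
                  if now - t < self.window_seconds]
        self._failures[client] = recent
        if len(recent) >= self.max_failures:
            # While throttled, the client gets no answer at all, valid ID or not.
            raise PermissionError("too many invalid session IDs from this client")
        account = self._sessions.get(sid)
        if account is None:
            recent.append(now)  # count the miss against this client
        return account


def log2_hit_probability(id_bits, active_sessions, guesses):
    """log2 of the chance that uniform guessing hits any active session
    (union bound, capped at certainty)."""
    return min(0.0, math.log2(active_sessions) + math.log2(guesses) - id_bits)
```

`log2_hit_probability` makes the disagreement concrete: with 128 effective bits the odds stay negligible even at very high guess counts, while an ID scheme that only covers a small subset of the space reaches certainty at the same count.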