Quote: Originally posted by Pronsolo
I really don't think this has anything to do with SE in most cases.......
The reason I'm asking people to provide that information in the 2nd post of the thread is so the devs can investigate further.
All these related posts mention that their account got hacked, but there isn't much information to go by to figure out which sites to avoid or what to expect from these hackers.

For the most part, if there was a simple IP check, I don't see this issue happening as often as I'm seeing recently on these forums. I do understand some have a Dynamic IP and their IP changes frequently, so there needs to be some extra security there, which can be the Security Token. I remember the IP check being there before, dunno what happened there.

However, from reading threads on these forums, right now you can bypass that by passing some simple session_id information which doesn't expire...

If it was me, I would rewrite the code so that when a Security Token is used, it passes through the initial login, THEN records the current IP address, and if anyone tries to log in from outside the IP using session_id it should flag. The Security Token is a unique code that is updated every time it's used, so unless the hacker is quick enough and is doing the man-in-the-middle hack at that exact timing, this should make it much, much harder to break. Using the security token will update the IP every time, so it won't affect the players with a Dynamic IP or playing from different locations from time to time.
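A minimal sketch of the scheme proposed in the post above, added here as an illustration; it is not code from the post or from the game operator. The class and method names are hypothetical, an HMAC counter code stands in for the Security Token, and revoking the session on an IP mismatch is an assumption that goes one step beyond the "flag" the post asks for.

```python
import hashlib
import hmac
import secrets


class SessionGuard:
    """Binds each session to the IP seen at the last security-token login."""

    def __init__(self):
        self.token_state = {}  # account -> (secret, counter)
        self.sessions = {}     # session_id -> (account, bound_ip)
        self.flagged = []      # (account, bound_ip, offending_ip)

    def enroll(self, account):
        secret = secrets.token_bytes(20)
        self.token_state[account] = (secret, 0)
        return secret

    @staticmethod
    def code(secret, counter):
        # Stand-in for the Security Token: a 6-digit code that changes per use.
        mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def login(self, account, submitted_code, ip):
        secret, counter = self.token_state[account]
        if not hmac.compare_digest(submitted_code, self.code(secret, counter)):
            return None
        # The code is consumed, so a captured one cannot be replayed.
        self.token_state[account] = (secret, counter + 1)
        # Drop older sessions so only the token-verified IP stays valid.
        self.sessions = {s: v for s, v in self.sessions.items() if v[0] != account}
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = (account, ip)
        return session_id

    def check(self, session_id, ip):
        entry = self.sessions.get(session_id)
        if entry is None:
            return False
        account, bound_ip = entry
        if ip != bound_ip:
            # session_id presented from another address: flag and revoke.
            self.flagged.append((account, bound_ip, ip))
            del self.sessions[session_id]
            return False
        return True
```

A player whose address changes simply logs in again with the next token code, which rebinds the session to the new IP.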