Game Sessions Not ExpiringFollow

Back in school, one of my teachers said that the safest computer would be one not connected to any network, locked in a vault, and under constant armed guard... even then he'd not guarantee it. Basically, if someone wants something badly enough, they will get it. However, expiring sessions or denying a session once its IP changes are very rudimentary elements of security. Neither is all that hard, and the latter should be an absolute no brainer. "What, the client suddenly shifted IP ranges from a NA address to one in China? Oh who cares." That's.... very bad. Hell Facebook won't let you do that, it will make you jump through hoops to login on a non-recognized device from another IP range, and it alerts the user that all this is happening. I'd hope that a service I am paying for would do at least that.

So this was the solution to the problem. It's a feature, not a bug!

It didn't. In the original post, the guy gave his session ID to another person on another ISP in another part of the country.



From the summary of the article you posted.

Hmm, I would assume would happen. I could try to login using my fiancee's account up here. I could get her to give it to me. I wasn't able to sort out how I'd copy my session ID (mainly because.... well I wanted to play last night XD), but this test could be quick...

If you have a token the test won't work, somehow using a one time token skips the IP check. You can get the session ID using Process Explorer, it's a free download from Sysinternals/Microsoft.

This is like someone taking your concert ticket out of the garbage and seeing the band play the next night, not only that but they tell everyone at the show that they're you...and they can do this indefinitely. The security guards don't even ask to see the ticket, they just get to walk in because they have one.

Now to you or me, unless our PC is compromised, it probably doesn't mean much...until (or unless) someone's figured out the algorithm used (unless it's random) to make the Session IDs. In which case they can generate a valid ID you were given, log into your PC, spam your contact list for gold sites, sell all your items and ship off all your gil...all without ever knowing your password, your account name, email, or having broken token auth.

Why this matters is because if your PC was otherwise compromised by a keylogger or somesuch your account should be safe because you have the One Time password--so external entities could have your password and do other nasty things, but not get into your account.

I'd hope SE would notice the same IP generating session IDs that don't actually work and lock out any computer spamming them after a few attempts. Won't help anyone with a legit session ID who gets hijacked, but would significantly hamper anyone trying to brute force it.

So is it time to panic yet, or stay calm?

Doesn't sound like it:

On the "it's a bug, not a feature" note, you don't have to log back in to the game if you get disconnected due to inactivity. It kicks you back to the character selection screen. The non-expiring session ID is probably what allows that.

This whole keeping the session active and working does save your spot in a party, dungeon or instance when you disconnect however. Still feel there should be a way to disable this upon a proper /shutdown for sleep or so.