RuneScape Forum Archive | Security check for forums

Jun

2006

Dilbert2001

Posts: 30,168 Sapphire Posts by user Forum Profile RuneMetrics Profile

333333333 said :
I never log out of the forums! Being inactive for like 1 hour will auto log you out!

Yes, and it is actually much easier to just close the windows tab.

28-Aug-2020 16:48:30

Jan

2016

Hmm

Posts: 13,000 Opal Posts by user Forum Profile RuneMetrics Profile

NexOrigin said :
Megycal said :
why have added security to log out ?? It doesn't make sense. It doesn't make sense if you're the one attempting to log out your account, but, it makes a bit more sense if someone is attempting to log out other users from the website.

So it doesn't make any sense, because the only person ever trying to log out of my account is me. Everyone else is trying to log into it. If someone else is trying to log out of it, I've screwed up well before them trying to be nice by logging me out for me.

28-Aug-2020 18:14:49

NexOrigin

Posts: 2,592 Adamant Posts by user Forum Profile RuneMetrics Profile

Hmm said :
NexOrigin said :
Megycal said :
why have added security to log out ?? It doesn't make sense. It doesn't make sense if you're the one attempting to log out your account, but, it makes a bit more sense if someone is attempting to log out other users from the website.

So it doesn't make any sense, because the only person ever trying to log out of my account is me. Everyone else is trying to log into it. If someone else is trying to log out of it, I've screwed up well before them trying to be nice by logging me out for me. Theoretically, the only person that SHOULD be trying to log out of your account is you.

However, if someone were actively trying to hijack your account, they might also be trying to log your account out of the website too... to keep you from changing your password. Of course, in order to target a logout, they would theoretically need your website session ID.

Of course, someone could just be firing logout packets with random session ID's at the server... and adding a CAPTCHA to the website logout would help deter that. I'm better than you, but that doesn't mean you're not great!

28-Aug-2020 18:50:57

Jan

2016

Hmm

Posts: 13,000 Opal Posts by user Forum Profile RuneMetrics Profile

From the session ID I just extracted from myself, it's 150 characters of at least 30 unique characters. They expire after a certain amount of time, lets say 1000 years. That's 3.699884850351269729247007824517e+221 session ID combinations, and if all 3 billion devices running Java at once sent a request every 5 seconds, which would be a rate of 18921600000000000 requests a year, if we arbitrarily decide that they'll continue to continue this attack of 3 billion unique computers until the earth is consumed by the sun, which is estimated ro about 5 billion years, we get 94608000000000000000000000, and if compare all 3 billion Java devices operating for the next 5 billion years to hack your one RuneScape account by its session ID, they'll have missed out 3.9107526322840243206145440391055e+195 possibilites of the entire address range, even given that ID is swapping every 1000 years. They'd have a 0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002% of logging you off once even if the session ID literally never expired by the time the earth is consumed.

Or another way of putting it, is that it's never gonna happen and so a ridiculous thing to worry about.

28-Aug-2020 19:51:30

NexOrigin

Posts: 2,592 Adamant Posts by user Forum Profile RuneMetrics Profile

The session ID is in the URL, and it's only like 10 characters.

It's the c=########## portion of the URL.

I have no idea what the session ID you're extracting is.

And I'm not talking about using the session ID to hijack an account, I'm talking about it being used to log an account out of the website (for whatever reason). I don't know if it's possible, but it's certainly something to consider.

Obviously the CAPTCHA being applied to log out is some sort of a security measure, whether it be intentional, or just a side affect of other security measures that have been put in place. I'm better than you, but that doesn't mean you're not great!

28-Aug-2020 20:02:06

Jan

2016

Hmm

Posts: 13,000 Opal Posts by user Forum Profile RuneMetrics Profile

The C= is not the session ID.

The session ID you can view by going into your cookies and looking for the cookie called session.

It's called session because it's the session ID.

When the session ID is in the url, it is prefixed with s=

where the s stands for session.

There is nothign that distinguishes using a session ID to "hack" an account or log it out. If you can correctly guess session ID's, you ARE logged into the account, it is the token that authentication exists on.

28-Aug-2020 20:04:17

NexOrigin

Posts: 2,592 Adamant Posts by user Forum Profile RuneMetrics Profile

I'm sure there are multiple "session IDs" being used, in addition to the one in the URL.

If you change or remove the one in the URL, you'll immediately be logged out of the forums.

Regardless, my point is still the same:
NexOrigin said :
Obviously the CAPTCHA being applied to log out is some sort of a security measure, whether it be intentional, or just a side affect of other security measures that have been put in place. I'm better than you, but that doesn't mean you're not great!

28-Aug-2020 20:13:53

Jan

2016

Hmm

Posts: 13,000 Opal Posts by user Forum Profile RuneMetrics Profile

Yes, if you muck about with cookies in the browser, it's detected as suspicious and logs you out. However if you manage to by chance guess the session ID, you can use it to sign in with zero problem. You can actually prove this yourself by looking at how the authentication page works, it's not black magic. You will see s= in the redirect page, and you can straight up copy and paste the URL, send it to another computer, and log in with it elsewhere.

This is literally how the client manages to login to the website if you're already logged in in game. If you look at the address bar the client loads before it takes you to the message center or forums or news or whatever, you'll see the s= value with all ~150 characters.

So ok, your point might be the same. It might be some vague security policy, but it's absolutely unrelated to the actual thing you're saying it's a security policy for, and there's no reason to believe Jagex are in need of a Captcha to protect people randomly guessing session IDs because there's no reason to believe Jagex have implemented them in any way that goes against industry standards, so the FUD is entirely unnecessary.

28-Aug-2020 20:25:30 - Last edited on 28-Aug-2020 20:35:29 by Hmm

NexOrigin

Posts: 2,592 Adamant Posts by user Forum Profile RuneMetrics Profile

Hmm said :
So ok, your point might be the same. It is the same. It's a security measure. Obviously there is a reason why Jagex would add additional security to logging out of the website.

Occam's Razor would conclude that it is being done to prevent people from fraudulently logging out accounts, by whatever means is being used.

Unless you think Jagex accidentally applied it to the logout page instead of the login page?

I'm better than you, but that doesn't mean you're not great!

28-Aug-2020 21:00:09

Aug

2013

Jeremy Cheng

Posts: 25,639 Sapphire Posts by user Forum Profile RuneMetrics Profile

Thank you jagex for replacing those hard to see reCAPTCHAs with far more easier hold down the mouse and drag the object onto another object puzzles. No failures on these new puzzles yet.

29-Aug-2020 03:51:20

Forums

Security check for forums