Bug #320: Session IDs aren't checked - implement EnforceSessions
Field | Value
---|---
ID | #320
Submitter | Cirras
Product | EOSERV
Severity | Feature Request
Status | OPEN, CONFIRMED
Submitted | 5th Feb 2015
Updated | 6th Feb 2015
When a client requests an account creation, EOSERV is simply returning the "ACCOUNT_CONTINUE" const instead of randomly generating a session ID for validation. [ACCOUNT_CONTINUE = 1000]
This allows PACKET_REQUEST/The Account_Request function to be bypassed entirely, because PACKET_CREATE/The Account_Create function doesn't currently *care* what the session ID is.
Comments
This is part of a lack of session ID checking all over EOSERV. There's nothing so important about Account_Request that it needs to be done, and session IDs aren't necessary to enforce the ordering. The only reason to implement it is to match the strictness of the official EO protocol.
I'm gonna hijack this bug for checking session IDs in general.
Updated Title to Session IDs aren't checked - implement EnforceSessions
Updated Status to CONFIRMED
Not a bug as there's no observable effect or problem caused by it.
Updated Severity to REQUEST
I think what Cirras is trying to achieve should be done with a timer to log the request start time and setting the actual create to now > (start + 120). Enforcing such a timer would prevent account create spam and bypassing the proper sequence. If you attempt this fix make sure start != 0 within the create handler.
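The check the report asks for and the timer the last comment proposes, as an added C++ example that is not EOSERV's code: Account_Request hands out a random session ID and records when the request arrived, and Account_Create refuses a client that has no recorded request (start == 0), presents a different session ID, or arrives before the proposed now > (start + 120) window has passed. The class and method names (AccountSessions, OnRequest, OnCreate), the Verdict values and the seed parameter are assumptions made for this example; only ACCOUNT_CONTINUE = 1000 comes from the report.

```cpp
#include <cstdint>
#include <iostream>
#include <random>
#include <unordered_map>

// From the bug report: the constant EOSERV currently returns instead of a session ID.
// Because every client receives the same value, Account_Create cannot tell whether
// Account_Request was ever sent. Everything below is assumed example code, not EOSERV's.
constexpr uint32_t ACCOUNT_CONTINUE = 1000;

struct PendingRequest {
    uint32_t session_id = 0;  // random ID issued by Account_Request
    int64_t start = 0;        // request time in seconds; 0 means "no request recorded"
};

class AccountSessions {
public:
    enum class Verdict { Ok, NoRequest, BadSession, TooEarly };

    // min_delay: the comment's proposed gap (120 s) between request and create.
    // seed is a parameter only so the example is reproducible; a real server should
    // seed from an unpredictable source such as std::random_device.
    AccountSessions(int64_t min_delay, uint32_t seed)
        : min_delay_(min_delay), rng_(seed), dist_(1, UINT32_MAX) {}

    // Account_Request: issue a fresh session ID and remember when this client asked.
    uint32_t OnRequest(int client_id, int64_t now) {
        PendingRequest& p = pending_[client_id];
        p.session_id = dist_(rng_);   // never 0, so 0 can stand for "nothing pending"
        p.start = now;
        return p.session_id;
    }

    // Account_Create: accept only if a request exists, the ID matches and the timer has run.
    Verdict OnCreate(int client_id, uint32_t client_session_id, int64_t now) {
        auto it = pending_.find(client_id);
        if (it == pending_.end() || it->second.start == 0) {
            return Verdict::NoRequest;  // the "start != 0" check the comment asks for
        }
        if (it->second.session_id != client_session_id) {
            return Verdict::BadSession;
        }
        if (!(now > it->second.start + min_delay_)) {
            return Verdict::TooEarly;   // now > (start + 120) as proposed in the comment
        }
        pending_.erase(it);             // one request authorises exactly one create
        return Verdict::Ok;
    }

private:
    int64_t min_delay_;
    std::mt19937 rng_;
    std::uniform_int_distribution<uint32_t> dist_;
    std::unordered_map<int, PendingRequest> pending_;
};

int main() {
    AccountSessions sessions(120, 42);
    // A client that skips Account_Request and sends the old constant is rejected.
    std::cout << (sessions.OnCreate(1, ACCOUNT_CONTINUE, 1000) == AccountSessions::Verdict::NoRequest) << "\n";
    uint32_t id = sessions.OnRequest(1, 1000);
    std::cout << (sessions.OnCreate(1, id, 1121) == AccountSessions::Verdict::Ok) << "\n";
}
```

The pending entry is erased on success so a captured session ID cannot be replayed for a second create, and the timer comparison is strict (1120 is rejected, 1121 accepted) to match the inequality as the comment wrote it.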