
Suggestion to fix the session stealing problem

session stealing authentication

8 replies to this topic

#1

sebnie
    sebnie

    Out of the Water

  • Members
  • 9 posts

Posted 02 May 2012 - 09:36 AM

I have an idea on how the "session hijack" or "session stealing" can be fixed.

Currently, the server sends a random number.
Client sends:
ht tp://session.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<rand>

Server checks with:
ht tp://session.minecraft.net/game/checkserver.jsp?user=<username>&serverId=<rand>

-----

Do this instead:
Server sends *nothing*
Client sends:
ht tp://session.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<Server-IP>
<Server-IP> is saved in the profile of <username> in minecraft.net authentication server.
<Server-IP> is the *RESOLVED* IP of the server the client is going to connect to.

Server checks with:
ht tp://session.minecraft.net/game/checkserver.jsp?user=<username>

The IP of the actual request to [ ht tp://session.minecraft.net/game/checkserver.jsp?user=<username> ] (this will be the IP of the server) must be active on <username> at minecraft.net for it to YES the authentication.

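The two flows above, side by side, as an added simulation that is not part of the original post. It models session.minecraft.net, a client and two game servers in memory: the current flow (random serverId handed out by the server) and the proposed flow (serverId = the resolved IP the client is about to connect to, checked against the source IP of the checkserver.jsp request). The relay scenario, the usernames, session IDs and the documentation-range IP addresses are constructed for the simulation and are assumptions, not data from the page.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """In-memory stand-in for session.minecraft.net (assumed behaviour)."""
    sessions: dict                               # username -> sessionId issued at login
    joins: dict = field(default_factory=dict)    # username -> last serverId from joinserver.jsp

    def joinserver(self, user, session_id, server_id):
        """joinserver.jsp: the client proves it holds the session and names a serverId."""
        if self.sessions.get(user) != session_id:
            return "Bad login"
        self.joins[user] = server_id
        return "OK"

    def checkserver(self, user, server_id):
        """checkserver.jsp, current flow: the game server presents the serverId it handed out."""
        return "YES" if self.joins.get(user) == server_id else "NO"

    def checkserver_proposed(self, user, source_ip):
        """checkserver.jsp, proposed flow: the caller's source IP must equal the
        resolved IP the client registered for <username>."""
        return "YES" if self.joins.get(user) == source_ip else "NO"


@dataclass
class Client:
    user: str
    session_id: str
    auth: AuthServer

    def join_current(self, server_id):
        return self.auth.joinserver(self.user, self.session_id, server_id)

    def join_proposed(self, resolved_ip):
        return self.auth.joinserver(self.user, self.session_id, resolved_ip)


@dataclass
class GameServer:
    ip: str          # the address clients resolve and the address the auth server sees
    auth: AuthServer

    def handshake_current(self):
        """Current flow: the server hands the client a fresh random serverId."""
        return secrets.token_hex(8)

    def verify_current(self, user, server_id):
        return self.auth.checkserver(user, server_id)

    def verify_proposed(self, user):
        # The HTTP request to checkserver.jsp leaves from this server's own IP.
        return self.auth.checkserver_proposed(user, self.ip)


def legit_login_current(client, server):
    server_id = server.handshake_current()
    client.join_current(server_id)
    return server.verify_current(client.user, server_id)


def relay_attack_current(victim, target, relay):
    """Assumed relay: the victim connects to `relay`, which opens its own connection
    to `target` under the victim's name and forwards target's random serverId.
    The victim's sessionId never leaves the victim's machine."""
    server_id = target.handshake_current()      # target gives the relay a serverId
    victim.join_current(server_id)              # relay forwards it; the victim registers it
    # relay now drops the victim ("server is full") and completes its login on target
    return target.verify_current(victim.user, server_id)


def legit_login_proposed(client, server):
    client.join_proposed(server.ip)             # client registers the IP it resolved
    return server.verify_proposed(client.user)


def relay_attack_proposed(victim, target, relay):
    victim.join_proposed(relay.ip)              # victim resolved the relay, not the target
    return target.verify_proposed(victim.user)  # checkserver arrives from target.ip


def demo():
    """Runs both flows with a legitimate join and with the relay; constructed data."""
    auth = AuthServer(sessions={"alice": "s3ss10n-alice"})
    alice = Client("alice", "s3ss10n-alice", auth)
    target = GameServer("198.51.100.7", auth)   # assumed addresses (documentation ranges)
    relay = GameServer("203.0.113.5", auth)
    return {
        "current_legit": legit_login_current(alice, target),
        "current_relay": relay_attack_current(alice, target, relay),
        "proposed_legit": legit_login_proposed(alice, target),
        "proposed_relay": relay_attack_proposed(alice, target, relay),
    }


if __name__ == "__main__":
    for name, answer in demo().items():
        print(f"{name}: {answer}")
```

In the current flow the random serverId is bound to nothing but the request that created it, so a relay that forwards it is indistinguishable from the real client and checkserver answers YES. In the proposed flow the auth server answers YES only when the checkserver call comes from the IP the client resolved, so the relay's login on the target fails. The proposal does rest on one assumption a practitioner should check: the game server's outbound address toward session.minecraft.net must equal the address the client resolved. Servers behind NAT, with a different egress address, on shared hosting where several servers sit on one IP, or a relay running on the same host as its target would all break that equality, and the check would then either reject honest logins or let the relay through.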

#2

Metholus
    Metholus

    Diamond Miner

  • Members
  • 829 posts
  • Location: Tellus

Posted 02 May 2012 - 09:58 AM

sebnie, on 02 May 2012 - 09:36 AM, said:

I have an idea on how the "session hijack" or "session stealing" can be fixed.

Currently, the server sends a random number.
Client sends:
ht tp://session.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<rand>

Server checks with:
ht tp://session.minecraft.net/game/checkserver.jsp?user=<username>&serverId=<rand>

-----

Do this instead:
Server sends *nothing*
Client sends:
ht tp://session.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<Server-IP>
<Server-IP> is saved in the profile of <username> in minecraft.net authentication server.
<Server-IP> is the *RESOLVED* IP of the server the client is going to connect to.

Server checks with:
ht tp://session.minecraft.net/game/checkserver.jsp?user=<username>

The IP of the actual request to [ ht tp://session.minecraft.net/game/checkserver.jsp?user=<username> ] (this will be the IP of the server) must be active on <username> at minecraft.net for it to YES the authentication.

And in common English? Is this also a coding suggestion for the multiplayer?

What's the answer to this question?


#3

Redyoshi101
  • Location: Location: Location: Location: Location
  • Minecraft: Redyoshi510
  • Xbox:xodX

Posted 02 May 2012 - 02:34 PM

I don't understand most of it, but I support it anyway; session stealing sounds nasty.

#4

Death_marine
    Death_marine

    The Meaning of Life, the Universe, and Everything...

  • Curse Premium
  • 42 posts

Posted 03 May 2012 - 03:09 AM

sebnie, on 02 May 2012 - 09:36 AM, said:

I have an idea on how the "session hijack" or "session stealing" can be fixed.

Currently, the server sends a random number.
Client sends:
ht tp://session.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<rand>

Server checks with:
ht tp://session.minecraft.net/game/checkserver.jsp?user=<username>&serverId=<rand>

-----

Do this instead:
Server sends *nothing*
Client sends:
ht tp://session.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<Server-IP>
<Server-IP> is saved in the profile of <username> in minecraft.net authentication server.
<Server-IP> is the *RESOLVED* IP of the server the client is going to connect to.

Server checks with:
ht tp://session.minecraft.net/game/checkserver.jsp?user=<username>

The IP of the actual request to [ ht tp://session.minecraft.net/game/checkserver.jsp?user=<username> ] (this will be the IP of the server) must be active on <username> at minecraft.net for it to YES the authentication.
Already built a bukkit plugin to combat this issue:
http://dev.bukkit.or...-mods/opverify/
This Guy Doesn't Give A @#$%! About Likes!
Bukkit Plugins on Github

#5

arriej
    arriej

    Zombie Killer

  • Members
  • 156 posts
  • Location: The moon
  • Minecraft: arriej
  • Xbox:arriej

Posted 23 May 2012 - 06:04 PM

Redyoshi101, on 02 May 2012 - 02:34 PM, said:

I don't understand most of it, but I support it anyway; session stealing sounds nasty.

Here is more info about the session stealing ;)

http://blockmadness....ession-stealer/
Did I help you out on the forums? Don't forget to click the like button.

#6

bulletshredder_

Posted 15 July 2012 - 08:37 AM

Where do you type that in? I cannot join any servers; it says that, but it says it's an internal client error.

#7

monkeyxmerkz

Posted 15 July 2012 - 09:46 AM

All of my servers have 1 person in them (which I think is wrong), then I join and get the error. Can anyone help?

#8

Rarity
    Rarity

    Gold Miner

  • Members
  • 420 posts
  • Location: Finland
  • Minecraft: xSoulStealerx

Posted 15 July 2012 - 10:33 AM

monkeyxmerkz, on 15 July 2012 - 09:46 AM, said:

All of my servers have 1 person in them (which I think is wrong), then I join and get the error. Can anyone help?

Minecraft auth servers are down, because they are fixing this very issue. http://www.mojang.co...have-a-problem/

#9

Drift_91
    Drift_91

    Tree Puncher

  • Members
  • 24 posts
  • Location: Ontario, Canada
  • Minecraft: Drift_91

Posted 22 July 2012 - 04:43 PM

sebnie, on 02 May 2012 - 09:36 AM, said:

Do this instead:
Server sends *nothing*
Client sends:
ht tp://session.minecraft.net/game/joinserver.jsp?user=<username>&sessionId=<session id>&serverId=<Server-IP>
<Server-IP> is saved in the profile of <username> in minecraft.net authentication server.
<Server-IP> is the *RESOLVED* IP of the server the client is going to connect to.

Server checks with:
ht tp://session.minecraft.net/game/checkserver.jsp?user=<username>

The IP of the actual request to [ ht tp://session.minecraft.net/game/checkserver.jsp?user=<username> ] (this will be the IP of the server) must be active on <username> at minecraft.net for it to YES the authentication.
I was going to suggest a different way of doing it. But I figured before I made a post that I'd search for any already existing threads. I'm glad I did because your method is far better than what I came up with. From what I understand, the session ID is never sent to the server, correct?

Basically what I came up with was that the client sends the session ID to the auth server and gets a one-time use key to send to the server.


Death_marine, on 03 May 2012 - 03:09 AM, said:

Already built a bukkit plugin to combat this issue:
http://dev.bukkit.or...-mods/opverify/
This has absolutely nothing to do with stopping session stealing, from what I understand from the BukkitDev page. It just stops people from being OPed before they join the server for the first time. Rather useless IMO. You'd be far better off using vAuth to authenticate all the staff/OPs and then use a plugin that stops people from using "/op" in-game, so that you can only OP people from the console. Unfortunately, only Mojang has the ability to stop session stealing. As far as I know, it can't be done by a plugin, aside from authenticating people server-side with xAuth or vAuth. However, this requires the player to register on your server and use a second password every time they connect to your server.


Rarity, on 15 July 2012 - 10:33 AM, said:

Minecraft auth servers are down, because they are fixing this very issue. http://www.mojang.co...have-a-problem/
They were actually fixing a completely different problem that was far worse than session stealing. People were able to log into ANY migrated account without having to enter a password or steal a session ID. Here's a detailed Reddit post on the issue: http://www.reddit.co...er_hackers_can/

------

I'm going to make a Twitter account JUST to tweet this to Jeb. I suggest everyone else do the same to make sure this gets noticed. It's a really simple fix, and I'm surprised no one else has brought it to Mojang's attention yet. Session stealing just keeps getting worse and worse. Now it's even built into the increasingly popular Nodus client.

Someone can have a super secure password for their Minecraft account and still get hacked. All they have to do is see a server posted on the forums and think "Hey, this server sounds cool. I'm going to join it!" And when they try to connect to it, it says it's full and disconnects them. Then the server owner uses their session ID to log into popular servers like c.nerd.nu and grief all over the place.

Drift_91 - Head Admin/Plugin Manager on UltaCraft
