I have a third party service that can create accounts and perform game operations.
After user logs in, it returns a session ticket the user.
Now I just noticed the SDK function to validate the ticket only requires the ticket token and not the user owner of the ticket - this generated me a question of what impedes one user using the ticket token of another user to perform calls ?
Is there a way to validate that the ticket is owned by a given user ?
Thanks !