Mr Slo asked

Authentication Ticket Validation Question

I have a third party service that can create accounts and perform game operations.

After the user logs in, it returns a session ticket to the user.

Now I just noticed that the SDK function to validate the ticket only requires the ticket token and not the user who owns the ticket. This raised a question for me: what prevents one user from using the ticket token of another user to perform calls?

Is there a way to validate that the ticket is owned by a given user?

Thanks!


Gosen Gao answered

It is quite common to use tokens as credentials for user requests; the purpose is to not have to verify the user's information every time, so as long as you have a session ticket, you can make API requests. To prevent one user from using the ticket token of another user to perform calls, you can use the API AuthenticateSessionTicket to verify the session ticket before performing the calls. The most important thing is that you should avoid players getting other people's session tickets.


Mr Slo answered

Hi Gosen, thanks for your reply.

I am using AuthenticateSessionTicket atm. I believe you might have gotten a bit confused there, because it does not verify that I'm the owner of a given ticket: I can authenticate both my own and other players' tickets using this endpoint, as there are no parameters or information about the issuer of the ticket.

Usually auth methods like JWT include the issues in the ticket so we can make sure another user cannot use your ticket to perform actions on your behalf. Of course we can have measures to avoid one user grabbing the ticket of another user, but just knowing that one user can grab another user's token and send requests on behalf of that other user scares me.

What prevents my user, using my user ticket, from sending requests that modify your user? I'm a bit confused, as this seems like a huge security breach.


Gosen Gao commented

>> I can authenticate both my own and other players' tickets using this endpoint, as there are no parameters or information about the issuer of the ticket.

Since AuthenticateSessionTicket will return user information, you can use CloudScript or an Azure Function to implement a function that requires the client to provide the necessary information to verify whether this is the owner of the ticket, such as username or email address.

>> Usually auth methods like JWT include the issues in the ticket so we can make sure another user cannot use your ticket to perform actions on your behalf. Of course we can have measures to avoid one user grabbing the ticket of another user, but just knowing that one user can grab another user's token and send requests on behalf of that other user scares me.

I don't quite understand what you mean by "issues", and how can the server know you are the owner just from the JWT token? As JWT's documentation mentions, "Since tokens are credentials, great care must be taken to prevent security issues." It also doesn't seem to prevent such issues. If it needs to pass additional information for validation, this seems to be similar to the method I mentioned above.

