Do not share POESESSID values with other people

"

Glowy wrote:

I'm seeing a lot of hating on GGG in this thread because of players who think PoB should be an official thing in the game. Stop it.

Absolute shit take on GGG outsourcing QoL leading to out of control situations if you ask me. Take your pick of pre-PoE trade site, TFT, PoB, the Wiki, Craft of Exile, trade overlays, Filters before they had to pay Neversink and more.

I mean c'mon man.

"

Fruz wrote:

"

nl_atole wrote:

If we shared this in the past is there something we can do to protect our account?

Right, if this is such a potential security breach, shouldnt there be a way to either re-generate it, or block the accesses it gives ?

logout of you account should invalidate existing PoESessID.

"

DarthSki44 wrote:

If something bad were to happen a large scale, it would be very interesting to see what GGG would do. PoB is used by an absurd about of players... a mass ban event would be financial suicide if you ask me.

Yeah, it would be interesting to see.

I think those over there developing PoB should have perhaps done this in the more sensible way and used OAuth from the offset. Though, tbh, tools like these would inevitably be developed, and use of unsecure authorisation should have been an absolute don't do it, we'll provide a secure way from the very first time it was used (procurement, many years back?), avoiding this situation.

"

Mxeon wrote:

"

Fruz wrote:

Right, if this is such a potential security breach, shouldnt there be a way to either re-generate it, or block the accesses it gives ?

Not sure how GGG handles it, but I'd imagine logging out and logging back in would be enough to generate a new sessionid. It also probably also renews when the website forces a relogin from time to time.

"

p0miki wrote:

"

Fruz wrote:

"

nl_atole wrote:

If we shared this in the past is there something we can do to protect our account?

Right, if this is such a potential security breach, shouldnt there be a way to either re-generate it, or block the accesses it gives ?

logout of you account should invalidate existing PoESessID.

Thank you !

Not that I have personally used this id (could have once many years ago with acquisition, not sure), but this seems like a useful information ... that GGG should probably share in this anouncement.

While the warning is undoubtedly important, it should be noted that Path of Building is open source and people can check themselves whether it has nefarious code.

SPAWN OF POESESSID is my new band name. You can't have it. It's tech death at its finest.

"

Glowy wrote:

"

bigtoaster64 wrote:

"

Cyndershade wrote:

Three cheers for fearmongering to stop people from trusting path of building.

Im curious, in which case PoB does require a session ID to do something? As far as I know, it only retrieve account infos that are public, nothing private (which wouldn't make sense for what PoB is). And I don't see any case where it would require a private access to an account.

If your account is private, such as mine, and you want to load a character up on PoB, you would need to enter your POESESSID in order to give the program access to view your account.

PoB added feature to search for items on trade that May improve your build. Since trade site required to be logged in it need session id.

"

vonMoselberg wrote:

GGG its time for 2FA !!!

THIS !!

Is TFT bulk selling tool and neversink ok ?

I know they use safe authentication via steam...

Do the apps request specific POESESSID request?

I'm wondering. Maybe it's time to implement what other programs give to make it in the game?