Topic: Session key: can it be abused? (Read 229 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
September 19, 2019, 03:01:16 PM
#5
Quote
You should keep it secret.
Thanks, that's what I thought. I just found out I've been sharing LoyceBot's session keys since April.

I disabled this scraper, then logged out and logged in again. I think I'm good now.



I'll lock this thread soon.
legendary
Activity: 3318
Merit: 2008
First Exclusion Ever
September 19, 2019, 02:48:45 PM
#4
Quote
Hmm, I also got that same exact error at least half a dozen times today trying to edit some of my messages or to quote someone. I recall this being the first time I encounter "Session verification failed". I can also see it being reported multiple times over the years.

Should I be concerned about it and is there anything I can do?

This is a normal event if you leave a tab open for a long time. No action is needed, just reload the page (from a direct link, not a refresh).
legendary
Activity: 2212
Merit: 2061
Join the world-leading crypto sportsbook NOW!
September 19, 2019, 02:40:23 PM
#3
Hmm, I also got that same exact error at least half a dozen times today trying to edit some of my messages or to quote someone. I recall this being the first time I encounter "Session verification failed". I can also see it being reported multiple times over the years.

Should I be concerned about it and is there anything I can do?
administrator
Activity: 5222
Merit: 13032
September 19, 2019, 02:29:45 PM
#2
If someone has your session key, they can try CSRF attacks against you until the key expires. You should keep it secret.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
September 19, 2019, 02:24:25 PM
#1
If someone gets access to someone else's session key (on Bitcointalk SMF), can that be abused? I've tried to do something with it in a private window, but get this:
Quote
Session verification failed. Please try logging out and back in again, and then try again.
Is this enough to assume there's no risk in leaking a session key, or did I overlook something?
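Added example, not part of the thread and not SMF's code: a toy server showing why the private-window test in the opening post fails while the administrator's CSRF concern still holds. It assumes the session key is a per-session anti-CSRF value checked together with the login cookie and replaced on a new login; `Forum`, `post_action` and `demo` are hypothetical names.

```python
import hmac
import secrets

VERIFY_FAILED = "Session verification failed"


class Forum:
    """Toy model (assumption): the cookie authenticates, the session key guards actions."""

    def __init__(self):
        self._sessions = {}  # cookie value -> {"user": ..., "key": ...}

    def login(self, user):
        cookie = secrets.token_hex(16)  # stays in the browser's cookie jar
        key = secrets.token_hex(16)     # embedded in the site's links and forms
        self._sessions[cookie] = {"user": user, "key": key}
        return cookie, key

    def logout(self, cookie):
        self._sessions.pop(cookie, None)  # the old session key dies with the session

    def post_action(self, cookie, submitted_key):
        session = self._sessions.get(cookie)
        if session is None:
            return VERIFY_FAILED  # no valid cookie: the key alone does nothing
        if not hmac.compare_digest(session["key"], submitted_key or ""):
            return VERIFY_FAILED  # cookie present, key missing or wrong
        return "ok:" + session["user"]


def demo():
    forum = Forum()
    cookie, leaked_key = forum.login("alice")  # constructed sample user
    results = {
        # Private window: the leaked key without that session's cookie.
        "key_only": forum.post_action(None, leaked_key),
        # Request carrying the victim's cookie but only a guessed key.
        "cookie_wrong_key": forum.post_action(cookie, "guess"),
        # Same request once the key has leaked: the check no longer protects.
        "cookie_leaked_key": forum.post_action(cookie, leaked_key),
    }
    # Mitigation used in the thread: log out and log in again.
    forum.logout(cookie)
    new_cookie, new_key = forum.login("alice")
    results["after_relogin"] = forum.post_action(new_cookie, leaked_key)
    results["fresh_key"] = forum.post_action(new_cookie, new_key)
    return results


if __name__ == "__main__":
    print(demo())
```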