Web services security timeout improved

Posted: Thu Jun 18, 2015 5:25 pm
by Pri
As many of you have found, if you leave the cards, auctions or shop pages open a long time without interacting with them (about 30 minutes), when you try to use something on the page it won't work.

This is due to a security system on the pages which creates a token and stores it in your browser only for 30 minutes. This token is issued so that the webserver can be assured that you (the human) are actually using the page and that you're not being forced to make purchases or redeem cards by a malicious website.

Essentially it protects against what is known as a CSRF attack - Cross Site Request Forgery. The attack is performed by having some JavaScript on a webpage which points to, for example, our shop and automates a purchase, so when you view the page it automatically buys something on your account using your rennies without your consent.

So as I say, this security issue hasn't affected us because I added session tokens more than a year ago, but the 30 minute timeout is too short and I've now increased this to 8 hours. This should be more than enough time for even our hardcore players, and it still blocks all CSRF attacks as the tokens are still only useful for the windows they are created within and forged requests will still be refused due to the lack of a valid token.

I know this is all very technical but I thought some of you may find it interesting how much goes into our online web apps. Some of the security we have is incredibly advanced for a game server especially a Minecraft one and I'm proud to say that.
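To make the mechanism in the post concrete, here is an added example (my own illustration, not Pri's code and not how the game's web apps are actually implemented) of a session-bound CSRF token with a configurable lifetime. It assumes a design where the token is an HMAC over the session id and its issue time under a server-side secret, so the server stores nothing per token; the session ids, the server secret and the fixed clock are constructed for the example. The `simulate` helper plays out three requests after a given idle period: the real user's request, a forged request with no token, and a forged request carrying a token issued to a different session. Switching the lifetime from 30 minutes to 8 hours changes only the first outcome.

```python
"""Session-bound CSRF token with a configurable lifetime (added example)."""
import hmac
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple

# The two lifetimes discussed in the post: the old 30 minute window and the new 8 hour one.
OLD_TTL_SECONDS = 30 * 60
NEW_TTL_SECONDS = 8 * 60 * 60


class CsrfGuard:
    """Issues one token per session and verifies it on state-changing requests.

    Assumed design: the token is "<issued_at>.<hmac(secret, session_id:issued_at)>".
    A page on another site cannot mint one without the server secret, and a token
    only verifies for the session it was issued to, so one user's token is useless
    against another user's account.
    """

    def __init__(self, server_secret: bytes, ttl_seconds: int,
                 clock: Callable[[], float] = time.time):
        self._secret = server_secret
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so the example can fast-forward time

    def _mac(self, session_id: str, issued_at: int) -> str:
        msg = f"{session_id}:{issued_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        """Create the token the page embeds in its forms or JavaScript requests."""
        issued_at = int(self._clock())
        return f"{issued_at}.{self._mac(session_id, issued_at)}"

    def verify(self, session_id: str, token: Optional[str]) -> Tuple[bool, str]:
        """Return (accepted, reason).

        Rejects missing, malformed, forged, wrong-session and expired tokens.
        The MAC is checked in constant time before the lifetime is considered.
        """
        if not token:
            return False, "missing token"
        issued_str, _, mac = token.partition(".")
        if not issued_str.isdigit() or not mac:
            return False, "malformed token"
        issued_at = int(issued_str)
        expected = self._mac(session_id, issued_at)
        if not hmac.compare_digest(expected, mac):
            return False, "token not valid for this session"
        if self._clock() - issued_at > self._ttl:
            return False, "token expired"
        return True, "ok"


def simulate(ttl_seconds: int, idle_seconds: int) -> Dict[str, Tuple[bool, str]]:
    """Issue tokens, let `idle_seconds` pass, then try three requests against the victim session."""
    now = [1_700_000_000]  # constructed fixed clock so results are repeatable
    guard = CsrfGuard(b"constructed-server-secret", ttl_seconds, clock=lambda: now[0])
    victim, attacker = "sess-victim", "sess-attacker"   # constructed session ids
    victim_token = guard.issue(victim)
    attacker_token = guard.issue(attacker)
    now[0] += idle_seconds
    return {
        # the real user, who left the page open for a while and then clicked "buy"
        "legit": guard.verify(victim, victim_token),
        # a cross-site page cannot read the victim's token, so it sends none
        "forged_no_token": guard.verify(victim, None),
        # a cross-site page using a token from its own session against the victim
        "forged_other_session": guard.verify(victim, attacker_token),
    }


if __name__ == "__main__":
    for ttl in (OLD_TTL_SECONDS, NEW_TTL_SECONDS):
        print(f"ttl={ttl // 60} min, idle 1 h:", simulate(ttl, 60 * 60))
```

With the old 30 minute lifetime, a user who idles for an hour gets "token expired" on a perfectly legitimate click, which is the symptom the post describes; with the 8 hour lifetime the same click is accepted, while both forged requests are refused under either setting because the rejection comes from the missing or mismatched MAC, not from the clock.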