Date & Time: Everyday, Anytime
Frequency: 100% Reproducible
Steps:
1. Open the launcher
2. Check the "remember me" box
3. Provide your username
4. Provide your password
5. Provide your OTP
6. Launch the game
7. Close the game
8. Re-open the launcher
What happens:
Only the account name is remembered.
Expected behaviour:
The session remains valid and I remain logged in.
Impact:
I am genuinely considering removing the OTP from my account and reducing its overall security because it's tedious to constantly re-enter this credential due to the lack of a functional method to save a session.
Suggested Solution:
If the current button is "working as intended" add another button that explicitly saves the token for the session and put w/e warnings on it you want, then implement logic to regenerate it each login and expire it after a sane period of non-use (48h is a "low" starting point) to mitigate any "perceived threat" of local attackers stealing said token.
Because let's be real, if an untrustworthy party compromises your machine to the extent that they can retrieve arbitrary files, is this actually something you should be worried about??
Alternatively, don't kill the game launcher when the game starts, let it persist in the background and let the user close it when they're done!!!
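The persistent-login scheme the post suggests (a saved token that is replaced on every login and expires after 48h of non-use), as an added illustration that is not the launcher's own code; the class name, the server-side hashed token table and the injectable clock are assumptions made for the example:

```python
import hashlib
import secrets
import time

IDLE_EXPIRY_SECONDS = 48 * 3600  # the "48h" idle limit named in the post


class RememberMeStore:
    """Server-side table of persistent-login tokens, keyed by token hash.

    Only the SHA-256 of each token is stored, so a dump of this table does
    not yield usable tokens. Redeeming a token consumes it and issues a new
    one, so a copied token stops working as soon as the real client uses it.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._records = {}       # sha256(token) -> {"user": ..., "last_used": ...}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Create a fresh token after a full username+password+OTP login."""
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = {"user": username, "last_used": self._now()}
        return token  # returned once; the client keeps it, the server keeps the hash

    def redeem(self, token):
        """Return (user, new_token) for a valid token, or None if it must re-login."""
        rec = self._records.pop(self._hash(token), None)   # single use
        if rec is None:
            return None                                    # unknown or already rotated
        if self._now() - rec["last_used"] > IDLE_EXPIRY_SECONDS:
            return None                                    # expired by non-use
        return rec["user"], self.issue(rec["user"])        # rotate on every login


def walkthrough():
    """Constructed scenario: login, relaunch twice, then a 49h gap."""
    clock = [1_000_000.0]
    store = RememberMeStore(now=lambda: clock[0])
    first = store.issue("player")
    relaunch = store.redeem(first)                 # relaunch next day: accepted
    replay = store.redeem(first)                   # old token reused: rejected
    clock[0] += 49 * 3600                          # 49h idle
    stale = store.redeem(relaunch[1])              # rejected, full login needed
    return relaunch[0], replay, stale
```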