Was chatting with ziggie and he sent me a link to a thread here. Neither he nor I noticed that the link contained the sess.id and key and stuff, so when I clicked it I naturally became ziggie. Well that's not the weird part, THIS is: When I found out I naturally logged out in a hurry and logged in as myself. And here's the weirdness: Then ZIGGIE became ME! I didn't send him any links, he just became me at his next refresh. I logged out once more and logged in using my alter ego, TrekkieGrrrl, and then... ziggie became TrekkieGrrrl. Now while nothing happened it could as well have been someone I didn't know - and trust - as much as ziggie, and then that other person COULD have downloaded all my stuff and/or used all my instore credits. And I wouldn't even KNOW! And had I complained I would most likely have been told that I must have used them myself, as the only person logged in as me was... me! Point is If I want to log in as someone I could send them a link so that they became me (I could even if I really wanted, create an account with that purpose...) And then when people log out and log in as themselves I would get access to their stores and downloads, even if the person involved didn't do anything wrong! This scares me, how about you?!

Whoa! That would be not so cool....that IS scary...

What is even scarier... is.... I became a GIRLIE... twice...! :(

Just be careful with those ID's and session info.

-J.

Wow! A new online game: musical identities! Exchange links in rotation, and even after you log out, your identity flows around the circle... last identity to find a person wins! :) Carolly

Hmm,

all I ever see is something like this:
http://www.renderosity.com/messages.ez?ForumID=(number#1)&Form.ShowMessage=(number#2)

I always thought that "number#1" identifies the forum and "number#2" the actual thread - does this mean that both are specific to my recent session?

If it is specific then is it static (e.g. linked to my account forever) or is it only linked for the running session (as long as I'm logged in)?

If you allow session cookies you may never see the Session ID or Session Key in the URL.

The forum ID and message number are not a problem.

Thanks. By the way, I just saw the session ID/Key right this moment... when I clicked the link from my eMail notification my browser opened this thread with the additional information, but whenever I click on anything else it vanishes. So I guess that it was added to the URL because the browser must first open the page before the server can access cookies, but the very next move will dispose of it - right? That was very good to learn, because otherwise I wouldn't have spend much attention to it when copy/pasting a link...

No and that was exactely how it happened. Ziggie was pasting a link that he sent to me. Sure you have to be carefull about the session ID's Jeff, but that requires that you notice them there in the first place! And that's why it imo is a tad dangerous. BECOURSE you can send someone a link and then take their identity without them EVER knowing it, if they do not notice that those numbers are there and/or know what they mean.

:humph!: I still think "Musical Identities" would be a great game. We all have distinctive typing styles (as well as identifying vocabulary)... which we'd try to mask to match the purported ID... so after the third or fourth switch, part of the fun will be identifying who we are really talking to. For example, hauksdottir tends to write in rambling sentences with dots in lieu of commas. She also has a sense of humor which is strained at best.

"Musical Identities" ???????????????/ Oh NOOOOOoooooooooo!!!!!!!!! Just when you thought it was "safe" to go back into the Forum. ;=]

Musical Identities SOUNDS like a good idea... BUT... be warned...! The Gender changes come as quite a shock...! One minute I was 'me' and the next I was ernyoka1... brrrrr... very scary...! ziggie

I'll bet it was completely painless and cost absolutely nothing, no? ;=]

Oh come on, ziggie.. admit that you enjoyed being ME! Who WOULDN'T enjoy being me? I'm charming, smart, good looking... Once I had a problem with vanity, but now I'm perfect. ;o)

I've had that happen a few times and even had the misfortune of posting links with that. Here's what I learned about it: 1. Rosity needs to address this. 2. If you first log on, or log on after deleting cookies, or log on with a new browser, you can have the sess ID key in the url. If you spot it, be sure to highlight behind the ID key for your cut and paste. 3. If you save a rosity link to your favorites (bookmark) be sure that you were not on a page with the sess id key displayed in the address like. 4. If you save a rosity link to your favorites that does not have the sess id key in it, be careful, and double check. When cutting and pasting, or going to that link, the sess id key sometimes appears (about 85% of the time). 5. If you did post a link with the key in it (and do double check EVERY link you post), then delete and go change your password. I had to delete a page with about 25 links to free stuff because one of them had my sess id key in it. It was up for several days before I saw it. Had to change the password. 6. Osity needs to address this. Hope that helps.

EricofSD, I am glad that someone else but me sees this as a real PROBLEM. Eventhough we can joke about it, it is actually a serious matter. NOTHING would have prevented ziggie from emptying my account and downloading all my purchases if he had wanted to do so. Of course I could have done the same, as I was originally HIM (talk about SCARY feelings :oP) but the point is that it CAN happen. And that you can become someone else without the other persone KNOWS IT!

Ernyoka, I think Ziggie ought to have felt positively giddy about being female, smart, and talented. However, the translocation to the other side of the planet may have disoriented him. That could be his only excuse for the lack of gratitude for the consciousness-raising elevation to womanhood. Even though I'll turn anything into a game if possible (I am a professional game developer, after all), this identity switch does have potential for real mischief. Cleaning out a store or account can be rectified, but damage to a reputation would take far longer to heal. Most of the forumites are folks I'd trust, but they are the regular posters. There is a tiny percentage of immature troublemakers though, who'd grin like Calvin and see how destructive they can be while disguised. If they picked on somone from Japan, say, the community might even lose a member if that person lost face and left. Identifying data needs to be better handled. Carolly

{Musical Identities SOUNDS like a good idea} Of course it's fun. Keep playing until you get a Merchant's account. Then, go to his or her home page and download all of their products. Or... change the mailing address to your own PO box and ask Renderosity to send you the next payment in cash. Don't forget to change the e-mail address in case they send you a confirmation e-mail. Or, if you don't get a merchant account: whenever you get a new identity, go to that person's "previously downloaded products" page and re-download everything to your own hard drive! Oh, boy! Free stuff! Okay, yes, I'm being sarcastic again, but I hope this points out the severe security issues.

My point exactely, JohnRender :o)

Face it, JohnRender, you're aching to become me-for-a-day! You could be sweet and charitable and understanding without butchering your reputation for constant criticism, AND you could peek into my secret wishlist to see if any of YOUR products were on it. ;^) Carolly

The only time I have identity swapped on here was when ilona was having problems uploading one of her products. We all thought it was something to do with her local servers, so I tried the upload from the UK.

I personally don't think that this should have been responded to with "Just be careful with those ID's and session info." It should be fixed asap instead. This is a definite security risk and should be addressed. As was stated if a person could intentionally do this by sending session ids and info with a link and then cause an id switch (and no one said this was a fluke!) and get not only what they purchased free but also their merchant products. This takes away from the merchants and all it will take is one member doing this intentionally (if the switch works as it did with ernyoka and ziggie) to get teh merchants in a riot and make them feel there is a security risk here for their products. :-/

LSM, that is what I was trying to say with my first post. It was a BIT funny becourse I know ziggie (at least I think so ;o) ) and we would never steal each other's things, BUT the thing is that it can happen AT ALL! I don't like it :o(