(2010.Sep.30 09:19 PM) zliplus Wrote: Actually, it logs you out when you log in from another location. Sites usually won't constantly check your security status due to overhead, so they'll just generate some sort of a keycode and store it (in cookies for low security). If emo grabs your cookie using his own website, he could potentially use it to get your session info and then manipulate the form data so it appears to be you playing.
Doing it this way means he's essentially piggybacking on your own session, which is why he said you need to be logged in. Of course, a cookie grabber could always steal your password, but that's more suspicious. This hack (which it is, rather than an exploit) is pretty obvious from any kind of back-end auditing though, since multiple IPs will be in one account simultaneously.
I make no promise of accuracy of any details, but the general idea should be right. I don't specialize in security or basic web apps.
Spot on. I noticed this exploit was possible when I switched connections and I was still logged in to awakenedlands, even though my IP was from another country.
It's just the PHP session ID, which gets stored in a cookie in your browser.
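
An added example, not part of either post and not the site's own code: the back-end audit zliplus mentions, run over constructed log lines. The log format and the names `classify_sessions` and `SAMPLE_LOG` are assumptions; it goes slightly beyond the posts by separating a session that moved to a new IP once (the connection switch described in the reply) from one that two IPs use in alternation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one request per line: "ISO-timestamp client-ip session-id".
# The format is an assumption; the addresses are documentation ranges.
SAMPLE_LOG = """\
2010-09-30T21:00:05 198.51.100.7 sess_aaa
2010-09-30T21:00:40 203.0.113.9 sess_aaa
2010-09-30T21:01:10 198.51.100.7 sess_aaa
2010-09-30T21:02:00 192.0.2.15 sess_bbb
2010-09-30T21:30:00 192.0.2.99 sess_bbb
2010-09-30T21:31:00 192.0.2.99 sess_bbb
2010-09-30T21:05:00 192.0.2.50 sess_ccc
"""

def parse(log_text):
    """Yield (timestamp, ip, session_id) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, ip, sid = parts
        yield datetime.fromisoformat(ts), ip, sid

def classify_sessions(log_text, window=timedelta(minutes=5)):
    """Return {session_id: 'single' | 'moved' | 'interleaved'}."""
    by_session = defaultdict(list)
    for ts, ip, sid in parse(log_text):
        by_session[sid].append((ts, ip))
    result = {}
    for sid, hits in by_session.items():
        hits.sort()                    # chronological order
        verdict, last_seen, prev_ip = "single", {}, None
        for ts, ip in hits:
            if prev_ip is not None and ip != prev_ip:
                if verdict == "single":
                    verdict = "moved"  # session ID appeared from a new address
                # An earlier IP comes back within the window after another IP
                # used the session: two clients hold the same cookie at once.
                if ip in last_seen and ts - last_seen[ip] <= window:
                    verdict = "interleaved"
            last_seen[ip] = ts
            prev_ip = ip
        result[sid] = verdict
    return result

if __name__ == "__main__":
    for sid, verdict in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(sid, verdict)
```

Only `interleaved` matches the "multiple IPs in one account simultaneously" signal; `moved` is what a legitimate connection switch looks like in the same log.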