mtasa-blue

MTA Session ID

Open Armisael2k opened this issue 1 year ago • 5 comments

Is your feature request related to a problem? Please describe.

Recently a hack has been released which can execute Lua code inside the client. For some reason, every time a cheater joins a server using hacks and needs to reconnect or change to another server, it's necessary to restart MTA.

Describe the solution you'd like

Benefit: If an administrator detects any strange behavior from a player, the Session ID can help to identify how many times the player has restarted their MTA. Therefore this can be implemented in custom anticheats.

Behavior: The Session ID should be generated each time the user opens MTA; it should be immutable until the player opens MTA again.

Describe alternatives you've considered

Functions Serverside: getPlayerSessionId(player) player: player:getSessionId

Variable player.sessionId

Additional context

I understand that the solution may be to force reconnect any player when he joins the server. But I think this may be an option to help identify those malicious users.

Security Policy

  • [X] I have read and understood the Security Policy and this issue is not about a cheat or security vulnerability.

Armisael2k, Jun 05 '24 01:06

How exactly would this be helpful to identify malicious users? I personally don't see a point in this

MegadreamsBE, Jun 05 '24 01:06

> How exactly would this be helpful to identify malicious users? I personally don't see a point in this

In my opinion, too many changes to that identifier would be a red flag for that player.

Armisael2k, Jun 05 '24 02:06

> > How exactly would this be helpful to identify malicious users? I personally don't see a point in this

> In my opinion, too many changes to that identifier would be a red flag for that player.

Hmm, I disagree. Plenty of reasons why a player would restart their game often. You'd have a lot of false positives.

MegadreamsBE, Jun 05 '24 02:06

> > > How exactly would this be helpful to identify malicious users? I personally don't see a point in this

> > In my opinion, too many changes to that identifier would be a red flag for that player.

> Hmm, I disagree. Plenty of reasons why a player would restart their game often. You'd have a lot of false positives.

I understand that point, but I can imagine situations where a new player joins the server with a new account and keeps joining and rejoining repeatedly. Maybe the ID by itself doesn't do anything, but a constant change of ID might be a variable to consider, since the most common thing is that they do a /reconnect.

Anyway, I'll leave the idea on the table

Armisael2k, Jun 05 '24 02:06

I can be wrong, but:

  1. What obstacles are stopping you doing this from code?
  2. About Lua injection, I guess you store sensitive changeable data in Web on frontend too? Without any serverside checking? Am I wrong?

Disinterpreter, Jun 05 '24 08:06