search

DoctorMcKay / node-steam-session

Node.js module for authenticating with the Steam auth server. Allows for generating refresh tokens and web auth cookies for use with steam-user and other packages.
https://www.npmjs.com/package/steam-session
MIT License
112 stars 20 forks source link

Expose LoginSession sessionId #18

Closed timvandam closed 1 year ago

timvandam commented 1 year ago

This change exposes the session id. This is handy because some steam endpoints require the sessionid to be in the post body

DoctorMcKay commented 1 year ago

"sessionid" is just a CSRF token. It doesn't matter what the value is, as long as it matches the sessionid cookie. There's no need to expose it here, you can always just generate a random value.

timvandam commented 1 year ago

I see. I thought this would be handy as getWebCookies already returns a sessionid cookie, and this would prevent having to remove that/extracting the session id from it

Didnt know it was just a csrf token though, interesting

DoctorMcKay commented 1 year ago

I can see the advantage to having a simple way to retrieve the value of the sessionid cookie, but this wouldn't accomplish that anyway. As far as I can tell, the "sessionid" input to https://login.steampowered.com/jwt/finalizelogin isn't actually necessary nor is it used for anything; it's only there because Steam sends it so we might as well send it too. Steam will generate a new sessionid cookie when it receives a request that is missing one.

The sessionid that we generate in getWebCookies doesn't get saved as a cookie on our end, so the cookie issued by Steam in response will be different (I haven't directly tested this, but I'm fairly confident in saying it).

Your best bet is probably just to generate your own random sessionid value, manually set it as a cookie, and then use that.