Closed timvandam closed 1 year ago
"sessionid" is just a CSRF token. It doesn't matter what the value is, as long as it matches the sessionid cookie. There's no need to expose it here; you can always just generate a random value.
I see. I thought this would be handy as getWebCookies already returns a sessionid cookie, and this would prevent having to remove that/extracting the session id from it.
Didn't know it was just a CSRF token though, interesting.
I can see the advantage to having a simple way to retrieve the value of the sessionid cookie, but this wouldn't accomplish that anyway. As far as I can tell, the "sessionid" input to https://login.steampowered.com/jwt/finalizelogin isn't actually necessary nor is it used for anything; it's only there because Steam sends it so we might as well send it too. Steam will generate a new sessionid cookie when it receives a request that is missing one.
The sessionid that we generate in getWebCookies doesn't get saved as a cookie on our end, so the cookie issued by Steam in response will be different (I haven't directly tested this, but I'm fairly confident in saying it).
Your best bet is probably just to generate your own random sessionid value, manually set it as a cookie, and then use that.
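The approach suggested in the comment above, sketched as an added example that is not part of the thread or the project's code: generate a random `sessionid`, replace any existing `sessionid` cookie with it, and send the same value in the POST body. The cookie array shape (`name=value` strings), the 12-byte token length, the helper names and the sample values are assumptions.

```javascript
// Added example: a client-generated double-submit CSRF token ("sessionid").
const crypto = require('crypto');

// Any unpredictable value works; 12 random bytes (24 hex chars) is an assumption.
function generateSessionId() {
  return crypto.randomBytes(12).toString('hex');
}

// cookies: array of "name=value" strings (assumed shape of the login cookies).
// Drops any existing sessionid so exactly one value is ever sent.
function withSessionId(cookies, sessionId) {
  const kept = cookies.filter(
    (c) => c.split('=')[0].trim().toLowerCase() !== 'sessionid'
  );
  return [...kept, `sessionid=${sessionId}`];
}

// Build headers and a form body in which cookie and body carry the same token.
function buildPost(cookies, sessionId, fields) {
  const jar = withSessionId(cookies, sessionId);
  const body = new URLSearchParams({ ...fields, sessionid: sessionId });
  return {
    headers: {
      Cookie: jar.map((c) => c.split(';')[0]).join('; '),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// The comparison a double-submit endpoint makes: body value must equal cookie value.
function doubleSubmitMatches(request) {
  const cookieValue = request.headers.Cookie.split('; ')
    .map((p) => p.split('='))
    .find(([name]) => name === 'sessionid')?.[1];
  const bodyValue = new URLSearchParams(request.body).get('sessionid');
  if (!cookieValue || !bodyValue || cookieValue.length !== bodyValue.length) return false;
  return crypto.timingSafeEqual(Buffer.from(cookieValue), Buffer.from(bodyValue));
}

// Constructed sample cookies, not real values.
const sampleCookies = ['steamLoginSecure=EXAMPLE', 'sessionid=stale-value'];
const sessionId = generateSessionId();
const request = buildPost(sampleCookies, sessionId, { example_field: '1' });
console.log(request.headers.Cookie, doubleSubmitMatches(request));
```
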
This change exposes the session id. This is handy because some Steam endpoints require the sessionid to be in the post body.