Logging in, and seeing a different account's character selection screen

[CatsEyeXI]

• [x] I have paid attention to this example and will edit again if need be to not break the formatting, or I will be ignored
• [x] I have searched existing issues to see if the issue has already been opened
• [x] I have checked the commit log to see if the issue has been resolved since my server was last updated
• [x] I have read the Contributing Guide
• [x] I have specified what branch this happens on branch: base

Additional Information (Steps to reproduce/Expected behavior) :

im encountering an issue where under some undetermined condition, a user can log in and to another account's character selection screen. ive seen this before personally (dualboxing on the same machine), and someone posted a screenshot of it happening to them on my discord.

potentially this has happened to a player and his character was deleted. i have a backup from a few days ago, could you possibly provide any guidance on how exactly i can restore the his character data from a backup sql file? or at least which tables i would need to grab rows from...

[CatsEyeXI]

i suspect this may have something to do with the login server taking new connections in quick succession and getting them mixed up,

[zach2good]

This is one of the long term shortcomings of xiloader and our login server - we don't currently have any additional information available to differentiate different sessions coming from the same IP

[CatsEyeXI]

This is one of the long term shortcomings of xiloader and our login server - we don't currently have any additional information available to differentiate different sessions coming from the same IP

it's happened on at least 2 other occasions where users were not sourcing from the same IP, (the screenshots of the incorrect character selection screens were sent to my discord).

[Era-Lusiphur]

I can attest that I've not seen this behavior from players dog-piling a login server in the past, even on a server with a very large population (300+ players). When you tell a Discord full of anxious people the server's up, something like this would be exposed rather quickly.

I've only seen players presented with an inaccurate character selection screen when playing from the same IP. This happens on retail as well from time to time if you have multiple clients reach the same state in the lobby server or sometimes when your household disconnects.

On privates, I've never seen evidence of anyone actually being able to login or delete characters when this occurs.

[TeoTwawki]

up to present day, I've seriously never seen if happen outside of multiplexing combined with either logging in the extra accounts too soon, or trying to change characters without fully logging out (going back to the ffxi top pages doesn't work right since the session data gets overwritten) or Legion Servers fairly big Chinese players base (who apparently all use the same internet cafe??)

So if these folks aren't from same network or pc, then I got no explanation atm. At login time the lobby assigned a session to the socket opened by the loader, and those are unique at that moment - but the socket gets reused by any additional instances. Opening a 2nd session on that same socket was the only known way to trip the "wrong character list" error til now.

[CatsEyeXI]

[zach2good]

I had a little dig around inside xiloader and inside the map server: everything seems legit from start to finish.

I'm pretty certain then that this bug is confined to the login server. There doesn't look like any vector to be able to log into someone else's character - only see them on the character select screen.

At worst, their login would fail and they'd have to restart the game and everything would re-align.

I caught up with operators from Era and Eden; they also haven't seen anyone be able to access someone else's character - using the default bootloader.

As a fun side note: I once logged into retail and caught a couple of packets and messages from someone else's Ambuscade instance: so even retail is a little leaky (in a harmless way): ^ I don't have ArkEV unlocked

[CatsEyeXI]

I had a little dig around inside xiloader and inside the map server: everything seems legit from start to finish.

I'm pretty certain then that this bug is confined to the login server. There doesn't look like any vector to be able to log into someone else's character - only see them on the character select screen.

At worst, their login would fail and they'd have to restart the game and everything would re-align.

I caught up with operators from Era and Eden; they also haven't seen anyone be able to access someone else's character - using the default bootloader.

As a fun side note: I once logged into retail and caught a couple of packets and messages from someone else's Ambuscade instance: so even retail is a little leaky (in a harmless way): ^ I don't have ArkEV unlocked

is it possible that someone would be able to delete a character? since it doesn't require logging all the way into the game?

[RAIST5150]

Surprised we don't see more issues with more and more ISP's doing those screwy CGNAT and 464 tunnel schemes trying to get around needing more v4 address space.

One of my biggest gripes with TMO... can't port forward or anything because of their tunneling crap that makes a bunch of us share the same forward facing IPV4 addresses like a VPN service.

Would expect as long as the session ID's are protected and all, should just be a quirky glitch of sorts and not pose any real threat to other players accounts and all. Basically just getting a peek at someone's character model, location, etc.--something you could do through various sources in retail already.

[zach2good]

Presumably this doesnt happen anymore after Winter's login rewrite?

[zach2good]

Is this still an issue?