Closed glen-84 closed 9 years ago
What's your use-case? Why do you need to bind to specific source IP addresses?
http://www.reddit.com/r/SteamBot/comments/2f6d61/does_steam_do_any_rate_limiting_based_on_ip/
We want to try running some of the bots on different IP addresses to see if this helps.
You are limited to one hundred thousand (100,000) calls to the Steam Web API per day. Valve may approve higher daily call limits if you adhere to these API Terms of Use. - Source
Have you tried asking nicely, before going around their back to try to circumvent security measures?
As far as I know, SteamBot does not use an API key for trading, so it's unlikely that we hit the limit just from loading inventories, etc.
In addition to this, support from Valve is generally non-existent, and it's unclear what their views are with regard to bots.
It's not using WebAPI for trading at all (besides trade offers), so your issue is not related to SteamKit directly.
@xPaw ... How is it not related? SteamBot uses SteamKit to authenticate the bot, and SteamKit cannot be configured to use a specific IP address. This has nothing to do with Web API keys.
You pointed to WebAPI in your initial report. Either way, you most likely can force the whole application to use a separate IP address.
All interactions with a trade session should already be done by SteamBot through HttpWebRequests or similar. Have you tried specifying the bind IP address there?
SteamBot uses WebAPI.GetInterface("ISteamUserAuth") (no API key required) in SteamWeb.Authenticate.
See http://www.reddit.com/r/SteamBot/comments/2kk3en/using_multiple_ip_addresses/
That's for login to web, not for trade interactions.
@VoiDeD I know, but the session is tied to the IP address (AFAIK), so if you authenticate using SteamKit with the default IP, and then you trade with another IP (using the same session), you get:
[x44 2014-10-28 11:35:00] WARN: Cookies are invalid. Need to re-authenticate.
Can you provide more evidence? I don't know what "cookies are invalid" means, and it sounds like you're basing your claims on the guesswork of SteamBot.
SteamBot calls UserWebLogOn() which calls SteamWeb.Authenticate() which uses WebAPI.GetInterface ("ISteamUserAuth"). This returns a sessionId that is passed to the TradeManager and used for trading.
Cookies are verified in Bot.CheckCookies(), and I believe that the sessionid and/or steamLogin cookie is invalidated by a change in IP address.
@scholtzm Am I wrong here?
The sessionid cookie is simply used as a CSRF token, have you tried simply requesting a new token for any subsequent requests on a new IP address? Additionally, you could very likely just provide whatever sessionid value you like, as long as the values in the cookie and the ajax request match.
This would all require modifications to SteamBot, however, as that project has made some poor assumptions on how steamcommunity web requests and such operate.
Since I have been mentioned, here's how SteamBot's cookie handling works right now:
sessionid, steamLogin and steamLoginSecure values and use these for any HTTP requests to steamcommunity.com in form of cookies (e.g. regular trading)
Set-Cookie header with deleted values
This system is based on logging the HTTP traffic. It works although it might not be the "correct" way to do it.
I think I'm going to close this issue unless there's some legitimate and pressing need to bind to a specific source address.
On the topic of the sessionid cookie, that's definitely only used as a CSRF token, and you can freely pass any values you like (as long as the cookie and request parameter match) so it's not tied to the local IP address of the client at all.
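The double-submit pattern described in the comments above, as an added example that is not part of the thread and is not Steam's, SteamKit's or SteamBot's code: a plain cookie/parameter match accepts any client-chosen value and takes no client address as input, while a variant that HMAC-binds the token to the authenticated login rejects it. All function names, the key and the login ids are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real service would load a managed secret.
SERVER_KEY = b"constructed-demo-key"


def naive_double_submit_ok(cookie_sessionid, param_sessionid):
    """Plain double-submit: accept whenever cookie and request parameter match."""
    if not cookie_sessionid or not param_sessionid:
        return False
    return hmac.compare_digest(cookie_sessionid.encode(), param_sessionid.encode())


def _mac(login_id, nonce):
    return hmac.new(SERVER_KEY, f"{login_id}|{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_bound_token(login_id):
    """Hardened variant: the token carries an HMAC over the authenticated login."""
    nonce = secrets.token_hex(12)
    return f"{nonce}.{_mac(login_id, nonce)}"


def bound_double_submit_ok(login_id, cookie_sessionid, param_sessionid):
    """Require a match AND a server-issued token for this login."""
    if not naive_double_submit_ok(cookie_sessionid, param_sessionid):
        return False
    nonce, sep, mac = cookie_sessionid.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(mac.encode(), _mac(login_id, nonce).encode())


def demo():
    chosen = "a" * 24                      # constructed, client-chosen value
    issued = issue_bound_token("user-1")   # constructed login id
    return {
        "naive_accepts_client_chosen": naive_double_submit_ok(chosen, chosen),
        "naive_rejects_mismatch": not naive_double_submit_ok(chosen, "b" * 24),
        "bound_rejects_client_chosen": not bound_double_submit_ok("user-1", chosen, chosen),
        "bound_accepts_issued": bound_double_submit_ok("user-1", issued, issued),
        "bound_rejects_other_login": not bound_double_submit_ok("user-2", issued, issued),
    }


if __name__ == "__main__":
    print(demo())
```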
We are using SteamBot and we'd like to try using multiple IP addresses, but SteamKit doesn't allow for this.
One example is the use of a WebClient in WebAPI.AsyncInterface. In order for this to work, we'd need to be able to pass an IPAddress to WebAPI.GetInterface(). AsyncInterface would then need to use an HttpWebRequest or a subclassed WebClient (see here).
Thoughts?