Uploaded image for project: 'Minecraft: Java Edition'
  1. Minecraft: Java Edition
  2. MC-200782

Old Authentication URL in client JARs does not exist anymore

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Resolution: Duplicate
    • Affects Version/s: 1.16.3
    • Fix Version/s: None
    • Labels:
      None
    • Confirmation Status:
      Unconfirmed
    • Category:
      (Unassigned)

      Description

      This does NOT affect release 1.16.3 - it affects all versions pre-release 1.0
      I'm unable to open a bug report for any version other than 1.16.3 or 1.17 for some reason.

      All versions pre-release 1.0 are unable to login to servers properly forcing all server owners to run the servers in offline-mode. Server owners are able to fix this issue by updating the JAR files with the proper authentication URL, but that fixes only half the problem since client jars must also be updated. 

       

      Auth URLs in the client JAR files should be updated to:

      https://sessions.minecraft.net/game/joinserver.jsp?user={USERNAME}&sessionId={TOKEN}&serverId={SERVER ID}
      

      instead of:

      http://minecraft.net/game/joinserver.jsp?user={USERNAME}&sessionId=TOKEN}&serverId={SERVER ID}
      

      The above would fix the client-side issue and validate that a user has joined the server. Server JARs can be edited by server owners or a local DNS + proxy system can be setup instead to fix the server-side issue, but a fix would require either forwarding or editing the URLs from

      http://minecraft.net/game/checkserver.jsp?user={USERNAME}&serverId={SERVER ID}
      

      to:

      https://sessions.minecraft.net/game/checkserver.jsp?user={USERNAME}&serverId={SERVER ID}
      

      This would allow for proper session-checking and prevent server owners from running in offline mode which allows cracked players to join without any form of authentication. There exists a rather large community of servers and players still on many older beta versions, most commonly Beta 1.7.3, which suffer from this issue. Instead, they're forced to use a 3rd party in-game authentication and handle credentials which is a security issue not to mention pirated (cracked) players could still join anyways.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              DoubleCheck DoubleCheck
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: