Minecraft Beta pre-1.8's lack of authentication: Difference between revisions
Latest revision as of 10:20, 9 February 2025
Minecraft is a video game made by Mojang Studios (owned by Microsoft and Xbox Game Studios since 2014). It was officially released on 18th September 2011, but development builds were publicly available since 17 May 2009.
Affected versions covered by this article range up to July 8, 2011.
Background
In version Beta 1.8, Mojang changed the endpoint used for authentication on Minecraft servers from "www.minecraft.net" to "session.minecraft.net". An unknown amount of time later, the original endpoint was shut down, breaking authentication support for several old Minecraft versions, despite no actual changes in the behaviour of the endpoint. The latter endpoint still works, despite being insecure (it supports HTTP requests, with the token passed in the URL parameters) - this means that the shutdown was likely not driven by a security concern.
The lack of authentication has caused several Minecraft servers to:
- lose part of their playerbase, because the game client (and server) must be modded to fix the authentication issue,
- become completely insecure by allowing non-premium Minecraft users to join (which, for example, opens the risk of botting the server or brute-forcing user login passwords),
- break the game's EULA by allowing non-premium Minecraft users to join their server.
Timeline
March 30th, 2014
A post titled "Cant connect to my beta 1.7.3 bukkit server" appeared on the bukkit.org forums. It seems to be the earliest mention of the issue, as a forum staff member (at the time) stated that "older MC versions (...) no longer authenticate properly with Mojang's servers".
September 10th, 2019
A user named "Rhys B" reported the lack of authentication support for older versions of Minecraft (affecting versions preceding Beta 1.8) on Mojang's bug reporting website, explaining the root cause of the issue.
October 25th, 2021
Mojang Studios left their first note on the issue, stating that they were "planning to work on this during the first quarter of 2022".
April 27th, 2022
The note was changed to state that they "will look into this during summer 2022", and a Mojang staff member (at the time) stated that "it has been pushed back slightly" (see the latest comment under the archived version of the website).
Current situation
The note states that they "will look into this during October-December 2022", but the issue remains unresolved to this day. It is hard to tell whether the latest note is real, as a moderator of Mojang's bug tracker has stated that the original author "added an official-looking notice without consent from bug tracker staff"; the previous notes are likely to be real (see April 27th, 2022 on the timeline).
It is currently the most watched and upvoted issue in the "Mojang Web Services" category, with almost 300 votes and nearly 180 viewers.
Scale of the issue
Nostalgia-related Minecraft servers, such as PuuCraft (6,000 players total, as stated on the website) and RetroMC (around 10 players daily), still exist and run on version Beta 1.7.3 of the game, which means they are unable to authenticate their players (whether they want to or not). Any sort of "nostalgia trip" with friends also requires server and client modifications to prevent bad actors from accessing the server (assuming the whitelist is enabled).
Community response
Securely fixing the game client
On November 2nd, 2021, a user named "craftycodie" made a pull request on Mojang's GitHub repository LegacyLauncher. LegacyLauncher is Mojang's way of running older versions of Minecraft in the modern launcher; it is capable of modifying the game's behaviour, fixing issues and incompatibilities that have appeared over time without having to re-release older versions of the game. The pull request fixes several issues, including authentication support. It uses Mojang's latest authentication methods (only in versions older than Beta 1.8 as of now, with a suggestion of improvement), which are far more secure than the approach that no longer works. Mojang has never accepted or responded to the pull request, despite it having 30 reactions, 28 approvals and 27 comments from the GitHub community.
Securely fixing the game server
Released on October 1st, 2020 by a user named "craftycodie", OnlineModeFix is one of the ways of fixing the authentication issue for Minecraft servers. Mojang doesn't need to patch this side, because it's easy for server owners to fix the authentication method themselves, but Mojang has not released any fixed server files or solutions to the problem.
Workarounds
While the core issue is caused by Mojang ignoring it, there are a few more or less secure ways of fixing the issue.
Client
Using an unofficial launcher
This is the easiest and broadest (and in some cases most secure) fix for the client side of the issue.
Some trusted open-source Minecraft launchers, such as Prism Launcher, have implemented craftycodie's pull request. You can use them to bring back authentication to the game.
Using a proxy
You can proxy all requests addressed to "http://www.minecraft.net/game/(...)" to "https://session.minecraft.net/game/(...)". Note that this is still less secure than the first method, unless you proxy the request to Mojang's latest authentication method.
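The host rewrite described above, as an added example that is not part of the original article or of any project it mentions: a loopback-only forward proxy that forwards only the legacy `/game/` URLs, upgrades them to HTTPS on the session host, and keeps the token out of its access log. The `joinserver.jsp` sample request, the `sessionId` parameter name and port 8080 are assumptions; how the client is pointed at the proxy is outside the example.

```python
import posixpath
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LEGACY_HOST = "www.minecraft.net"       # old endpoint host, from the article
SESSION_HOST = "session.minecraft.net"  # replacement host, from the article
SECRET_PARAMS = {"sessionid"}           # assumed name of the token parameter
# Constructed sample request; the parameter names and values are illustrative.
SAMPLE = ("http://www.minecraft.net/game/joinserver.jsp"
          "?user=Steve&sessionId=abc123&serverId=f00")


def rewrite_legacy_auth_url(url):
    """Map a legacy /game/ URL to the HTTPS session host; None if not allowed."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "http" or parts.username or parts.password:
        return None
    if (parts.hostname or "").lower() != LEGACY_HOST or port not in (None, 80):
        return None
    # Normalise first so "/game/../x" fails the prefix check; refuse
    # percent-encoding, which could hide dots or slashes from that check.
    path = posixpath.normpath(parts.path)
    if "%" in path or not path.startswith("/game/"):
        return None
    return urlunsplit(("https", SESSION_HOST, path, parts.query, ""))


def redact_for_log(url):
    """Mask the token value so it never lands in an access log."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "<unparseable>"
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


class LegacyAuthProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # A client using this as its HTTP proxy sends the absolute URL here.
        target = rewrite_legacy_auth_url(self.path)
        if target is None:
            self.send_error(403, "only the legacy auth URL is proxied")
            return
        try:
            with urllib.request.urlopen(target, timeout=10) as upstream:
                status, body = upstream.status, upstream.read()
        except OSError:
            self.send_error(502, "upstream request failed")
            return
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_request(self, code="-", size="-"):
        self.log_message('"%s" %s', redact_for_log(self.path), code)


if __name__ == "__main__":
    # Loopback only, so the proxy is not reachable from other machines.
    ThreadingHTTPServer(("127.0.0.1", 8080), LegacyAuthProxy).serve_forever()
```

Because every request that is not the legacy `/game/` URL is refused with 403, the listener cannot be used as a general-purpose open proxy even if it is accidentally exposed.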
Editing the game's source code
You can edit the game's source code to change the old request URL (see: Using a proxy). Note that Minecraft's source code is obfuscated and class/field/method names vary depending on the version of the game, so there is no strict guide on how to do it: you have to manually search for the URL and replace it, or patch it for an even more secure experience.
Server
Using open-source fixes
This is the easiest fix for the server side of the issue.
You can use OnlineModeFix to fix the issue, either as a plugin or as the launcher for the vanilla version of the server.
Other ways
For other ways to address the issue, see the client workarounds. Note that the full authentication link differs slightly between client and server.