A sustained spell should require multiples drain resistance checks?

We are playing a Shadowrun 5 campaign. When a mage cast a spell, it should roll a Drain resistance check. The GM is requiring multiple drain checks, one for each turn the mage sustain the spell (in case of sustained spells). But I don’t think that a spell requires multiples checks, just one right after casting the spell. What’s the correct rule?

Getting numerous HEAD requests by Java user agents to resources that require authentication to view within a web application. Should I block them?

I have recently started using Cloudflare’s firewall in front of a web application. This app has a limited user base of selected applicants and they must log in to view anything. There is no public registration form and nothing within the portal can be accessed without an account.

Since moving the DNS to Cloudflare I can see we are receiving numerous daily HEAD requests to paths that are only accessible within the portal.

These requests come from one of two groups of IP addresses from the United States (we are not a US-based company; our own hosting is based in AWS Ireland region and we’re pretty sure at least 99% of our users have never been US-based):

Java User Agents

  • User agent is Java/1.8.0_171 or some other minor update version.
  • The ASN is listed as Digital Ocean.
  • The IP addresses all seem to have had similar behaviour reported previously, almost all against WordPress sites. Note that we’re not using WordPress here.

Empty User Agent

  • No user agent string.
  • The ASN is listed as Amazon Web Services.
  • The IP addresses have very little reported activity and do not seem at all connected to the Java requests.

Other Notes

  • The resources being requested are dynamic URLs containing what are essentially order numbers. We generate new orders every day, and they are visible to everyone using the portal.
  • I was unable to find any of the URLs indexed by Google. They don’t seem to be publicly available anywhere. There is only one publicly accessible page of the site, which is indexed.
  • We have potentially identified one user who seems to have viewed all the pages that are showing up in the firewall logs (we know this because he shows up in our custom analytics for the web app itself). We have a working relationship with our users and we’re almost certain he’s not based in the US.

I am aware that a HEAD request in itself is nothing malicious and that browsers sometimes make HEAD requests. Does the Java user agent, or lack of a user agent in some cases, make this activity suspicious? I already block empty user agents and Java user agents through the firewall, although I think Cloudflare by default blocks Java as part of its browser integrity checks.


  1. Is there any reason why these might be legitimate requests that I shouldn’t block? The fact it’s a HEAD request from a Java user agent suggests no, right?

  2. One idea we had is that one of the users is sharing links to these internal URLs via some outside channel, to outsource work or something. Is it possible some kind of scraper or something has picked up these links and is spamming them now? As I say, I was unable to find them publicly indexed.

  3. Is it possible the user we think is connected has some sort of malware on their machine which is picking up their browser activity and then making those requests?

  4. Could the user have some sort of software that is completely innocent which would make Java based HEAD requests like this, based on their web browsing activity?

Any advice as to how I should continue this investigation? Or other thoughts about what these requests are?

Does “Claw at the Moon” require the character to make a normal attack roll in addition to the Jump check?

Claw at the Moon’s description states the following:

ToB p.86

As part of this maneuver, you attempt a Jump check to leap into the air and make a melee attack that targets your foe’s upper body, face, and neck. The Jump check’s DC is equal to your target’s AC. If this check succeeds, your attack deals an extra 2d6 points of damage. If this attack threatens a critical hit, you gain a +4 bonus on your roll to confirm the critical hit.

If your check fails, you can still attack, but you do not deal extra damage or gain a bonus on a roll to confirm a critical hit. The maneuver is still considered expended.

I have two interpretations of this maneuver’s effect:

  1. You get to make a Jump check and a normal attack roll, if the check fails, you only take into account the normal attack roll and don’t have any additional bonuses.
  2. You only make the Jump check to determine the attack roll (since the DC of the roll is the enemy’s AC, it would make sense), and only if you fail, you can make a normal attack roll and attack normally.

Logic dictates that the first interpretation is the correct one and that the second one is a tad overpowered, but I’ve been wrong before. Which interpretation is the correct one?

What are Game engines that don’t require GPU? [closed]

my computer isn’t really great and I was wondering if there are game engines that do support development on my laptop’s specs, while there not trash, most game engines require Gpu which I unfortunately don’t have.

I’ve seen libGDX and Monogame which are java and C# game engines respectively that does meet with my specs.

My development experience isn’t low as I have made a couple of simple games and an AI in python. And have low experience java and C# (sorting algos)

If any of you know any Game engines with the specs below I’ll be grateful, thanks!

My specs are : 1.8 GHz processor 8 GB ram 256 GB SSD No GPU

PS : it’ll be great if it’s runs C# or java as I have experience in them but any other languages will work, thanks

Thanks in advance!

Can the Clockwork Amulet be used for all actions that require an attack? (melee, ranged, spells, etc)

Can the Clockwork Amulet be used for all actions that require an attack? Can it be used for melee, ranged attacks, spells that cause damage, any monster attack?

Because for me it is not obvious, for example, (from the lore side) that the Mechanus will affect attacking spells that cause damage.

Does the spell Earth Tremor require loose stone?

The condition for the second effect of Earth Tremor reads (emphasis mine):

If the ground in that area is loose earth or stone

Loose earth is adequately explained in this question referencing the Mold Earth cantrip.

My question is: does “loose” apply to both earth and stone, or does Earth Tremor’s second effect work on non-loose stone, such as a solid stone floor?

Why doesn’t OIDC hybrid flow require nonce

The OIDC standard requires the nonce parameter in the authentication request when using the implicit flow:

nonce REQUIRED. String value used to associate a Client session with an ID Token, and to mitigate replay attacks.

However in the hybrid flow the nonce is not required. Yet the id_token is directly returned in the response and also susceptible to injection or replay.

Why is the nonce parameter not required in hybrid flow. What secures hybrid flow from injection or replay of id_token?