One of the PCs is too much powerful, how can I handle it? [4th tier one-shot session]

I’m going to run a 4th Tier One-Shot very soon, I have told all my players to build a 20th level character. One player built a powerful artificer (armorer subclass) that outshines every other PC, I will provide his saves, AC and so on:


  • Strength: +13
  • Dexterity: +7
  • Constitution: +17
  • Intellogence: +19
  • Wisdom: +16
  • Charisma: +6

AC: 26

HP: 183

Temporary HP: 20

Spell DC save: 20

Spell attack bonus: +12

I am perplexed and, to be frank, a little frightened by those saves, the AC too. I have also double checked his character sheet and nothing is wrong or miscalculated.

Should I nerf this build? If Yes, how?

I did not know well this class, I think I made an error allowing it, didn’t I?

How would you balance this situation?

PS: I’d like to specify that I am NOT a long experienced DM, I have run other epic level one-shots before and those went fine, but I clearly lack of experience.

PPS: if necessary I’ll post the complete character sheet.

Session Management Verification Requirements from ASVS 3.0.1 and SOAP web services

I am working on a new project with a team of developers. The SOPA web services will be the main channel to publish the services.
I’d like to make secure those services from the begging and give the developers the guidelines on how to securely develop. I’d like to assign requirements from chapter “Session management verification” of OWASP ASVS 3.0.1 for SOAP web services. But those requirements are specialized for the Web application. So could you advise me which one of them are adequate for SOAP?

How to deal with tension created between characters after role-play session?

I am the DM for a long running game, we are going on 2 years, and while there was a rough start and a few changed characters, we have been in a good place. There was a Tiefling Barbarian (original), Dragonborn Paladin, and Human Fighter/Warlock. About 2 months ago, we added a Dragonborn Wizard to the party, and it has been a welcome addition thusfar. Tonight we had a relatively long roleplay section, first a meeting with a prominent NPC who has been around for a while, and then the characters discussed stories and backstories around dinner in a tavern. During this roleplay session, the wizard, fully within his character, used suggestion to entice backstory from the Tiefling (who has given basically nothing up until this point). This has created tension within the party (in game only), and has the potential to completely derail the campaign. I want to respect player agency, and I trust the players to not blow this out of proportion, but I also don’t want to throw away an entire main quest due to this. I am conflicted, and thus am requesting some differing views on the matter. Thanks in advance. Please feel free to request any information, I am happy to help.

Is it safe to save a user’s email into php session variable for later use?

I’m in the process of creating a password reset functionality for my project. I currently have my website send a password reset link to the user’s email if they request it and validates the link properly when clicked (checks for selector and validator tokens and not expired) before displaying the form to create a new password. The problem I’m having is finding a way to updating the correct user’s password in the database once they submit the new password. One method I have thought of to achieving this, is to get the email associated with the matched selector and validator tokens in my password reset database table and storing it into a session variable so it can be accessed by another php file to update that user’s password in my users database table. I’m wondering if this approach has any security risks to the user or is it a valid method?

Firefox: What would be more secure/private: storing session cookies or saving password in the browser?

I am wondering, assuming the latest version of Firefox, which of the following options would be more preferable security-wise (e.g. assess and/or password to user account will be stolen) and which one privacy-wise (exposing user to the least advertisement tracking etc.):

  1. Storing session cookies (i.e. logging in and never logging out), but not saving password & username in browser built-in Password Manager.
  2. Saving password & username in built-in Password Manager (without Master Password) and setting cookies and site data to be cleared when browser is closed.

P.S.: I am aware that using Master Password for password storage will increase security of the stored passwords. Though I am not wondering how to improve given options, but would like to asses them “as is”.

Is it safe to create a session from an auth token?

My server is using Django Rest Framework. My mobile app logs in using token authentication. However, I also have a webview in the mobile app where I need to log in. I can’t inject the auth token on every request in the webview, so I use the auth token for authenticating this endpoint and then create a session from it. This is the code:

class CreateSessionView(APIView):     authentication_classes = [TokenAuthentication]     permission_classes = (permissions.IsAuthenticated,)     throttle_classes = [ScopedRateThrottle]     throttle_scope = 'auth_token_verify'      def get(self, request, format=None):         login(request, request.user, backend='django.contrib.auth.backends.ModelBackend')         return redirect(reverse('home')) 

My questions are:

  1. Is there a vulnerability here? If so, how can I secure it?

  2. Do I need CSRF?

Saving Python session data to a file

I’m doing a dockerized tool which logs in to a website for N users and performs N actions. The tool is coded using Python. If there are multiple users, the sign in takes time. However there are some websites which have a longer session expiry. In those cases,

s = requests.session() 

Is it okay from a security perspective to save the session data in a file so that I can perform the actions straight away? Also I’ll check whether the session is invalidated or not everytime I get the data from the file. If not, what’s the best way to solve this problem?

Hreflang and canonical problem on session parameters

We have a oxid onlineshop with different domains/subdomains depending on currency and language.

Now we have a problem with hreflang tags, because of parameters

1) the session of the basket between domains is set by ?force_sid=(random string for session id)

2) for different views in categories like ?ldtype=grid&_artperpage=100&pgNr=0&cl=alist&searchparam=&cnid=3ae4a2e1dd7501139.35363255

if the url is accessed without the parameters then the canonical and hreflang tags are correct.

If the parameters are set then the canonical and hreflang tags are wrong.

What are the correct tags for example: ?

We have:

<link rel="canonical" href=""> <link rel="alternate" hreflang="x-default" href=""> <link rel="alternate" hreflang="de" href=""> <link rel="alternate" hreflang="de-CH" href=""> <link rel="alternate" hreflang="fr-CH" href=""> <link rel="alternate" hreflang="de-AT" href=""> <link rel="alternate" hreflang="fr" href=""> <link rel="alternate" hreflang="en" href=""> <link rel="alternate" hreflang="es" href=""> 

How is it possible for people to reverse a GoToAssist session? [duplicate]

I am puzzled by how people on Youtube bait scammers into connecting to their machines and end up “reversing” the connection on them. Essentially controlling the scammer’s PC.

Is this done via reverse shells ? Or do you get them to open up a malicious application, ie do you have to use a dropper ?

I want to know how is this possible.

Failed SSL Handshake due to IP change and session resumption

Is using the source IP address in generating the session ID by servers common? I’ve seen this behavior with a banking website. You visit the website with IP, SSL session is generated and used by the browser for SSL session resumption. Now if your IP changes to, and if you just refresh the page, the browser will error out. Firefox will complain about BAD_RECORD_MAC, chrome will just say ssl error. I still don’t understand exactly why this happens, because according to the RFC if the session is not recognized a full handshake should be initiated but here everything just fails.

Using firefox with ssl session identifiers disabled doesn’t have this problem which is why I think the server is using the source IP to create the session.