return to table of content

A decade-old Steam bug

WirelessGigabit
4 replies
1d12h

I feel that drawing weapons has gotten slower in CS2. I wish they dropped the 'pull back on the charging handle' every time you draw the gun. (and I miss my custom sprays from CS: Source).

But apart from that, even though I've played CS since 1.4 I have never ever had the bug mentioned above.

M3L0NM4N
2 replies
1d12h

If we’re nitpicking the gunplay (which I am perfectly okay with doing), how about adding in the fact that reloading with one in the chamber doesn’t give you a +1 round either? It’s like the concept of a chamber is completely ignored.

jakogut
1 replies
1d12h

Try Insurgency: Sandstorm. It's a completely different style of gameplay, but in addition to properly simulating a chamber, it also properly simulates magazines. Reloading retains a used magazine rather than dumping the ammo back into a fungible pool. Double tapping the reload key allows for dropping the mag for a slightly faster reload. Once you've cycled through your supply of fresh mags, loading a used mag leaves you with the same number of rounds as when you discarded it.

M3L0NM4N
0 replies
1d9h

Ah, I do play Squad and it is a similar system, as far as I know it’s only missing the double tap to drop the mag.

j5155
0 replies
1d12h

If I understand the blog post correctly, this bug only happens when you play CS2 during Washington nighttime.

mjevans
3 replies
1d12h

The real bug is that finalizing authentication isn't a hard requirement for beginning (non LAN) multiplayer.

BHSPitMonkey
2 replies
1d8h

Or that the session ticket verification flow needs connectivity between the game server and Valve's (apparently very slow at times) auth server.

Presumably a faster and more robust solution would be for the Steam client to obtain (and hang onto) a signed token (from Valve) with a lifetime of a few hours, and whenever you connect to a game server that token is sent over where it can be validated locally against a public cert issued by Valve (that comes distributed with the game server contents).

charcircuit
1 replies
1d7h

The problem with that approach is that a malicous server can replay tokens to impersonate players on another server.

GranPC
0 replies
1d3h

This exact thing happened about a decade ago, when someone released a tool called Serenity that allowed you to spoof your SteamID using recorded tickets. It was especially chaotic for the Garry's Mod community, since most servers have admin tools gated behind SteamID checks.

yreg
2 replies
1d11h

I'd love to get feedback

You start the article with a tl;dr for people who came from google searching for a solution for the issue. How considerate!

But then you proceed to tell them what not to do and hide the actionable advice in a single sentence within a kilometer long article :)

My suggestion would be to add the workaround to the tl;dr.

idbehold
0 replies
1d6h

Seriously, it's like a cruel joke. TL;DR - don't do this, instead read the entire article!

Dalewyn
0 replies
1d11h

a kilometer long article

About 25 Page Downs in computational units, or CTRL+F in freedom units.

LimeLimestone
2 replies
1d1h

I wish Valve improved their Steam app on macOS. On my MacBook with M1 Pro and 32GB of RAM it doesn't feel smooth. It runs like a poorly optimized Electron app.

rgovostes
0 replies
23h29m

Not sure how Steam is developed but it is basically the OG Electron app. They’ve been bundling the entirety Chromium since they launched on macOS in 2010, predating actual Electron by at least 3 years.

pas
0 replies
1d1h

it does so on windows 11 with a brand new Radeon 7000whatever and 32G RAM and SSD and ... you know, hardware, that they know about, due to the hardware survey they conduct yearly.

I have no idea how they even develop it. Are they all sedated?

Maybe it's just one more of the unforseen consequences of Valve time.

iancarroll
1 replies
1d11h

I believe the flow in the diagram is what Steam calls Session Tickets and is a bit more nuanced. The game client requests session tickets from Steam's server, then it provides the game server with a ticket proving they are a given Steam ID. The game server then has to go online to Steam's web API and verify it to ensure it has not been used multiple times or tampered with. It sounds like the CS2 client is not handling a delayed response for obtaining a session ticket.

The flow is detailed here[0]. The flow the article diagram suggests would be a bit concerning since an attacker could race a victim Steam ID to join a server, etc.

[0] https://partner.steamgames.com/doc/features/auth#3

iforgotpassword
0 replies
1d8h

Yes, it's most likely a session ticket which is not clearly expressed in the article, but the issue seems to be that the game sometimes gets interrupted before it will actually create a session ticket (or rather while waiting for the response from the slow steam servers), and then join the gameserver without having one.

dt3ft
1 replies
1d5h

Back in the day, I wrote a tool which used to display server list with active players and their scores so you could hop on a server when you see a friend is on. This was before steam existed (no such feature was available at the time).

While writing this tool, I sent a bad packet to a server I was testing with, and the server went down. I still have the source code (wrote it in delphi), I wonder if this thing can still crash servers, given that decade-old bugs exist :D

itsTyrion
0 replies
1d2h

Can you try? :D

wokwokwok
0 replies
1d11h

Great write up!

My only comment here is that the trail in the article and the conclusion don't quite make sense (well, they do, but you've kind of glossed over it slightly):

The way Counter-Strike is started: the blame factor is 90%

But also:

We could confirm that players world wide are facing the issue outside of Esportal and thought it indeed is caused by some maintenance in the middle of the night in Washington.

Those can't both be true.

If the blame is 90% about the way counter strike is started, then the issue wouldn't be distributed over the maint window.

Rather, it seems like this is the key part that should be highlighted in the summary:

So the last thing that happens before the game loop is started is that the Steam ID validation is initiated.

When the initialization of levelload is incomplete (speak: CS2 has not been fully loaded/initialized), the Steam3 validation is never initiated because it is the last thing that loop wants to do.

Which is to say, that when the `steam3` server is as slow as balls during a maint window, it makes this take longer, which means you're more likely to interrupt the loop by starting a game.

So when you say:

The way Counter-Strike is started: the blame factor is 90%

It's true.... but maybe it's also true to say:

State of the moon: blame factor is 3% <--- isn't quite right, since this is basically the maint window?

Maybe the advice should also be: 'and give is an extra couple of minutes during 13-17 PM CET, because Value does maint in that window'

...if I understood that correctly. :)

Either way, this has happened to me, but this 'just wait a while and let it finish loading' solution is by far the most useful sensible advice about it I've ever heard. Fantastic stuff.

timeimp
0 replies
1d12h

This was a fantastic write-up!

Loops are hard and its even more amusing how optimistic CS2.exe runs when you supply the server to connect to.

sssilver
0 replies
1d11h

What a treat to read

rkunde
0 replies
1d11h

Great write up, but it left me with a few questions:

* Is levelloadloop only executed when the game launches, not when joining a server and loading the map? * If the issues is that the loop is shut down before the steam auth process is started, why would the maintenance-related slowness matter?

renewiltord
0 replies
1d13h

Very detailed writeup. Nice work, man! Great read. It's been half a decade since I used to play CS:Go but this was a fun read!

ptrrrrrrppr
0 replies
1d6h

really enjoyed this writeup, love the style

pityJuke
0 replies
1d7h

This program covers the Steam platform and current games developed and published by Valve. Please review the reward tables and scope descriptions below. [...] > Effective 6/14/2023 10 AM PDT, CS:GO is out-of-scope for new reports. Reports for CS2 Limited Test are currently out-of-scope.

Valve suck at security, sure, but with the reading of the wider HOne description, I'd peronally read it as in scope. They haven't updated the "Scope" tab to exclude "csgo.exe", so clearly that isn't reliable.

(That being said: please Valve, update the damn thing.)

korhojoa
0 replies
1d10h

This was a great read. I wonder if the reason for the game client surprise crashing could be investigated the same way? Do the executable integrity checks run during runtime? What if one of those fails while it’s running, do you get a different disconnection message?

I feel like this should be rewarded in the same way as the GTA V takes forever to load-writeup. https://nee.lv/2021/02/28/How-I-cut-GTA-Online-loading-times...

gortok
0 replies
1d4h

In some paragraphs you put “a hat on a hat”. That is, you pile on the snark on top of an already meme-y paragraph and it feels like “too much” of something that works better subtly.

As others have stated, get to the point sooner.

coding123
0 replies
1d2h

STOP, DO NOT DO THIS

Of course Google will shorten this article and provide that list...

asynchronous
0 replies
1d13h

Great write up, amazingly thorough and interesting to read. We will watch your career with great interest

Von_Eagle
0 replies
1d11h

It sounds like the solution is to keep the game open for awhile before going into multiplayer? You say "until you see the game console or wait 5-10 seconds after you saw the intro video." How long is that specifically?

I don't play CS:GO but I've seen the "No user logon" error when playing other games online, specifically Portal 2 and It Takes Two.

I'd love to get feedback

Please put the solution in the tl;dr. The write-up is interesting for some folk, including many on HN (and myself) but the average person looking up this error could not care less about the intricacies of the code or network calls that cause the error, they just want to fix it.

(added in edit) The "You can skip to No user logon if you don’t care about the history." link that doesn't jump to the answer would be extra frustrating for someone who is just looking for the solution. From a pc there is a table of contents and the fact that there is a "Solution" section is great, but a phone user does not see that.