For the past 6 months or longer if you try to sign into thesixtyone.com it will just sit and be “pondering”, “debating”, “speculating”, “introspecting”, “dreaming”, “contemplating”.
For the longest time I was unable to use my account on my laptop, and the only time listening to thesixtyone counted towards my profile was at home on my desktop, and every time I ran across a new song I wanted to put onto a play list I would have to wait until I got home to do it.
I found out that if I copied the session cookie from my desktop onto my laptop that I could then use my account! : )
This is great if you are in the same situation as me if you are logged in at one location but not the other, but does this mean that everyone else who doesn’t have an account logged in is out of luck? I always feared that eventually my session would end, and I would forever loose my account at thesixtyone, because I would never be able to log back in to it.
I quickly figured out how valuable my session cookie was to me so I copied it over into text document and saved it to my dropbox, now whenever I have a new OS, computer, or device I can always get back into my account.
Luckily there a few things we can exploit to get this working for anyone, as I just found out about today.
As some people already know, you can still log into old.thesixtyone.com.
Off Topic: If you know of the history behind thesixtyone, all the devoted users were very angry about the new changes with thesixtyone, even though it looks nice and has images, one of the biggest issues was the lack of a social experience, and dumbing down of user profiles and overall UI.
You cannot simply log into old.thesixtyone.com and have thesixtyone.com work.
Instead we have to exploit session cookies.
Here’s the fix
Log into your account at old.thesixtyone.com this will generate a session id that we need.
In IE you can copy and paste this into the URL bar
This will grab your session id
With Chrome and IE if you used the address bar to paste the code in, you should now see your session id on a blank white screen. If you used the console it should have printed it out in the console window.
Copy your session id and put it somewhere you can retrieve for the next step.
Head over to thesixtyone.com
Using the same method as above to run code, use the code below to set your session id. You will need to change it where it says “YOUR SESSION ID” with the session id you got from Part 1.
Now you should be able to refresh your page and you will be logged into thesixtyone! : D
Why Does This Work?
Thesixtyone uses the same server environment and database for the old.thesixtyone and the normal thesixtyone. Some websites will do some sanity tests which prevent you from using a session id across multiple IP addresses, browsers, and often will only allow one session id per user. With thesixtyone you can have multiple sessions which means if you logged into your laptop you could still stay logged in at your desktop because each one has its own unique session id linked to your account. Luckily for us though we can use the same session id from old.thesixtyone and it will work on the normal sixtyone because they are within the same environment. Having the same session ID across multiple browsers, or devices is not normal, but in our case it works perfect for us.
Blah blah blah… going off topic here….
For example Blizzard amazingly was not very secure about their sessions, so hackers could “session hijack” people, using the same idea here. I believe now they check that the session is coming from the same IP Address, thank god; amazing that such a large high up company would let something like this fly. Many game authentication systems have also been binding accounts to machine hardware, which is very useful, such as how Steam will make you enter a 5 digit code that is emailed to you when trying to add a new computer to your account, so that even if someone gets your username and password to Steam it requires that you access your email account to grab the generated code. There are still very dedicated methods to obtaining or spoofing hardware IDs, but it makes it much more complicated and tedious which means less automation and less profit for a hacker, it would essentially require singling out a target and stalking them as prey, if you knew a person that well and had physical access to their PC you would have a much more solid and easier chance by just asking the person to use their account… lol