User blog:Dragonjet/DMM Cookies: August 2015

Many of you will know by now about the cookie problem on DMM. You might be experiencing it yourself, which is why you're reading this. If not, read on if you want to know what could have happened and what it means for all of us.

Do note that I will not be discussing the fix here; we already have workarounds on the Proxy article and on Nanamin's blog post.

How do cookies actually work on DMM?
To make it easier to understand for everybody, let's visualize. Think of cookies as a physical ID (identification card). It is given to you when you first visit DMM and choose your language. You will use this ID on various "doors" later on so your browser keeps it for you.

If you use the same ID given to you at the front gates, you will normally not be able to enter lots of doors on the DMM website. This includes doors to netgames, the reason why you're here. This is why we'll need to "re-write" or "forge" your ID card. We will change it to something acceptable to the doors we want to enter.

This is where the devtools and consoles come in. Copying the 4-line "cookie code" and pasting it into your console will re-write your ID.

So next time you visit the doors to online games like Kantai Collection, you present your newly "forged" ID card, and you are now allowed to enter.

So why am I not allowed on these doors anymore even if I forged the ID?
If you've read the previous section, you'll know that "ID cards" are the cookies, and the "doors" are the different pages on the DMM website.

Unfortunately, SOME of these doors do not give access via ID cards anymore. They will actually look at you and see if you're a gaijin (not literally though, we're still visualizing, remember). "How you look" here refers to where you're from, based on your IP address.

For these pages, ID cards (cookies) mean nothing. These strict pages will actually even RE-ISSUE you a new ID card! Re-issue means your forged ID is gone, overwritten again. Thus it again prevents you from accessing the other doors! Pages that you had access to earlier are revoked if you refresh.

You said only "some" doors are strict, which are they?
True, not all pages are strict.

There are pages you can still access just by presenting the "forged" ID/cookies. Non-strict pages FORTUNATELY include the gameplay pages, the ones you visit to play the game and take API links from. Other non-strict pages include the netgame home, add friends, request list, etc.

On the other hand, strict pages include game introduction pages (the ones that usually have large banners and buttons), netgame community pages, netgame inbox, etc. KCV users experience this since their default home page is the game introduction page for kancolle.

So there's no chance we'll see strict pages again?
You can still see them though, just use a VPN.

''' Ah no I mean access strict pages without VPN... '''

Not that I can see. If you have an idea, feel free to comment down below, and if someone's interested enough, explore workaround options with them. I will not be joining you though, I'm getting too old for this.

So are our problems over?
NO! What if this is just [Part 1] of the total rollout of the "strict-ness" in all pages? What if they convert all DMM pages, including our gameplay pages? What if even going directly to the play page links will not honor your cookies and show you "Error Area"? What if they do server-side checks all the time?

This is becoming Ancient Aliens, full of questions, but WHAT IF? Will a VPN again be required for all of us?

''' Nooo! Is that even possible? '''

You know dmm.co.jp, the DMM Japanese site? They have had these mechanisms all along, and cookies do not work on it. If you don't know dmm.co.jp, it is better known to players as where the R-18 counterparts of our games reside. Yes, you read it right, R-18 counterparts, including KanColle, which might start another Great Flood of nosebleed.

''' So how is the Japanese site involved? '''

Well, since playing on dmm.co.jp is already restricted and cookies do not work there, it means they can already do it and might be able to implement it even on the .com English site. If they do it, it will be the end of the cookie method and everyone will resort back to proxies and VPN.

''' But DJ, cookies work on .co.jp for me! '''

gtfo. yes we do have reports that it works for other people but I don't know how they do it, nor do I have the interest to try and test or fix it.

Is there a possibility they won't restrict the English site 100%?

Well, I doubt they would 100% restrict DMM.com, because it's their English site. It is understood that .CO.JP has server-side checking and does not honor cookies. Well, it is the "Japanese" site so it's normal to enforce being Japanese. I don't want to talk about this really, it becomes philosophical, but let us not close our minds to the possibility that these server-side checks might also be implemented on the .COM English site.

''' DJ, You tricked me! '''

wat? oh about that kancolle R-18 counterpart? did you really check the .co.jp site for it? oh sorry, toplel. Only select games have R-18 counterparts.

DJ, your argument is invalid
That may be so. I based all of these findings on a single cookie (domain=.dmm.com;path=/netgame/), not testing all four of them. So everything that I said here might have been wrong. Tell me if it is. I'm too lazy to test all other cookies though.

DJ, I can take it, blast me with technical terms
Well for the first part on how cookies work on DMM, please check the Proxy article, I wrote the "How it works" section myself, and even have a diagram for it.

Lazy to visit the link? Let me copy paste some reminders on the technicals of cookies:
 * 1) When you visit the DMM website, the server response will include limited-access cookies (ckcy=2)
 * 2) You use the devtools console to overwrite those cookies on your computer (ckcy=1)
 * 3) Revisit DMM, your browser includes the NEW cookies on the HTTP request
 * 4) DMM checks the cookies on your HTTP request (ckcy=1), acknowledges them
 * 5) DMM returns you the page on its HTTP response

That's how cookies worked... before...

How does it work now?
Steps 1-3 above still apply; the change is at #4. Now DMM does not check cookies on your HTTP request.
 * 1) same
 * 2) same
 * 3) same
 * 4) Does not check cookies, instead it tries to determine where you are
 * 5) If you're outside of Japan, it will re-issue new cookies on the HTTP response, and include a "redirect" instruction
 * 6) When your browser receives the response, it will accept the new cookies the server sent and revert to (ckcy=2). Then the browser will follow the redirect header and show you Error Area
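
An added example (not code from the original post or from DMM) that models the two server behaviours listed above in Python, to show why a client-editable cookie stops mattering once the check moves server-side. The GeoIP table, the `/error-area` path and the function names are assumptions; only `ckcy`, its two values and the cookie's domain and path come from the post.

```python
from http.cookies import SimpleCookie

# Constructed stand-in for a GeoIP database (documentation-range addresses).
GEO = {"203.0.113.10": "JP", "198.51.100.7": "US"}
ERROR_AREA = "/error-area"  # placeholder path; the post only names "Error Area"


def read_ckcy(cookie_header):
    """Return the ckcy value from a Cookie request header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar["ckcy"].value if "ckcy" in jar else None


def lenient_page(cookie_header, client_ip):
    """Old step 4: the decision rests only on a client-supplied cookie."""
    if read_ckcy(cookie_header) == "1":
        return 200, {}
    return 302, {"Location": ERROR_AREA}


def strict_page(cookie_header, client_ip):
    """New steps 4-5: ignore the cookie, decide from the connection's IP."""
    if GEO.get(client_ip) == "JP":
        return 200, {}
    # Re-issue the limited cookie and redirect, whatever the request claimed.
    # An address missing from the table is treated as outside Japan.
    return 302, {
        "Set-Cookie": "ckcy=2; Domain=.dmm.com; Path=/netgame/",
        "Location": ERROR_AREA,
    }


def browser_apply(cookie_header, headers):
    """Step 6: the browser stores the re-issued cookie over its own copy."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "Set-Cookie" in headers:
        jar.load(headers["Set-Cookie"])
    return "; ".join(f"{k}={m.value}" for k, m in jar.items())


if __name__ == "__main__":
    edited = "ckcy=1"  # cookie value after the client-side overwrite in step 2
    for page in (lenient_page, strict_page):
        status, headers = page(edited, "198.51.100.7")
        print(page.__name__, status, browser_apply(edited, headers))
```

The lenient page answers 200 and leaves the cookie alone, while the strict page answers 302 and the browser's stored value ends up back at `ckcy=2`.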

So why is it I can still play?
srsly? Are we going back to this? read the first part. We already talked about that not all pages have this mechanism.