Do not share POESESSID values with other people

December 16, 2022

Some third-party tools ask you to give them your Path of Exile website session cookie in order to function, without explaining the significant risks this exposes you to. This cookie value gives the recipient almost complete access to your Path of Exile account on the website, enabling them to perform almost any action, including viewing personal information, spending your points, or posting on the forums as you.

While sharing any login information with other people is specifically against Path of Exile’s terms of use, we haven’t yet proactively banned any users for sharing their POESESSID values. However, if your session is misused and someone does something bad on your account that results in a ban, then the intentional disclosure of your account credentials is only going to make the situation worse. Your account is valuable to you. Protect it and don’t give other people access.

Note that while you may trust the third-party tools you are using currently, there is nothing to stop someone updating them in the future to harvest credentials. If the third-party tools store your credentials locally, then they’re often stored insecurely and can be sniped by other programs you may also be running.

The secure way of granting tools access to your data is via OAuth. We support OAuth with all of our officially documented API endpoints and a large number of tools have already implemented this. We are continuing work to expand the resources available (such as the trade website) to third-party tool developers.

Edit: if you want to reset your POESESSID, just log out of the website and back in again. Any session cookies you gave out before will then be invalid.