How to get Steam web session cookie programatically

I’m currently trying to make a steam web api (the unofficial one which is partially documented here: wrapper.
Like with every other unofficial api you have to get a sessionID to get access to certain api calls (for example selling items etc)

When actually implementing a login system tho there was nearly no documentation (also because steam just updated their login system with the new mobile app)

I analyzed the http traffic with a tool similar to burp suite. The website uses their own (official) api ( but kinda doesnt use the official methods?

(Instead of passing the params in the url it uses protobuf)

Content-Disposition: form-data; name="input_protobuf_encoded"


If you wanted to make the same request according to documentations (here:

You would have to do something like this


I think the params are the same tho? So yeah as you can see everything is kind of a mess. Anyways I never worked with protobuf so i just went with the documented methods instead of the one the websites uses (they arent really documented tho because no documentation actually tells you how to continue after doing BeginAuthSessionViaCredentials)

For some reason steam makes their users encrypt the password via rsa. Also they give me the key in hex and string binary ("1010101") and want to recieve it in base64? I cant really find the correct way to do it so yeah.

From what i understand you have to do

then you get something like this:


As i said i think the publickey_mod is hexadecimal (quite obvious) and the publickey_exp is binary because the binary -> decimal of 010001 is 17 which is commonly used for rsa because it has few 1s in binary repr (which makes rsa faster). It was actually hexadecimal which is 65537.

I use python rsa module and create the publickey like this in case that is my problem:

public_key = rsa.PublicKey(int(rsa_request["publickey_mod"], 16), int(rsa_request["publickey_exp"], 2))

then i rsa encrypt my password:

encrypted_pass = b64encode(rsa.encrypt(self.__login_data.password.encode("utf-8"), public_key)).decode("utf-8")

According to steam docs you are then supposed to use that encrypted password with

Which I did and i get something like this back

{'client_id': '163REDACTED397', 'request_id': 'mREDACTEDWQ==', 'interval': 5}

which doesnt look like the request failed until you try it again with a wrong password and get the exactly same result.

Here is the helpfull stuff i found: (I believe this is up-to-date but I’ve never used TypeScript and really dont understand the code.)
And also if you need a testing account with 2fa disabled use this one i just made it for testing:

Username: SOLVED
Password: SOLVED

Thanks for reading <3

>Solution :

I suspect the exponent is actually in hex. 65537 is a much more common exponent than 17.

Leave a Reply