Dr. McKay

Yes, that seems to be correct.

No. That would defeat the purpose of the token.

Yes.

You need to call setCookies on the TradeOfferManager instance, not on the SteamCommunity instance. TradeOfferManager's setCookies also retrieves your account's API key.

You just need to call setCookies each time the webSession event is emitted. You don't need to create a new TradeOfferManager or SteamCommunity.

Use webLogOn() to get a new web session when that happens. It's a good idea to do that at least every hour or so as well.

You could use the IEconService/GetTradeOffer API method to fetch the trade offer details, which would include the user's SteamID. creator_id is the ID of the trade offer.

The sessionid cookie should indeed be universal. You can use whatever value you want.

That means it couldn't find any pending confirmations that map to an object (trade offer, market listing, or other) with that ID.

You'd need to figure out what requests the help site (help.steampowered.com) makes to change your email, and make those requests yourself using cookies obtained from steam-user or steam-session.

Probably not.

You'll be fine if you store this in your database.

That login route is outdated and doesn't work anymore. Logins are handled by steam-session these days.

If there's a request outstanding when you call logOff(), it has to wait for the request to timeout before the Node.js process can exit. There's a bunch of requests that get made internally when you first log on; you're better off waiting a second or so after loggedOn is emitted before calling logOff(). In the future I'll try to add a mechanism to cancel outstanding requests when we log off, but it's not quite as simple as it first sounds.

No, you'd have to register one using the web page at https://steamcommunity.com/dev/apikey or node-steamcommunity's createWebApiKey method. If you're calling methods that aren't account-specific (e.g. GetPlayerBans returns the same data for everyone, nothing is specific to your account) then you could register one API key and use it for everything, but I don't know if that meets your specific needs.

Not really. Some WebAPI methods allow you to use an access token (which is the same as a steamLoginSecure cookie without the SteamID prefix), but not all. GetPlayerBans is not an API method that accepts an access token, so you do need an API key for that.

Yeah, that looks fine. But ordinarily it shouldn't ever be possible for your SteamUser client to disconnect without you being aware of it, since the error event will be emitted.

So you're using steam-user? You can check if the steamID property is set to a non-null value, which will indicate that you're still logged in. But from the sound of things, you're running into expired cookies. Your web session cookies expire from time to time and need to be refreshed using steam-user's webLogOn() method.

It depends on how you're logging into Steam.

I've messed with this in the past and I think the status key is only paid any attention if you're actually authenticated in a game server.

I see. I can't give you an estimate as to when I'll be able to add this, if ever. You may want to maintain your own fork of steam-user or use SteamKit for this.

This isn't supported. Why do you want to connect to a specific CM?

There was a bug in 5.0.7 that made SteamUser automatically reconnect after you call logOff(). I suppose it's possible that this contributed to your issue. You might have a bunch of zombie processes running in your stateless environment. I don't know your environment, but see if there's some way to kill everything.

Thanks for the info, fixed in 5.0.8.