Erm... Kinda. So you just run everything in a single session and you'll get there. http://pastebin.com/AAQab930 Problem with this is that if request originates not from localhost - microsoft adds additional protection (I guess captcha or smth) and then instead of redirecting you back to bungie it gives you another form so essentially it just doesn't work.

SO I read over your code, took a hiatus and then came back to it today. I have a couple questions if you do not mind? 1. Can you also paste this function into your pastebin? (line 31) get_platform_username(session, member_type) 2. "re" is not defined (line 17) What did you use this for? requests? re.findall(exp_urlpost, response.content.decode())[0] 3. Settings is not defined either (line 22). What is this really referencing? If it is just a way to grab and API key that is easy to deal with. settings.HEADERS["X-API-Key"]

1. http://pastebin.com/eC5i8881 2. [quote]import re[/quote] it's regular expressions 3. yeah, it's the api key bungie give you when you register as developer it's still better not to build this kind of login, i.e. Sony just banned us by IP and we couldn't get XBox working as they have geo protection and they change the form when it doesn't pass the test. I'm developing one that won't require users to input any data at all and will just grab necessary cookies from bungie via browser extension, will share the results once I'm done (or give up).

1) cool 2) I'm a dork... duh. 3) got one... just wanted to make sure there was not more to the headers than that. Sorry they banned you, and f you are geo blocked - that sucks, have you thought about a shell account in the us to use as a socks proxy for the app? For my needs, this [when it's done] only logs in once a day and grabs some private advisor endpoints that are generic for all characters. Currently there is no login and all data is from public endpoints. If you PM me, I can share a bit more as this is clan only with few exceptions.

for XBox it's like if you try to login from country (maybe city or state too) other than the one you usually login from, they add captcha to form or smth and as we're not using API, but just pushing stuff inside requests, there's not much we can do about that - that is, gotta send requests through local proxy, not really sure how to setup that, but sounds like a lot of pain. and Sony guys reached out as too many login requests came from the same IP (that is, our server IP), they thought we're trying to hack them or smth (which is also possible as we didn't build any cooldown yet). that's understandable and switching to a method that would eliminate some hacks was necessary anyway, too much stuff out of control here.