[iancarroll]

I believe the flow in the diagram is what Steam calls Session Tickets and is a bit more nuanced. The game client requests session tickets from Steam's server, then it provides the game server with a ticket proving they are a given Steam ID. The game server then has to go online to Steam's web API and verify it to ensure it has not been used multiple times or tampered with. It sounds like the CS2 client is not handling a delayed response for obtaining a session ticket.

The flow is detailed here[0]. The flow the article diagram suggests would be a bit concerning since an attacker could race a victim Steam ID to join a server, etc.

[0] https://partner.steamgames.com/doc/features/auth#3

[iforgotpassword]

Yes, it's most likely a session ticket which is not clearly expressed in the article, but the issue seems to be that the game sometimes gets interrupted before it will actually create a session ticket (or rather while waiting for the response from the slow steam servers), and then join the gameserver without having one.

[freudenjmp]

Thank you very much. Indeed this is the technically correct flow, which was not so important for the explanation of the issue. I understand I should have mentioned it though to make it more clear. Much appreciated!