How would I use the ROBLOSECURITY cookie to send request?

I’m trying to get the list of owners for a limited item using the Inventory API. The problem is, the “owner” key returns nil if viewed by a guest user. How do I properly pass in a cookie to complete this request?

1 Like

What’s the script you’re using currently that returns nil?

1 Like

I am not sure about this, but you need pass a header called cookie in RequestAsync

local cookie = ""

local response = HttpService:RequestAsync(
{
	Url = "http://roblox.com",
	Method = "GET",
	Headers = {
		["cookie"] = ".ROBLOSECURITY=" ..cookie
	},
})

print(response.Body)
1 Like

It appears sending the ROBLOSECURITY token in the value of the cookie header returns this error.

Header "cookie" has unallowed character "|" in value
1 Like

You can’t make requests to the Roblox domain using HttpService.

4 Likes

This is true, but you can easily bypass this using a proxy such as rproxy.xyz (although I wouldn’t pass a cooke through a public proxy).

Make sure that the .ROBLOSECURITY value you’re trying to send is exact, you also do not need the warning (inbetween and including the _| and |_) in the value.
also make sure the value isn’t being sent as .ROBLOSECURITY=.ROBLOSECURTY=(...)

4 Likes

Do not send your ROBLOSECURITY through a proxying service unless you yourself host it. I wouldn’t trust any free proxying service not to track requests, just as a general security best practice, even though I don’t necessarily think this specific one is malicious.

You do; that’s part of the cookie. The special characters like | need to be properly escaped, though.

4 Likes

To add onto what rogchamp was saying:

rprxy is open source. Even if it’s open source, you can’t really trust that their website is using the open source code or know what’s going on behind the scenes. However because it is open source you can use it to host your own proxy server. I’ve read through the source code and there’s nothing suspicious. Seems like a solid project.

3 Likes

yes, it may still be part of the cookie but Roblox’s webserver still ignores it anyways. I’ve tested this on a browser and application level, still authenticated with and without the warning.

2 Likes

My script is now working as intended after I removed the warning. Thanks for the help. :slight_smile:

1 Like