Basically, the .ROBLOSECURITY cookie is used to store user sessions; without it you’d be logged out whenever you switched pages or refreshed the page. But prior to these changes, if someone managed to grab your .ROBLOSECURITY cookie, they could log into your account automatically, bypassing each and every account protection (passwords and 2FA).
This update will associate that particular cookie with the device you’re on. This would in theory reduce instances of unauthorized access to users’ accounts, as when the bad actor attempts to use said cookie, it won’t work since the device they’re using it on isn’t the same as the one the cookie is associated with.
If there’s something else that you are confused about, I could try and give my interpretation of that as well.
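Roblox has not published how the cookie is tied to a device, so the following is an added illustrative example, not Roblox's code and not a description of their implementation. It shows one common design for device-bound sessions: at enrollment the client receives a per-device key that is stored outside the cookie jar and never sent over the wire; every request must carry an HMAC proof computed with that key over the cookie, the path and a timestamp. A cookie copied off the victim's machine is then useless on its own, whatever IP address it is replayed from. All names (`SessionServer`, `Client`, `compute_proof`), the 60-second replay window and the sample path are assumptions for the demo.

```python
"""Illustrative device-bound session check (added example, not Roblox's code)."""
import hashlib
import hmac
import secrets
import time

REPLAY_WINDOW_SECONDS = 60  # assumed tolerance for request timestamps


class SessionServer:
    """Server side: a session cookie is honoured only when the request also
    carries a proof made with a per-device key that never travels in the cookie."""

    def __init__(self):
        self._device_keys = {}  # device_id -> device key (server copy)
        self._sessions = {}     # cookie value -> {"user": ..., "device_id": ...}

    def enroll_device(self):
        """Issue a device id and key on first use; the client keeps the key
        outside the cookie jar (e.g. an OS keychain). Returns (device_id, key)."""
        device_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._device_keys[device_id] = key
        return device_id, key

    def login(self, user, device_id):
        """Create a session cookie bound to the enrolling device."""
        if device_id not in self._device_keys:
            raise ValueError("unknown device")
        cookie = secrets.token_urlsafe(32)  # stands in for .ROBLOSECURITY
        self._sessions[cookie] = {"user": user, "device_id": device_id}
        return cookie

    def authenticate(self, cookie, device_id, path, ts, proof, now=None):
        """Return the user if the cookie is valid AND the proof matches the
        device the session was bound to; otherwise return None."""
        now = time.time() if now is None else now
        session = self._sessions.get(cookie)
        if session is None or session["device_id"] != device_id:
            return None  # unknown cookie, or cookie presented from another device
        if abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return None  # captured request replayed too late
        expected = compute_proof(self._device_keys[device_id], cookie, path, ts)
        if not hmac.compare_digest(expected, proof):
            return None  # caller does not hold the bound device's key
        return session["user"]


def compute_proof(device_key, cookie, path, ts):
    """HMAC-SHA256 over cookie, path and timestamp, keyed with the device key."""
    msg = f"{cookie}|{path}|{int(ts)}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class Client:
    """Client side: holds the cookie and the device key separately."""

    def __init__(self, server):
        self.server = server
        self.device_id, self.device_key = server.enroll_device()
        self.cookie = None

    def login(self, user):
        self.cookie = self.server.login(user, self.device_id)

    def request(self, path, now=None):
        ts = time.time() if now is None else now
        proof = compute_proof(self.device_key, self.cookie, path, ts)
        return self.server.authenticate(
            self.cookie, self.device_id, path, ts, proof, now=now)


def demo():
    """Constructed scenario: legitimate use, then three failed misuse attempts.
    Returns (legit, other_device, forged_device_id, stale_replay)."""
    server = SessionServer()
    path, ts = "/v1/groups/123", 1_000_000  # constructed sample values

    victim = Client(server)
    victim.login("alice")
    legit = victim.request(path, now=ts)

    # Cookie copied to a different enrolled device: session is bound elsewhere.
    thief = Client(server)
    thief.cookie = victim.cookie
    other_device = thief.request(path, now=ts)

    # Thief also spoofs the victim's device id but lacks the victim's device key.
    forged = server.authenticate(
        victim.cookie, victim.device_id, path, ts,
        compute_proof(thief.device_key, victim.cookie, path, ts), now=ts)

    # A genuine request captured on the wire and replayed outside the window.
    good_proof = compute_proof(victim.device_key, victim.cookie, path, ts)
    stale = server.authenticate(
        victim.cookie, victim.device_id, path, ts, good_proof, now=ts + 100)

    return legit, other_device, forged, stale


if __name__ == "__main__":
    print(demo())
```

In this design the server never looks at the client's IP address, so a session bound this way survives roaming between networks; IP-based invalidation is a separate signal that an operator may or may not keep alongside device binding.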
The goal ultimately is to give as much to the developers. But remember that a system like DevEx isn’t easy to maintain, especially as it scales, so it’ll increase eventually, but when that’ll be depends on a lot of variables.
Don’t want to explain those variables here, as not only is it off topic, but also something I’m somewhat tired of repeating every two seconds.
I’m open to opting out of this feature, but I’m curious if Roblox will continue to invalidate sessions when they originate from different IP addresses. This seems to be the primary obstacle for most automated processes that rely on cookies. Are there any plans to address this issue as well?
Some of these endpoints will be replaced by Open Cloud, though it’s a matter of time before they do. The only thing that I use that still has a cookie on it is going to be http://groups.roblox.com, which we are waiting on until it is in beta with the Open Cloud crew. Everything else is useless to myself (either it’s supported on Open Cloud or through API keys).
Not going to lie, this is probably one of the coolest security features, and it will definitely prevent most, if not all, account hijacking. Take that, cookie stealers!
Will this affect ROBLOX API wrappers like noblox.js and the ability to do things like make changes to groups, purchase items / check if a user has purchased an item, etc.?
Yes, that’s the point of this, since those wrappers use account cookies. Roblox offers their own official methods now, so it’s pointless to keep them around.
This is excellent news! Gone are the numerous phishing attempts and social engineering schemes to steal an innocent user’s session cookie, and subsequently, their entire account.
I am interested to know precisely how you intend to tie said cookie to a user’s device?
I’m super glad that Roblox is cracking down on bad actors in the cyber space and providing players, the majority of which are young, a safer place to explore experiences and socialise with friends.
We cannot yet upload .rbxm or .rbxmx models through Open Cloud endpoints, either as models or as plugins.
This impacts Rojo heavily as a result, because we cannot drop support for cookies without being able to do this.
What are your plans to address this so that we can fully secure our users’ accounts going forward?
Additionally, the .ROBLOSECURITY cookie is a requirement for running Studio. It already cannot be run in CI/CD because the IP is so uncontrolled in most automated runners (such as GitHub Actions), and this will make the problem worse. Is there a future where we get some way to run Studio properly in a CI/CD environment?