Introducing Account Session Protection

Amazing work from the Roblox team!

6 Likes

I’m glad Roblox has been improving account security, great job Roblox team!

6 Likes

it isn’t IP based at all this is why people can sign in from anywhere using your cookie

5 Likes

huge win for Roblox. :fist:

how i’ll be pulling up to the downfall of account beamers:
beamers

8 Likes

This is excellent news! Gone are the numerous phishing attempts and social engineering schemes to steal an innocent user’s session cookie, and subsequently, their entire account.

I am interested to know precisely how you intend to tie said cookie to a user’s device?

I’m super glad that Roblox is cracking down on bad actors in the cyber space and provide players, the majority of which are young, a safer place to explore experiences and socialise with friends.

4 Likes

We cannot yet upload .rbxm or .rbxmx models through open cloud endpoints, either as models or as plugins.

This impacts Rojo heavily as a result because we cannot drop support for cookies without being able to do this.

What are your plans to address this so that we can fully secure our users’ accounts going forward?


Additionally, the .ROBLOSECURITY cookie is a requirement for running Studio. It already cannot be run in CI/CD as a result due to the IP being so uncontrolled in most automated runners (such as GitHub Actions), and this will make the problem worse. Is there a future where we get some way to run Studio properly in a CI/CD environment?

34 Likes

Great addition for security, but I am currently relying on cookies to rank people in my group. Are there any alternatives currently?

5 Likes

And here we go, another useless update for Account to try to prevent account takeover without success, because account are still being stolen so easy

Without going to fix the damage you have done on the logins for the bot accounts (Ranking Services) without even offering a solution

:man_facepalming: Totaly a disaster after another

4 Likes

Finally! I dont have to fear getting cookie logged as much!!! Massive W!

4 Likes

You can opt out of it, cant you??

2 Likes

This is a great update.

Funny enough I was thinking on ways ROBLOX could prevent cookie theft few days ago and now this news comes out.

3 Likes

This is an insane update and finally some sort of new method to counter cookie theft.

2 Likes

This is a massive win for Roblox. Well done to the engineers who worked on this!!
Hopefully the attackers don’t find an easy way around this though

2 Likes

Roblox beamers are pissed because they can’t beam someone like people don’t click links after Zeppelin wars pilots pulling up worst maneuvers to get the account :speaking_head:

1 Like

This is fixed now. The list of API is in section “Detailed list of impacted APIs and rollout timeline”

4 Likes

I agree with a compensation to people who had their items stolen,

I was compromised out of items worth up to 1.3m value in robux back in March 2023 due to the account session protection not existing at the time.

My issue was mentioned in this post [CLOSED] Terminated or Compromised Accounts: Compiling a List to Deliver at RDC, it was delivered to RDC however it was cancelled due to unforeseen circumstances that had occurred there so I doubt they had seen the list entirely.

I would appreciate it if anyone could help me resolve this issue as Roblox Support has failed to provide my stolen items back.

1 Like

What about APIs like data.roblox.com and the develop APIs? I use these to upload and edit models as well as editing asset permissions. Will authentication for these APIs stay the same?

1 Like

Overall I am really happy about this, glad to see something is finally being done about the cookie logging issue.

One major thing that I don’t see people mentioning is why is turning off Account Session Protection irreversible? There might be some cases where I want to disable it for a time period but it seems harsh that it can never be reenabled for the rest of the lifetime of the account. Is this a technical issue, or what is going on here?

11 Likes

Thank you for your hard work and making this happen. This will help a lot of people stay safer. I’m hoping to also see some additional security measures taken to combat another common “hacker tactic” - phishing.

Perhaps doing something similar, like recognizing if a brand new device is trying to log in (and especially if it logs in from an entirely different country/VPN) would help a bit.

Your work is much appreciated!

2 Likes

While this is a big W in general, it looks like this will affect the RoPro plugin. For any that don’t already know, RoPro has 2,000,000 + installs, 360,000 + group members, and is subscription based ($ or gamepasses but also a free version)

I’m sure they’ll update to OAUTH2 if possible, but if that isn’t enough I can see a lot of users opting out. I myself wouldn’t because security is more important to me. So Roblox please work with RoPro to make the proper APIs work, and RoPro please don’t ask me to opt out

3 Likes