Introducing Account Session Protection

This is a great update.

Funny enough I was thinking on ways ROBLOX could prevent cookie theft few days ago and now this news comes out.

This is an insane update and finally some sort of new method to counter cookie theft.

This is a massive win for Roblox. Well done to the engineers who worked on this!!
Hopefully the attackers don’t find an easy way around this though

Roblox beamers are pissed because they can’t beam someone like people don’t click links after Zeppelin wars pilots pulling up worst maneuvers to get the account

This is fixed now. The list of API is in section “Detailed list of impacted APIs and rollout timeline”

I agree with a compensation to people who had their items stolen,

I was compromised out of items worth up to 1.3m value in robux back in March 2023 due to the account session protection not existing at the time.

My issue was mentioned in this post [CLOSED] Terminated or Compromised Accounts: Compiling a List to Deliver at RDC, it was delivered to RDC however it was cancelled due to unforeseen circumstances that had occurred there so I doubt they had seen the list entirely.

I would appreciate it if anyone could help me resolve this issue as Roblox Support has failed to provide my stolen items back.

What about APIs like data.roblox.com and the develop APIs? I use these to upload and edit models as well as editing asset permissions. Will authentication for these APIs stay the same?

Overall I am really happy about this, glad to see something is finally being done about the cookie logging issue.

One major thing that I don’t see people mentioning is why is turning off Account Session Protection irreversible? There might be some cases where I want to disable it for a time period but it seems harsh that it can never be reenabled for the rest of the lifetime of the account. Is this a technical issue, or what is going on here?

Thank you for your hard work and making this happen. This will help a lot of people stay safer. I’m hoping to also see some additional security measures taken to combat another common “hacker tactic” - phishing.

Perhaps doing something similar, like recognizing if a brand new device is trying to log in (and especially if it logs in from an entirely different country/VPN) would help a bit.

Your work is much appreciated!

While this is a big W in general, it looks like this will affect the RoPro plugin. For any that don’t already know, RoPro has 2,000,000 + installs, 360,000 + group members, and is subscription based ($ or gamepasses but also a free version)

I’m sure they’ll update to OAUTH2 if possible, but if that isn’t enough I can see a lot of users opting out. I myself wouldn’t because security is more important to me. So Roblox please work with RoPro to make the proper APIs work, and RoPro please don’t ask me to opt out

Didnt Expect this update, Roblox is getting better, First Killing exploiting, and now account theft? I LOVE THE TEAM BEHIND THIS PLATFORM!

You claim to be a “Web Developer” but have no idea what you are even talking about. Taking 2 minutes to read the post would probably be better than defaulting to “Roblox disaster”.

I hope this doesn’t affect asset uploading in the future, either directly through endpoints or through Tarmac. The ‘open cloud’ endpoints have been lacking for this use case; you still cannot upload rbxms to models, whitelist audios/videos, etc.

That’s great for account security, amazing work for roblox team!

This is probably the biggest and most useful account security update I’ve seen added to the platform. To the people who are working towards this getting fully rolled out, thank you so much. I’ve been in constant fear of losing my account due to clicking on sites for the longest time, and once this is out I’ll finally be able to have confidence in Roblox security enough to stop checking every link I see for typos like “roblicks” and etc. Really looking forward to it.

If this works and cannot be spoofed, then that’s incredible. I’ll feel much more at ease.

I appreciate this enhancement to account security and further appreciate the ability to opt out for those of us who need access to unsupported APIs. However, all my existing cookies have been wiped upon opting out requiring me to go back and update them in my scripts. Hopefully this could be changed for those who need to opt out in the future.

A HUGE roblox security update! Thank you! Just a few notes: Browser extensions run on client devices.

Maybe roblox doesn’t want browser extensions to do so, but this update won’t affect the ability for extensions to do so.

Edit: I mentioned something about Roblox restricting the ability for bots (that follow TOS), but I saw the ability to opt out, which is amazing. Just make sure to make it clear to users to not disable that unless they know what they’re doing.

Thanks for your question!, This will not affect VPN users since Account Session Protection is not based on IP

I doubt roblox would compensate them their ROBUX back