Introducing Account Session Protection

I use Tarmac for uploading images, is this affected by the new update?

3 Likes

Hi, thanks for responding! I was under the belief that there was an open thread for this (I find it hard to believe that nobody made one, considering how long this has been an issue) but I can’t find one. Would it be helpful if I made one on the off chance that one does not exist?

That’s correct, except that there are existing solutions to authenticate Studio in a CI environment. They require a VPN or self-hosted runner, but they do work. roblox-ts as an example was using a VPN to run tests until really recently (two weeks ago). My concern is that these changes will make processes like that even harder than they already are.

I accepted a long time ago we’d probably never get headless Studio, especially not one that works in CI/CD. This was during the “Roblox seems actively adversarial to Rojo” part of history though, and I realize times have changed. If the stance on e.g. roblox-cli has changed, I’d be willing to revisit requesting a headless Studio version. Directly discussing it is outside of the scope of this thread, of course, but I wanted to mention the CI/CD use case here because cookie changes directly impact people using Studio for testing.

10 Likes

I’m aware of the past discussions around this and I would just encourage you (as above) to really try and home in on what are the underlying problems you want solving. We’re obviously not just creating new features for the sake of the features themselves. Try to describe what exactly you want us to help simplify and you can mention the roblox-cli take as a footnote as one potential solution. Initial impression from my side is that this kind of tooling seems useful but also very technical to set up and might not benefit a large portion of creators vs. something we could set up inside the engine for validation and testing (not saying either solution is better or worse, just saying there are interesting trade-offs to think through once we actually focus on the need).

It would be good to have if not just for tracking purposes. Please link to me here / in DMs after posting and I’ll attach it to some internal discussions.

I’ll forward that concern specifically, thanks.

12 Likes

It is country-based. Logging into the cookie from another country will invalidate it.

5 Likes

Pretty cool!
Kinda good seeing that Roblox is adding more security features.

5 Likes

Here’s a feature request for it: Add an Open Cloud endpoint for uploading Roblox Models and Plugins

I fully understand that concern, and I agree. It would be very technical to set up in nature, especially since a lot of people don’t touch terminals at all these days. However, I’m not sure what alternatives look like. There’s a set of underlying problems, but it’s hard to find a good middle ground where the needs of everyone are covered appropriately. I’ll make a feature request related to it soon™, but it will be hard to strip away a specific solution here since it’s the obvious one that I know would work. An in-engine solution, as an example, does not work for Rojo because a lot of what we need does not exist in the engine and in my opinion it’d be a bad idea to add some of it.

7 Likes

@Hooksmith @jack_robloxman

In the past, users who had been compromised and after that sought a rollback for their stolen assets were denied for not having specific account security enabled. For example, the correspondent in the screenshot below was denied a rollback due to 2-step via an authenticator not being enabled on their account.

My question is simple: Will the Account Restoration Team use the Account Session Protection as new argumentation to deny a rollback?

I have seen a plethora of Account Restoration Specialists use account security features as the go-to reason to deny a rollback. Even worse, you mention the following:

The opt-out ability reminds me of Support Agents denying rollbacks because 2SV via authenticator was not enabled. I can’t prove this will be the new policy of the Support Team going forward, but looking at their past behaviour, I wouldn’t put it past them to deny rollbacks due to certain account security features not being enabled.

As a user who has been compromised in the past and had great trouble fetching my assets back, this concerns me.

5 Likes

Re-linking from above in case you missed it:
https://en.help.roblox.com/hc/en-us/articles/18765146769812-Account-Session-Protection

Warning: If you turn off Account Session Protection, you are leaving your account vulnerable to security threats. If your account is compromised as a result of turning off Account Session Protection, Roblox will not be able to assist you. This change is irreversible.

We do not recommend opting out. Especially not if you have valuable items in your account. Opting out is not required whatsoever so this shouldn’t be an issue for you.

This opt-out feature is intended to help certain automation use cases that do not yet live on Open Cloud, which in a lot of cases doesn’t need to happen from high value accounts.

9 Likes

Opting out does not disable account cookie regeneration.

4 Likes

They saw the list, but I don’t know if they read through it. The Innovation Awards being cancelled was a completely separate matter that I wasn’t really there for.

3 Likes

Nice to see Roblox actually fight phishing: the anti-exploit prevention article, and now this. The platform is changing, in a good direction.

5 Likes

No way Roblox is releasing a good update :exploding_head:

6 Likes

This is an amazing security update. Thank you Roblox, now there won’t be any hackers as before!

6 Likes

This was a great update for protecting accounts against malicious webpages and files. However, it’s a little confusing as to whether all endpoints will require this token even if the user has it disabled. Would love to learn more about the future of this.

4 Likes

A good Roblox update for once?
This is great news! No more account hacking, or “beaming”!
Massive W Roblox.

11 Likes

Wasn’t this already a thing since last year, iirc? My group ranking bot broke due to the cookie being invalidated when being accessed via a different IP, as I was hosting it via Glitch. Since then I had to scrap the system and revert to manual methods.

2 Likes
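The country-bound cookie behaviour described in the posts above (the cookie is invalidated when used from another country, regeneration continues even after opting out, and a fresh login on a new device is unaffected), as an added toy model written for this page. It is not Roblox's code, and nothing about the real implementation is known from the thread: the GeoIP table, the rotate-on-every-request policy, and the opt-out semantics are assumptions made for the example, and the IP ranges are RFC 5737 documentation addresses assigned to countries arbitrarily. A per-IP binding, which is what the ranking-bot post describes, is the same check with the raw address as the key instead of the country.

```python
"""Toy model of a session cookie bound to the login country.

Illustrative only: this is not Roblox's implementation. It models the
behaviour described in the thread (cookie invalidated when used from another
country; opt-out skips the location check but not cookie regeneration; a
fresh login from a new device always works).
"""
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed GeoIP table for the example (RFC 5737 documentation ranges,
# assigned to countries arbitrarily). A real service would use a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
]


def country_for(ip: str) -> str:
    """Map a client IP to a country code; anything outside the table is '??'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


@dataclass
class Session:
    user: str
    country: str      # country observed at login; enforced only when protected
    protected: bool   # False models an account that opted out
    generation: int = 0


class SessionStore:
    """Server-side store keyed by the opaque cookie value."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, ip: str, protected: bool = True) -> str:
        """A fresh login (any device, any country) always issues a new cookie."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(user, country_for(ip), protected)
        return cookie

    def authenticate(self, cookie: str, ip: str):
        """Validate a request; returns (user, rotated_cookie) or (None, None).

        Unknown cookie -> rejected. Protected session used from another
        country -> session deleted, so the cookie is dead everywhere from now
        on. Otherwise the cookie is regenerated on every successful request
        (assumed rotation policy), for opted-out sessions too.
        """
        sess = self._sessions.pop(cookie, None)   # old value never works again
        if sess is None:
            return None, None
        if sess.protected and country_for(ip) != sess.country:
            return None, None                     # already popped: invalidated
        sess.generation += 1
        new_cookie = secrets.token_urlsafe(32)
        self._sessions[new_cookie] = sess
        return sess.user, new_cookie

    def active_sessions(self) -> int:
        return len(self._sessions)


def demo() -> dict:
    """Walk the scenarios raised in the thread; each flag is True when the model behaves as described."""
    store = SessionStore()
    r = {}
    # 1. Protected session reused from the same country: OK, but the cookie rotates.
    c1 = store.login("alice", "203.0.113.10")
    user, c1b = store.authenticate(c1, "203.0.113.20")
    r["same_country_ok"] = user == "alice" and c1b not in (None, c1)
    r["old_cookie_dead_after_rotation"] = store.authenticate(c1, "203.0.113.20") == (None, None)
    # 2. Same session used from a German IP (e.g. a cloud-hosted ranking bot): invalidated for good.
    r["other_country_rejected"] = store.authenticate(c1b, "198.51.100.5") == (None, None)
    r["invalidated_even_at_home"] = store.authenticate(c1b, "203.0.113.10") == (None, None)
    # 3. Opted-out automation account: no country check, yet the cookie still regenerates.
    c3 = store.login("ci-bot", "203.0.113.10", protected=False)
    user, c3b = store.authenticate(c3, "198.51.100.5")
    r["opt_out_crosses_country"] = user == "ci-bot" and c3b is not None
    r["opt_out_still_rotates"] = store.authenticate(c3, "198.51.100.5") == (None, None)
    # 4. Logging in again from a new device/country is unaffected: it is a new session.
    c4 = store.login("alice", "198.51.100.9")
    r["new_device_login_ok"] = store.authenticate(c4, "198.51.100.9")[0] == "alice"
    r["active_sessions"] = store.active_sessions()   # alice's first session is gone; 2 remain
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point the model makes explicit: binding is enforced by deleting the server-side record on the first mismatch, not by merely refusing that one request, which is why a bot running from a different network kills the cookie for the owner's browser as well, and why opting out removes only the country check while rotation still retires every cookie value after use.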

For any questions like this I recommend referring to our terms as most staff members are not legally qualified to answer questions of this nature. Thanks!

5 Likes

Stupid question, but if I get a new device, I just can’t log in anymore?

Great question. Users’ login on a new device won’t be affected. You can still log in or sign up normally with Account Session Protection.

3 Likes

Will endpoints that require no authentication/cookies stay public?

Thanks and yes, endpoints that require no authentication will continue to stay public for the time being. We will make an announcement if any of the endpoints get deprecated in the future.

5 Likes

So, are there plans on outright removing these endpoints or just adding session protection? It seems very unclear what the plans truly are here, and I am concerned that browser extensions may continue to use the “session locked” token in order to retain the ability to use these endpoints on my behalf even after this date.

Thank you for the feedback! We will coordinate with Open Cloud for the enforcement of Account Session Protection to avoid disruption to creators’ use cases.

2 Likes