Great update, glad to see Roblox making security improvements.
The List of APIs link directs to a private post.
Session protection should be on by default, you can check by visiting the settings tab in the creator hub.
The whole thing seems confusing, in my opinion.
Great! Next up on the menu is not letting support disable 2FA on your behalf
Will the login + 2FA submission endpoints be affected? I use them to log in via username and password for the meantime, since Open Cloud is lackluster atm.
Glad to see a solid security improvement for what is probably the most common attack vector! However, I am curious how this will affect VPN users - assuming this protection is IP-based, am I going to have to sign back in every time I change my VPN server?
The current cookie system is IP based; this is saying they will lock the account session to the device.
Basically, the .ROBLOSECURITY cookie is used to store user sessions; without it you'd be logged out whenever you switched pages or refreshed the page. But prior to these changes, if someone managed to grab your .ROBLOSECURITY cookie, they could log into your account automatically, bypassing each and every account protection (passwords and 2FA).
This update will associate that particular cookie with the device you're on. This would in theory reduce instances of unauthorized access to users' accounts, as when the bad actor attempts to use said cookie, it won't work since the device they're using it on isn't the same as the one the cookie is associated with.
If there’s something else that you are confused about, I could try and give my interpretation of that as well.
Man, Roblox is doing good lately. Knock on wood, maybe we can get a Devex increase or a tax reduction at some point in the future?
The goal ultimately is to give as much as possible to the developers. But remember that a system like DevEx isn't easy to maintain, especially as it scales, so it'll increase eventually, but when that'll be depends on a lot of variables.
Don’t want to explain those variables here, as not only is it off topic, but also something I’m somewhat tired of repeating every two seconds.
I’m open to opting out of this feature, but I’m curious if Roblox will continue to invalidate sessions when they originate from different IP addresses. This seems to be the primary obstacle for most automated processes that rely on cookies. Are there any plans to address this issue as well?
Some of these endpoints will be replaced by Open Cloud, though it's a matter of time before they do. The only thing that I use that still has a cookie on it is going to be http://groups.roblox.com, which we are waiting on until it is in beta with the Open Cloud crew. Everything else is useless to myself (either it's supported on Open Cloud or via API keys).
Will you please patch this bug while you’re at it?
Not going to lie, this is probably one of the coolest security features, and it will definitely prevent most, if not all, account hijacking. Take that, cookie stealers!
Crazy good Roblox update, good job guys!
Nice, less account stealing; this will be a very good addition.
Will this affect Roblox API wrappers like noblox.js and the ability to do things like make changes to groups, purchase items / check if a user has purchased an item, etc.?
Yes, that's the point of this, since those wrappers use account cookies. Roblox offers their own official methods now, so it's pointless to keep them around.
If users can’t protect themselves, you gotta step up. Good job!
Players don’t need APIs, so this looks like a fantastic addition to have.