Introducing Account Session Protection

I would presume this was in reference to the current hacky way to do this, thru run-in-roblox. A provided headless engine, to run tests and build games, would be the much more ideal solution.

The most recent feature request for this seems to be auto-locked:

5 Likes

I’d recommend writing your requests as needs “I want to do this” rather than “implement this feature”, it makes it easier for us to digest and prioritize rather than a post about a specific proposed solution. It seems like the need here is “I want to add validation that runs before I commit/publish” or “I can’t safely add new code on my live project” or something along those lines. What is linked is just one way to solve that need but it might not be the only or best solution.

9 Likes

I use Tarmac for uploading images, is this affected by the new update?

3 Likes

Hi, thanks for responding! I was under the belief that there was an open thread for this (I find it hard to believe that nobody made one, considering how long this has been an issue) but I can’t find one. Would it be helpful if I made one on the off chance that one does not exist?

That’s correct, except that there are existing solutions to authenticate Studio in a CI environment. They require a VPN or self-hosted runner, but they do work. roblox-ts as an example was using a VPN to run tests until really recently (two weeks ago). My concern is that these changes will make processes like that even harder than they already are.

I accepted a long time ago we’d probably never get headless Studio, especially not one that works in CI/CD. This was during the “Roblox seems actively adversarial to Rojo” part of history though, and I realize times have changed. If the stance on e.g. roblox-cli has changed, I’d be willing to revisit requesting a headless Studio version. Directly discussing it is outside of the scope of this thread, of course, but I wanted to mention the CI/CD use case here because cookie changes directly impact people using Studio for testing.

10 Likes

I’m aware of the past discussions around this and I would just encourage you (as above) to really try and home in on what are the underlying problems you want solving. We’re obviously not just creating new features for the sake of the features themselves. Try to describe what exactly you want us to help simplify and you can mention the roblox-cli take as a footnote as one potential solution. Initial impression from my side is that this kind of tooling seems useful but also very technical to set up and might not benefit a large portion of creators vs. something we could set up inside the engine for validation and testing (not saying either solution is better or worse, just saying there are interesting trade-offs to think through once we actually focus on the need).

It would be good to have if not just for tracking purposes. Please link to me here / in DMs after posting and I’ll attach it to some internal discussions.

I’ll forward that concern specifically, thanks.

12 Likes

it is country based. logging into the cookie from another country will invalidate it

5 Likes

Pretty cool!
kinda good seeing that roblox is adding more security features.

5 Likes

Here’s a feature request for it: Add an Open Cloud endpoint for uploading Roblox Models and Plugins

I fully understand that concern, and I agree. It would be a very technical to set up in nature, especially since a lot of people don’t touch terminals at all these days. However, I’m not sure what alternatives look like. There’s a set of underlying problems, but it’s hard to find a good middle ground where the needs of everyone are covered appropriately. I’ll make a feature request related to it soon™, but it will be hard to strip away a specific solution here since it’s the obvious one that I know would work. An in-engine solution, as an example, does not work for Rojo because a lot of what we need does not exist in the engine and in my opinion it’d be a bad idea to add some of it.

7 Likes

@Hooksmith @jack_robloxman

In the past, users who had been compromised and after that sought a rollback for their stolen assets were denied for not having specific account security enabled. For example, the correspondent in the screenshot below was denied a rollback due to 2-step via an authenticator not being enabled on their account.

My question is simple: Will the Account Restoration Team use the Account Session Protection as new argumentation to deny a rollback?

I have seen a plethora of Account Restoration Specialists use account security features as the go-to reason to deny a rollback. Even worse, you mention the following:

The opt-out ability reminds me of Support Agents denying rollback because 2SV via authenticator being not enabled. I can’t prove this will be the new policy of the Support Team going forward, but looking at their past behaviour. I wouldn’t put it past them to deny rollbacks due to certain account security features not being enabled.

As a user who has been compromised in the past and had great trouble fetching my assets back. This concerns me.

5 Likes

Re-linking from above in case you missed it:
https://en.help.roblox.com/hc/en-us/articles/18765146769812-Account-Session-Protection

Warning: If you turn off Account Session Protection, you are leaving your account vulnerable to security threats. If your account is compromised as a result of turning off Account Session Protection, Roblox will not be able to assist you. This change is irreversible.

We do not recommend opting out. Especially not if you have valuable items in your account. Opting out is not required whatsoever so this shouldn’t be an issue for you.

This opt-out feature is intended to help certain automation use cases that do not yet live on Open Cloud, which in a lot of cases doesn’t need to happen from high value accounts.

9 Likes

Opt out does not disabled account cookie regeneration.

4 Likes

They saw the list, but I don’t know if they read through it. The Innovation Awards being cancelled was a completely separate matter that I wasn’t really there for.

3 Likes

Nice To See Roblox Actually Fight Phishing, The Anti Exploit Prevention Article, And Now This, The Platform Is Changing, Into The Good Direction

5 Likes

no way roblox is releasing a good update :exploding_head:

6 Likes

This is an amazing security update Thank you roblox now there won’t be any hackers as before!

6 Likes

This was a great update for protecting accounts against malicious webpages and files however it’s a little confusing on if all endpoints will require this token even if the user has it disabled? Would love to learn more about the future of this.

4 Likes

A good Roblox update for once?
This is great news! No more account hacking, or “beaming”!
Massive W Roblox.

11 Likes

Wasn’t this already a thing since last year iirc. My group ranking bot broke due to the cookie being invalidated when being accessed via a different IP as I was hosting it via glitch. Since then I had to scrap the system and revert to manual methods.

2 Likes

For any questions like this I recommend referring to our terms as most staff members are not legally qualified to answer questions of this nature. Thanks!

5 Likes

Stupid question, but if I get a new device, I just can’t log in anymore?

Great question. Users’ login on a new device won’t be affected. You can still log in or sign up normally with Account Session Protection.

3 Likes