Reproduction Steps

1. Login to a Roblox account
2. Turn on a VPN / use the cookie on a different IP
3. Refresh the page

Device Info

• User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
• Platform Type: PC
• Device Type: Computer

Expected Behavior
I expect the cookie to be valid, even if my IP changes. I should not be logged out just because I turned on a VPN. My cookie should also not randomly expire 2 years later.

Actual Behavior
I am logged out when I use a cookie on a different IP/VPN. I am unable to use Roblox accounts for automation on a VPS and the cookie randomly expired 2 years later.

Issue Area: Roblox Website
Page URL: Roblox
Impact: High
Frequency: Constantly
Date First Experienced: 2022-03-08 12:03:00 (-07:00)

As much as I agree that this shouldn’t be a thing, I can see this being Roblox’s response to people stupidly sending their cookies to other people and getting their accounts compromised.

Roblox should at least have made Open Cloud endpoints for frequently used APIs before making such a drastic change. Not only is this change detrimental to automation, it also just makes it a pain to use a VPN normally.

can’t you just open the VPN then log in? But still this should be fixed.

If it was intentional, I don’t see why alert the people maliciously using this method to get into people’s accounts without the holder’s consent and give them time to make up another method.

I think this is in purpose, it’s a method to secure te platform and accounts.

I believe this is not the case, as Roblox does not log you out if you log-in from a different IP normally.

This is part of an A/B test of a new security feature. These sorts of things really should be announced prior to being a thing.
(Based on my understanding)

This is normal, in-fact most services invalidate old cookies a few days after it was generated.

Couldn’t you use the auth api to log-in to the account and therefore generate a new cookie everytime.

Seems like not really a good security feature if it logs you out of your account if a hacker gets in?

My understanding is that the cookie is locked to an IP address(es), when changes forces a re-login. (With this new feature)

Ah, I thought you were talking about it invalidating all cookies to that account if an external IP accessed the account.

Here’s my take on this:
For security reasons, this is a good change - if executed properly it can completely prevent cookie logging.

I would hope cookies are invalidated if the IP’s general location changes - if it invalidated when your IP changed at all, that would make Roblox more or less unusable on cell networks or on mobile.

The problem is that this change was rolled out before web API developers had alternatives to using cookies for web endpoints. Before rolling out this change, Roblox should have at least alerted web developers through an announcement. Open Cloud lacks all of the APIs that we use with cookie-based authentication.

The least Roblox could do in this transition period would be to add a toggle to disable this security feature.

This is honestly a great feature, I still see a problem with people, who actually need it with vpns.

Absolutely; even if this was the case, it would almost certainly kill any cloud based CI testing suite for API wrappers, let alone developers intentionally moving their cookie to a dedicated VPS.

Oh are the hacky workarounds going to be fun to implement…

Um, that’s probably why you should implement a cookie pool whenever the ROBLOX Account Cookie expires? This is what I do.

Hence, it’ll grab the new ROBLOX Account Cookie, and use it, repitition.

I’m not sure you realize that every single one of those cookies are invalidated??

From time to time, I still run CI testing for noblox.js either on my laptop or on GitHub Codespaces, neither of which are capable of maintaining a single IP address for long periods of time. This will be a major stepback for API libraries, especially given that there are still no change logs and no proper authentication system to access the majority of endpoints that API wrappers rely on.

I have XFinity and from what I know, the IP given is static and unless you call, you have it forever. So this didn’t effect me because my stuff all runs in VMs on a server in my house but I see how this is bad for people using services like Linode, Vultr, or Digital Ocean.

A solution to people stealing cookies should be what Discord has for developer applications. It would help a lot. To stop fakes they can make the name of the application the same parameters for usernames so that it isn’t the same.

This change has caused at least four of my data acquisition bots to break for my site Rolimon’s.

I ran a quick test where I did the following:

1. Logged into an account on a desktop VPS
2. Copied the login cookie to a bot on a headless VPS
3. Sent a GET request the economy API from the bot on the VPS

The result was that I got a 401 status code indicating I was denied access, and when I refreshed the Roblox page I had left open on the desktop VPS, I was logged out.

Apparently a simple GET request sent from a different IP address causes the session to be invalidated.

This is an issue for me because my bot systems are headless and I don’t think it’s possible to log into Roblox from them programmatically because they’ll likely need a captcha to be completed, but I won’t be able to in a headless environment.