IP Changes Invalidate Cookie

I think this is in purpose, it’s a method to secure te platform and accounts.

14 Likes

I believe this is not the case, as Roblox does not log you out if you log-in from a different IP normally.

This is part of an A/B test of a new security feature. These sorts of things really should be announced prior to being a thing.
(Based on my understanding)

13 Likes

This is normal, in-fact most services invalidate old cookies a few days after it was generated.

Couldn’t you use the auth api to log-in to the account and therefore generate a new cookie everytime.

3 Likes

Seems like not really a good security feature if it logs you out of your account if a hacker gets in?

1 Like

My understanding is that the cookie is locked to an IP address(es), when changes forces a re-login. (With this new feature)

3 Likes

Ah, I thought you were talking about it invalidating all cookies to that account if an external IP accessed the account.

2 Likes

Here’s my take on this:
For security reasons, this is a good change - if executed properly it can completely prevent cookie logging.

I would hope cookies are invalidated if the IP’s general location changes - if it invalidated when your IP changed at all, that would make Roblox more or less unusable on cell networks or on mobile.

The problem is that this change was rolled out before web API developers had alternatives to using cookies for web endpoints. Before rolling out this change, Roblox should have at least alerted web developers through an announcement. Open Cloud lacks all of the APIs that we use with cookie-based authentication.

The least Roblox could do in this transition period would be to add a toggle to disable this security feature.

26 Likes

This is honestly a great feature, I still see a problem with people, who actually need it with vpns.

1 Like

Absolutely; even if this was the case, it would almost certainly kill any cloud based CI testing suite for API wrappers, let alone developers intentionally moving their cookie to a dedicated VPS.

Oh are the hacky workarounds going to be fun to implement…

5 Likes

Um, that’s probably why you should implement a cookie pool whenever the ROBLOX Account Cookie expires? This is what I do. :man_shrugging:

Hence, it’ll grab the new ROBLOX Account Cookie, and use it, repitition.

I’m not sure you realize that every single one of those cookies are invalidated??

3 Likes

From time to time, I still run CI testing for noblox.js either on my laptop or on GitHub Codespaces, neither of which are capable of maintaining a single IP address for long periods of time. This will be a major stepback for API libraries, especially given that there are still no change logs and no proper authentication system to access the majority of endpoints that API wrappers rely on.


@IDoLua I do research with private information for my work, and I'm not allowed to not use a VPN while those files are on my laptop or even check my work email. I absolutely need a VPN to access that stuff, so no, it's not just for people with poor connectivity.
13 Likes

I have XFinity and from what I know, the IP given is static and unless you call, you have it forever. So this didn’t effect me because my stuff all runs in VMs on a server in my house but I see how this is bad for people using services like Linode, Vultr, or Digital Ocean.

A solution to people stealing cookies should be what Discord has for developer applications. It would help a lot. To stop fakes they can make the name of the application the same parameters for usernames so that it isn’t the same.

2 Likes

This change has caused at least four of my data acquisition bots to break for my site Rolimon’s.

I ran a quick test where I did the following:

  1. Logged into an account on a desktop VPS
  2. Copied the login cookie to a bot on a headless VPS
  3. Sent a GET request the economy API from the bot on the VPS

The result was that I got a 401 status code indicating I was denied access, and when I refreshed the Roblox page I had left open on the desktop VPS, I was logged out.

Apparently a simple GET request sent from a different IP address causes the session to be invalidated.

This is an issue for me because my bot systems are headless and I don’t think it’s possible to log into Roblox from them programmatically because they’ll likely need a captcha to be completed, but I won’t be able to in a headless environment.

33 Likes

This is a good change because it prevents people from scamming cookies

1 Like

That explains my pains with my game’s github CI throwing HTTP 400 errors when I try to publish…

Unfortunately the community tooling hasn’t caught up with the cloud API yet, so there’s still a bit of reliance on cookie-based authentication, and this is definitely a detrimental change. Not to mention I believe some tooling CI uses cookie authentication to be able to run studio for testing. (since it requires authentication)

3 Likes

Yeah, but it would be much better if this could be an option for all users.

1 Like

This is a feature that should have been done years ago, it’s about time they did something to actually prevent account theft.

They need to get this rolled out to 100% as soon as possible.

Next thing we need is the ability to require the account pin for sending/accepting trades and making purchases.

3 Likes

It’s already rolled out, and as much as I agree with your statement you also need to understand the side-effects where the users that play VPN/VM will have to login every time. Developers that gather data for their game through Roblox API’s will have trouble with that.

So, this should have been optional.

1 Like