After a bit of testing I found out that the cookie only gets invalidated whenever your IP originates from another continent regardless of the A/B testing in that specific region.
Roblox probably increased the IP-region threshold instead of doing a rollback.
I know I’m late on this subject, but I do believe that this feature is ruining API for the Roleplay section of Roblox, and especially other games which require automation through cookie authentication.
Thing such as; Rank Management, Quiz Center’s, Automated Trainings, and much more require a sufficient bot to rank the user throughout the group. This allows for a scaleable expansion of a game, so staff members are not tirelessly ranking users who fill out a low-rank staff application, or fulfill a task in the game.
Honestly, I understand that this feature was implemented to provide a more-safe experience throughout the platform, and in no way do I want to deny that to the multitude of users within the meta verse, so my personal opinion & solution for this subject would to create an option to disable/enable this feature. As in, for every concurrent account, and for every account made in the future, the feature is turned on automatically, but the users have a chance to turn it off. Something similar to this would be like the 2 step verification, It’s offered on every account, but not every account has it. Same with the Parental Pin, and other things of the sort.
Adding an option to disable/enable this feature would allow automations to continue running on the Roblox platform with ease, while keeping the gameplay aspect of Roblox safe. Obviously there are probably other solutions to this as well, such as the ones mentioned in this post before, but this is just my opinion on the subject, since I do see the use for the new feature added, and do love the fact that Roblox is trying to help keep the community safe…
Anyway, I hope this is resolved soon, and we can resume operations ASAP!
This change effectively broke auto-uploading of models from GitHub and other, legitimate, bot-type use-cases. Meanwhile, they’ve offered NO alternative in the form of the Cloud API stuff meaning the auto-upload actions I have for my GitHub projects are effectively no longer usable and I currently have no way around it.
I really don’t understand the point of having the Cloud API stuff if the only thing it can do is publish places. What normal person or group is editing and publishing their place outside of studio/on GitHub to where such a niche use-case gets a whole API thing for it, yet we don’t get the same for models and other assets? I can understand the whole cookie invalidation thing since it helps prevent cookie stealing n stuff, but at least give options to those of us who need to use it for things like auto publishing non-places or whatever other things this update broke. Cloud API only supporting places is basically worthless for the majority of use cases I can think of.
Between this and the audio changes I’m just so aggravated with Roblox right now.
ALSO: This means basically anyone connected to Roblox from a mobile device connected to a mobile network is going to have their session cookie invalidated EVERY SINGLE TIME YOU CONNECT TO A DIFFERENT CELL TOWER since the IP will undoubtedly change. This also, as OP observed, invalidates it just for connecting to a VPN. This is all unbelievably irritating.
Either give us a way to disable this on a per-account basis (you can leave it enabled by default to protect users) or give us alternative API routes to things this breaks (tbh I’d personally prefer the former as I really don’t want to log in again just because I happened to switch to a different cell tower, VPN, or access point.)
From my testing, the cookie will only invalidate if you change continent. I’ve tested it from a UK region, went to another Europe country and it worked fine. If I moved to US, it would invalidate.
The new “IP-lock” update is not actually restricting your cookie to one IP. Its only restricting it to one continent . No fancy bypass needed, just use proxies and a VPS located in your continent or country and your set.
I’m assuming that the continent-lock is temporary and probably will be changed soon. I wouldn’t trust moving your VPS to another continent at the moment. Roblox is probably experimenting with the IP-allowance threshold seeing all these changes with cookies the past few days.
I’m slightly late to this thread, but this update is terrible for developers. Any sort of application that requires cookie authentication will break or be unable to be updated.
Discord bots, group automation, literally everything. It would make sense for Roblox to speak to developers on something like this before rolling it out, or at least make us aware of it.
-Bots and automation site-wide for genuine dev use cases have been destroyed
-Account theft has not only not been stopped but has INCREASED due to impersonator scammers on Discord taking advantage of all the chaos.
-Absolutely zero announcements or clarification from ROBLOX about what’s happening or what will be implemented to allow developers to do something in the meantime before Open Cloud becomes actually useful.
Completely puzzling, genuinely one of the worst ROBLOX updates in a long time, and dudes at the HQ are wondering why the stock is down 70% with decisions like this.
From someone who has worked with Roblox in the past:
You can’t expect something to completely stop an action. Bad actors will try to go with different routes. That’s why “good job, you fixed XYZ” jokes exist.
Also, if you give up your personal log in credentials to someone who claims to be popular or in exchange for goods, it’s just Darwinism at this point.
That’s what happens during A/B testing. If anything, we will get a response after they’re done gathering data.
It’s a hack sure but what else are developers supposed to use, like previous responders in this thread have mentioned it’s incredibly limited atm and incredibly selective to have your opinions/suggestions about that kinda stuff heard by ROBLOX. As per usual there’s such a disconnect between the platform and its developers.
If you need any specific features just reply to that thread with your asks. (guessing you need group management API or so?)
The issue is that in this instance, the change is actually highly beneficial for 95% of users (regular users who are often the target of cookie theft). It’s worth making this change for that reason. I’m certain you’ll figure out how to work around this constraint in the mean-time. For example you could rent a cloud machine with a fixed IP to get around the issue.
Most of the features that would be most commonly used are either unreleased or in “planning” which in ROBLOX terms could mean anything. There is zero reason to not have made this change optional it would take seconds of effort and if the attacker were able to get into someones account to make the change then they wouldn’t have needed it anyway because they’re ALREADY in the account.
The issue is that in this instance, the change is actually highly beneficial for 95% of users (regular users who are often the target of cookie theft)
This won’t change a thing, still see cookies being logged by people who have circumvented the system or a shift to just people stealing account credentials/emails which is soooo much better. This was a reactionary update to the bad PR regarding ROBLOX outsourced support helping bad actors get account information behind the scenes to cover their you-know-whats and it’s obvious.
Back to reality: recommend just setting up a few feature requests for the endpoints you need to reach via ApiKey. It’s not worth your time to waste energy on “big bad corp” stories, let’s be constructive.
To be entirely clear: I’m talking about the tinfoil-hattery that for some reason this change would be related to that. It’s “big bad corp” talk that isn’t based on anything.
Can assure you this change was made for security reasons, not to counter bad press lol.
For those of you looking for a “free” option, Google Cloud includes a e2.micro VM in its Always Free Tier along with one static IP. However, you have to select HDD as its persistent disk.
Link to the relevant Free Tier section: Google Cloud Free Program
A word of caution, this is what is available (not my recommendation). Google can change its free tier at will, so might wanna be careful. Unfortunately, you will need a credit card for the purpose of verification.