I am in the UK, but I specifically select my server to be located in Ohio.
This still poses issues for me.
I am in the UK, but I specifically select my server to be located in Ohio.
This still poses issues for me.
This change effectively broke auto-uploading of models from GitHub and other, legitimate, bot-type use-cases. Meanwhile, they’ve offered NO alternative in the form of the Cloud API stuff meaning the auto-upload actions I have for my GitHub projects are effectively no longer usable and I currently have no way around it.
I really don’t understand the point of having the Cloud API stuff if the only thing it can do is publish places. What normal person or group is editing and publishing their place outside of studio/on GitHub to where such a niche use-case gets a whole API thing for it, yet we don’t get the same for models and other assets? I can understand the whole cookie invalidation thing since it helps prevent cookie stealing n stuff, but at least give options to those of us who need to use it for things like auto publishing non-places or whatever other things this update broke. Cloud API only supporting places is basically worthless for the majority of use cases I can think of.
Between this and the audio changes I’m just so aggravated with Roblox right now.
ALSO: This means basically anyone connected to Roblox from a mobile device connected to a mobile network is going to have their session cookie invalidated EVERY SINGLE TIME YOU CONNECT TO A DIFFERENT CELL TOWER since the IP will undoubtedly change. This also, as OP observed, invalidates it just for connecting to a VPN. This is all unbelievably irritating.
Either give us a way to disable this on a per-account basis (you can leave it enabled by default to protect users) or give us alternative API routes to things this breaks (tbh I’d personally prefer the former as I really don’t want to log in again just because I happened to switch to a different cell tower, VPN, or access point.)
… >:(
From my testing, the cookie will only invalidate if you change continent. I’ve tested it from a UK region, went to another Europe country and it worked fine. If I moved to US, it would invalidate.
Forwarding this information from servers I’m in.
The new “IP-lock” update is not actually restricting your cookie to one IP. Its only restricting it to one continent . No fancy bypass needed, just use proxies and a VPS located in your continent or country and your set.
I’m assuming that the continent-lock is temporary and probably will be changed soon. I wouldn’t trust moving your VPS to another continent at the moment. Roblox is probably experimenting with the IP-allowance threshold seeing all these changes with cookies the past few days.
I am not experiencing this bug, but I think this is actually a feature.
Here is a post I made regarding this:
Hopefully someone saw my post or a post similar to it and implemented it.
I think (just like many others) that this update is a very good thing security wise, since it protects users from getting cookie logged like you did.
The issue I have with this is that it’s implemented in a way that we, developers, are left with no real alternative/solution for our bots.
I’m slightly late to this thread, but this update is terrible for developers. Any sort of application that requires cookie authentication will break or be unable to be updated.
Discord bots, group automation, literally everything. It would make sense for Roblox to speak to developers on something like this before rolling it out, or at least make us aware of it.
No response or explanation from ROBLOX, meanwhile
-Bots and automation site-wide for genuine dev use cases have been destroyed
-Account theft has not only not been stopped but has INCREASED due to impersonator scammers on Discord taking advantage of all the chaos.
-Absolutely zero announcements or clarification from ROBLOX about what’s happening or what will be implemented to allow developers to do something in the meantime before Open Cloud becomes actually useful.
Completely puzzling, genuinely one of the worst ROBLOX updates in a long time, and dudes at the HQ are wondering why the stock is down 70% with decisions like this.
From someone who has worked with Roblox in the past:
You can’t expect something to completely stop an action. Bad actors will try to go with different routes. That’s why “good job, you fixed XYZ” jokes exist.
Also, if you give up your personal log in credentials to someone who claims to be popular or in exchange for goods, it’s just Darwinism at this point.
That’s what happens during A/B testing. If anything, we will get a response after they’re done gathering data.
It’s a hack sure but what else are developers supposed to use, like previous responders in this thread have mentioned it’s incredibly limited atm and incredibly selective to have your opinions/suggestions about that kinda stuff heard by ROBLOX. As per usual there’s such a disconnect between the platform and its developers.
You can use open cloud:
If you need any specific features just reply to that thread with your asks. (guessing you need group management API or so?)
The issue is that in this instance, the change is actually highly beneficial for 95% of users (regular users who are often the target of cookie theft). It’s worth making this change for that reason. I’m certain you’ll figure out how to work around this constraint in the mean-time. For example you could rent a cloud machine with a fixed IP to get around the issue.
You can use open cloud
Most of the features that would be most commonly used are either unreleased or in “planning” which in ROBLOX terms could mean anything. There is zero reason to not have made this change optional it would take seconds of effort and if the attacker were able to get into someones account to make the change then they wouldn’t have needed it anyway because they’re ALREADY in the account.
The issue is that in this instance, the change is actually highly beneficial for 95% of users (regular users who are often the target of cookie theft)
This won’t change a thing, still see cookies being logged by people who have circumvented the system or a shift to just people stealing account credentials/emails which is soooo much better. This was a reactionary update to the bad PR regarding ROBLOX outsourced support helping bad actors get account information behind the scenes to cover their you-know-whats and it’s obvious.
Uhu
Back to reality: recommend just setting up a few feature requests for the endpoints you need to reach via ApiKey. It’s not worth your time to waste energy on “big bad corp” stories, let’s be constructive.
To be entirely clear: I’m talking about the tinfoil-hattery that for some reason this change would be related to that. It’s “big bad corp” talk that isn’t based on anything.
Can assure you this change was made for security reasons, not to counter bad press lol.
This update was rolled out to everyone.
There is a way to fix it but, you need a VPS server which I cannot afford.
For those of you looking for a “free” option, Google Cloud includes a e2.micro
VM in its Always Free Tier along with one static IP. However, you have to select HDD as its persistent disk.
Link to the relevant Free Tier section: Google Cloud Free Program
A word of caution, this is what is available (not my recommendation). Google can change its free tier at will, so might wanna be careful. Unfortunately, you will need a credit card for the purpose of verification.
It wasn’t rolled out to everyone because I don’t have VPS and it is still working fine for me.
This has been a solid solution, would highly recommend.
It would just charge you after 300$ free trial.