IP Changes Invalidate Cookie

Here’s my take on this:
For security reasons, this is a good change - if executed properly it can completely prevent cookie logging.

I would hope cookies are invalidated if the IP’s general location changes - if it invalidated when your IP changed at all, that would make Roblox more or less unusable on cell networks or on mobile.

The problem is that this change was rolled out before web API developers had alternatives to using cookies for web endpoints. Before rolling out this change, Roblox should have at least alerted web developers through an announcement. Open Cloud lacks all of the APIs that we use with cookie-based authentication.

The least Roblox could do in this transition period would be to add a toggle to disable this security feature.

26 Likes

This is honestly a great feature; I still see a problem with people who actually need it with VPNs.

1 Like

Absolutely; even if this was the case, it would almost certainly kill any cloud based CI testing suite for API wrappers, let alone developers intentionally moving their cookie to a dedicated VPS.

Oh are the hacky workarounds going to be fun to implement…

5 Likes

Um, that’s probably why you should implement a cookie pool whenever the ROBLOX Account Cookie expires? This is what I do. :man_shrugging:

Hence, it’ll grab the new ROBLOX Account Cookie and use it, repetition.

I’m not sure you realize that every single one of those cookies are invalidated??

2 Likes

From time to time, I still run CI testing for noblox.js either on my laptop or on GitHub Codespaces, neither of which are capable of maintaining a single IP address for long periods of time. This will be a major stepback for API libraries, especially given that there are still no change logs and no proper authentication system to access the majority of endpoints that API wrappers rely on.

@IDoLua I do research with private information for my work, and I'm not allowed to not use a VPN while those files are on my laptop or even check my work email. I absolutely need a VPN to access that stuff, so no, it's not just for people with poor connectivity.

13 Likes

I have Xfinity and from what I know, the IP given is static and unless you call, you have it forever. So this didn’t affect me because my stuff all runs in VMs on a server in my house, but I see how this is bad for people using services like Linode, Vultr, or Digital Ocean.

A solution to people stealing cookies should be what Discord has for developer applications. It would help a lot. To stop fakes they can make the name of the application the same parameters for usernames so that it isn’t the same.

2 Likes

This change has caused at least four of my data acquisition bots to break for my site Rolimon’s.

I ran a quick test where I did the following:

  1. Logged into an account on a desktop VPS
  2. Copied the login cookie to a bot on a headless VPS
  3. Sent a GET request to the economy API from the bot on the VPS

The result was that I got a 401 status code indicating I was denied access, and when I refreshed the Roblox page I had left open on the desktop VPS, I was logged out.

Apparently a simple GET request sent from a different IP address causes the session to be invalidated.

This is an issue for me because my bot systems are headless and I don’t think it’s possible to log into Roblox from them programmatically because they’ll likely need a captcha to be completed, but I won’t be able to in a headless environment.

33 Likes
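The behaviour observed in the test above (a request from a second IP returns 401 and revokes the session for the original browser too), next to the location-tolerant variant the first post hopes for, as an added example that is not Roblox's code or anything from this thread; the session store, the "strict" versus "prefix" modes and the IP addresses (RFC 5737 documentation ranges) are all constructed here:

```python
import ipaddress
import secrets


class SessionStore:
    """Server-side sessions bound to the IP that created them (constructed example).

    mode="strict" revokes the session on any IP change, which is what the
    Rolimon's test above observed. mode="prefix" tolerates addresses inside the
    same /prefix_len network, a coarse stand-in for "general location".
    """

    def __init__(self, mode="strict", prefix_len=24):
        self.mode = mode
        self.prefix_len = prefix_len
        self._sessions = {}

    def login(self, user, ip):
        # Unguessable token; the binding IP is stored server-side, not in the cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "ip": ip, "revoked": False}
        return token

    def _same_origin(self, bound_ip, request_ip):
        if self.mode == "strict":
            return bound_ip == request_ip
        net = ipaddress.ip_network(f"{bound_ip}/{self.prefix_len}", strict=False)
        return ipaddress.ip_address(request_ip) in net

    def authenticate(self, token, request_ip):
        """Return (http_status, user). A mismatch revokes the session outright,
        so the browser that originally logged in is logged out as well."""
        s = self._sessions.get(token)
        if s is None or s["revoked"]:
            return 401, None
        if not self._same_origin(s["ip"], request_ip):
            s["revoked"] = True
            return 401, None
        return 200, s["user"]


def replay_test(mode):
    """Re-run the three-step test from the post against one store mode."""
    store = SessionStore(mode=mode)
    token = store.login("databot", "203.0.113.10")  # desktop VPS (constructed)
    same = store.authenticate(token, "203.0.113.10")[0]
    nearby = store.authenticate(token, "203.0.113.77")[0]  # same /24
    far = store.authenticate(token, "198.51.100.5")[0]  # headless VPS elsewhere
    after = store.authenticate(token, "203.0.113.10")[0]  # original browser refresh
    return same, nearby, far, after
```

In strict mode the nearby address already revokes the session; in prefix mode only the distant one does, and in both the original browser is logged out afterwards.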

This is a good change because it prevents people from scamming cookies.

1 Like

That explains my pains with my game’s GitHub CI throwing HTTP 400 errors when I try to publish…

Unfortunately the community tooling hasn’t caught up with the cloud API yet, so there’s still a bit of reliance on cookie-based authentication, and this is definitely a detrimental change. Not to mention I believe some CI tooling uses cookie authentication to be able to run Studio for testing (since it requires authentication).

3 Likes

Yeah, but it would be much better if this could be an option for all users.

1 Like

This is a feature that should have been done years ago, it’s about time they did something to actually prevent account theft.

They need to get this rolled out to 100% as soon as possible.

Next thing we need is the ability to require the account pin for sending/accepting trades and making purchases.

3 Likes

It’s already rolled out, and as much as I agree with your statement, you also need to understand the side effects, where the users that play on VPN/VM will have to log in every time. Developers that gather data for their game through Roblox APIs will have trouble with that.

So, this should have been optional.

1 Like

I use a VPN too but allowing it to be an option is just compromising security for convenience and leaves open the ability for scammers to use social engineering tactics for getting people to use the setting and allow IP changes.

Well, I think at this point they would rather make .exe files or social engineer their way into making you send the trade/Robux to them.

2 Likes

I personally never got hacked where someone has got my .ROBLOSECURITY cookie.
It was more about loop-holes and tricks that I/Roblox Support fell for.

2 Likes

Making this optional would bring more benefit to people rather than harm.

5 Likes

Vouch. Xfinity keeps your IP static.

Verizon, on the other hand: if your ONT loses power, you will have a new IP generated. I went from a server in Dallas to one in Richmond. It would be very annoying to lose my logged-in account on Verizon networks just because my network lost power.

2 Likes

Yea, for users and Studio users, this is a great update! But there is a whole community that uses the Roblox API in projects and websites and such, who rely on logging in with a cookie that won’t expire so they can grab data. This update was pushed without being announced and gave no secondary solution to API users like most of us on this thread (including myself).

3 Likes

Yeah I guess an option is more preferable as someone above mentioned.

3 Likes