IP Changes Invalidate Cookie

This is a good change because it prevents people from scamming cookies

1 Like

That explains my pains with my game’s GitHub CI throwing HTTP 400 errors when I try to publish…

Unfortunately the community tooling hasn’t caught up with the cloud API yet, so there’s still a bit of reliance on cookie-based authentication, and this is definitely a detrimental change. Not to mention I believe some tooling CI uses cookie authentication to be able to run studio for testing (since it requires authentication).

3 Likes

Yeah, but it would be much better if this could be an option for all users.

1 Like

This is a feature that should have been done years ago, it’s about time they did something to actually prevent account theft.

They need to get this rolled out to 100% as soon as possible.

Next thing we need is the ability to require the account pin for sending/accepting trades and making purchases.

3 Likes

It’s already rolled out, and as much as I agree with your statement you also need to understand the side-effects where the users that play VPN/VM will have to log in every time. Developers that gather data for their game through Roblox APIs will have trouble with that.

So, this should have been optional.

1 Like

I use a VPN too but allowing it to be an option is just compromising security for convenience and leaves open the ability for scammers to use social engineering tactics for getting people to use the setting and allow IP changes.

Well, I think at this point they would rather make .exe files or social engineer their way into making you send the trade/Robux to them.

2 Likes

I personally never got hacked where someone has got my .ROBLOSECURITY cookie.
It was more about loopholes and tricks that I/Roblox Support fell for.

2 Likes

Making this optional would bring more benefit to people rather than harm.

5 Likes

Vouch. Xfinity keeps your IP static.

Verizon on the other hand. If your ONT loses power, you will have a new IP generated. I went from a server in Dallas to one in Richmond. This would be very annoying to lose my logged in account on Verizon networks just because my network lost power.

2 Likes

Yea, for users and studio users, this is a great update! But there is a whole community that uses Roblox API in projects and websites and such, who rely on logging in with a cookie that won’t expire so they can grab data. This update was pushed without being announced and gave no secondary solution to API users like most of us on this thread (including myself).

3 Likes

Yeah I guess an option is more preferable as someone above mentioned.

3 Likes

Unfortunately I can’t see Roblox making this an option, many people won’t understand it. Either way they need to do something, they can’t leave it this way.

3 Likes

I completely disagree. This should be an advanced setting that warns you about the risks and you have like to wait 10 seconds before confirming.

This could also be in the Open Cloud console, where normal players wouldn’t even run into it.

This completely ruins many 3rd party ROBLOX systems, and imo causes more damage than it fixes. People who are vulnerable to cookie logging are also probably vulnerable to being ratted, social engineered, etc.

11 Likes

This change is incredibly frustrating, but sadly shows how Roblox sees the developers who build outside integrations. With absolutely no warning made available to this change, and with Open Cloud’s APIs far from release, Roblox has just broken hundreds, if not more, of integrations that rely on cookies to rank in groups, monitor group security, and more.

11 Likes

This is a major issue for developers, and groups. It’s not always feasible to expect ranking to work on my services, or servers when they are scaled [meaning different machines/IP addresses handle requests]. We really need an alternative to .ROBLOSECURITY authentication or I hope this change is undone. I really hope to see an official response about this, as this is detrimental to all developers who create integrations with Roblox, and is hurting thousands of users who rely on these tools.

12 Likes

Cookies are typically meant to have an expiration date for security reasons. The idea is to automatically re-generate the cookie in the background upon its expiration to prevent bad actors from making use of the old one, while not forcing the user to re-authenticate.

Regarding the IP change cookie invalidation, you make a good point since some devs use cookies for automation purposes. Roblox should give us the ability to whitelist certain IPs to fix this issue while increasing the level of security with regards to cookies being stolen or given out.

3 Likes
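An added illustration of the two mechanisms raised in the post above, background token rotation and a per-account IP allowlist on top of IP-bound sessions. It is not part of any post in this thread and not Roblox's actual implementation; `SessionStore`, `ROTATE_AFTER` and the addresses used are hypothetical.

```python
import ipaddress
import secrets
import time

ROTATE_AFTER = 3600  # assumed token lifetime in seconds before silent rotation


class SessionStore:
    """Hypothetical server-side session table: token -> session record."""

    def __init__(self):
        self.sessions = {}
        self.allowlists = {}  # account -> networks the owner has pre-approved

    def allow(self, account, cidr):
        self.allowlists.setdefault(account, []).append(ipaddress.ip_network(cidr))

    def login(self, account, ip, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Bind the session to the address it was created from.
        self.sessions[token] = {"account": account,
                                "ip": ipaddress.ip_address(ip),
                                "issued": now}
        return token

    def validate(self, token, ip, now=None):
        """Return (account, token_to_use), or (None, None) if rejected."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None, None
        addr = ipaddress.ip_address(ip)
        allowed = any(addr in net for net in self.allowlists.get(s["account"], []))
        if addr != s["ip"] and not allowed:
            # Unknown address: kill the session so a copied cookie is useless.
            del self.sessions[token]
            return None, None
        if now - s["issued"] >= ROTATE_AFTER:
            # Expired: retire the old token and hand back a fresh one without
            # asking the user to re-authenticate.
            del self.sessions[token]
            return s["account"], self.login(s["account"], str(s["ip"]), now)
        return s["account"], token
```

With an allowlisted CIDR, a scaled integration whose requests leave from several machines keeps its session, while the same token replayed from any other address is invalidated.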

I understand this change is overall to protect account security, but as stated a multitude of times in this post this really puts a huge strain on most forms of automation. I’m hoping Roblox is willing to reconsider this, or at the very least make a viable solution for people who legitimately use forms of automation. Even a heads up would have been nice and given me some time to create something that’s compliant with this change, but unfortunately myself and a lot of my friends are scrambling right now to ensure there isn’t too much downtime regarding various automation bots.

1 Like

@xChris_vC and I run RocketApps (application centre and Roblox API provider). We are noticing more requests failing than usual but still about 60%, maybe even a little more, goes through like usual.

We have no idea why some cookies got invalidated and others haven’t.

Due to the way that our system was designed, every request to the Roblox API is being sent from another IP address.

Are we certain Roblox is invalidating cookies based on the IP address they’re being created with (login)?

5 Likes

This is part of an A/B test of a new security feature. These sorts of things really should be announced prior to being a thing.

A decent chance this change wasn’t rolled to your remaining cookies. It must have only been rolled out to some % of Roblox users (which is, well, what A/B testing is).

4 Likes