IP Changes Invalidate Cookie

I believe this is coming soon: Open Cloud API Keys Now Support Groups!

1 Like

Coming soon is not enough. This update breaks my applications and is also very counter intuitive - Roblox encourages us to authenticate with cookies when making API requests - even when we do not necessarily need to be authenticated, and gives us higher rate limits. This change is good for security but cannot be rolled out until there is another solution.

EDIT: Maybe we can see a solution as to whitelisting IPs, such as many other providers offer? This would allow me to whitelist my VPS.

4 Likes

What are you on about? There is only one time the captcha is needed which costs about 5 cents, and thats to retrieve the account cookie. The amount of members does not matter.

1 Like

Alot of services use multiple IP’s which would mean every time the service needs to do something on another IP it would need to complete a captcha, you can’t assume that Chris uses a fixed IP for everything.

2 Likes

Roblox decided to use a wrecking ball and destroy every application that uses their APIs with this update…

I use proxies for my ROBLOX projects constantly & with this brand new update coming into play, I receive 401s always & every cookie invalidates. This has to be possibly the worst update they have come up with… by far…

Please revert this update; all of these applications have gone into the wasteland after this update & which makes it impossible to use the API without getting rate-limited or receiving an unauthorised response.

3 Likes

That’s not how it works, if you’re running it on a VPS, probably do more research?

How this works is that it’ll grab a new Roblox account cookie if the cookie is invalid, this is repeated.

1 Like

God this is gonna mess up a ton of bots and websites.

What I would love to see is the Roblox team make it more easy for us to create applications with the web endpoints. Ngl the guide itself is not that clear for beginners.

1 Like

Just install some type of GUI (of the many we have) on this machine, and after that clean it up or disable.

1 Like

Why could they not just make 1 user per cookie, or just stop the hacker from logging in but without expiring the whole cookie? (This is just a question, if they can’t do that it’s ok.)

1 Like

Sorry for the late reply, but thank you for clarifying it. I didn’t even consider them.

2 Likes

I had this happen to me, took me a bit to realize this was why the authentication was never working.

Quick edit: @aze_rty provided a significantly better solution that works on lower-end servers. I didn’t take into consideration system resources for most situations where a lightweight VPS is all that’s necessary, so this solution isn’t very useful or helpful to most.

To solve this, I just used X11 forwarding over SSH to pop open Firefox and sign in that way. It’s extremely simple if you have the latest version of Windows 11 (Build 22000+) and WSL 2.

ssh -XC user@server from WSL 2 running Ubuntu 20.04 on Windows 11
-X enables X11 forwarding
-C is for data compression (loads everything a bit faster, but expect severe input delay and lag regardless if this is enabled)

After that, you install Firefox through your package manager and just run it. I can’t speak for what issues others may run into, but it was that simple for me.

4 Likes

I tried to reproduce this issue with two different VPNs on Edge browser but couldn’t do it. why is it not happening to me? is it fixed?

2 Likes

It’s either fixed or rolled out to only selected people.

1 Like

Try doing this with 0.5 mb of ram on a 3 dollar VPS and it wont go well.
Proxy into the webserver instead.

3 Likes

It’s out for group of users. It’s called A/B testing.

2 Likes

As if this is not the lazy way out to the security problem? This does not solve the issue of victims who have their credentials wholly compromised, and guess what, the same guys that used to steal the cookies will start stealing the credentials instead.

This does nothing to solve the issue of malicious users stealing currency and items, this is more aptly resolved with something such as 2FA on purchases, trades, etc. Steam does the same thing already, on IP change, instead of invalidating the entire user session, they simply make sure that all actions that involve a currency, item, or even account configuration require 2FA validation.

1 Like

I don’t really know what that’s supposed to prove, but okay.

1 Like

Oof. Yeah, I didn’t think that one through. I have a pretty crazy server that hosts a multitude of things. You’ve definitely got a significantly better solution, thanks!

I wanted to see how simple this was, and it’s super straightforward. I’ll also provide steps for that.

ssh -D <port> user@server (you can run this natively on Windows, no WSL needed)

You can then go into your browser settings and set your SOCKS5 proxy to 127.0.0.1:<port> and you’ll be connected! Watch out if you’re signed in to Roblox already however, because it’ll boot you out for having your IP changed.


Also a heads up to @AEW745, you shared a good chunk of your ROBLOSECURITY cookie so make sure that gets invalidated just in case. I also don’t really know anything of “TouchVPN” and it looks very suspicious at first glance, it could be feeding off your data so be wary of what you sign into with that.

1 Like

oh yeah dont be using touchvpn thats a “free vpn” on the chrome webstore its just a massive data harvesting app ive used it to just bypass school security systems lol

1 Like

I’d imagine this wasn’t officially announced as its sort of an account security change as this makes cookie logging near impossible which is awesome, but… they just kinda threw web devs, ranking bots, among other devs uner the bus… Ah roblox…

tldr; EPIC DUB for account security against cookie logging, sucks for web devs.

1 Like