Preventing Session Cookie Stealing on ROBLOX

Hi, so I think if we implemented a system like Facebook has, it would be perfect to prevent cookie stealing on ROBLOX, or at least reduce it by a great amount.

WAY IT WORKS:

  1. User logs into ROBLOX.
  2. IP gets stored in a table.
  3. Website constantly checks that the IP matches the IP that was used to log in.
  4. If it detects a difference, then it asks for the user's password to continue.
  5. Profit!

Thanks for listening!

[size=1]~ Luckymaxer is awesome <3[/size]


I’d love to see profit achieved on this one! :woohoo:

and cool, your 2nd post :open_mouth:

[size=1]hi moded! yay for tiny print[/size]

Seems fairly straightforward, I wonder why this hasn’t been done in the past.

Good idea.

They do not do this because it creates problems for mobile users and users with IPs that change often. They even tried to turn this feature on once but a large enough group of users complained for them to revert it.

Not everyone has a static IP. So yes, this would fix the problem for a large number of users. But sadly not all :frowning:

This is something we’re actively thinking about. As has been pointed out, IP addresses can change and they can also be shared (think all the computers in a computer lab or in a library). Our thinking is that we need to address both scenarios. If you have additional thoughts/suggestions on how to tighten this up, please follow up to the thread.

Uh, a dynamic IP at least lasts for quite a while (days to weeks). I mean, if we want some extra security then we should ‘sacrifice’ some of our effort.

EDIT: Oh well, the library is gonna be quite a problem, yeah ;-(

I could be wrong, but I’d think the scenario of a shared IP is fairly rare?

Is there any other hardware/client information the browser can read that could be tracked in this way?
Honestly, I’d be fine with this being some sort of optional feature that requires a Chrome extension or something to use.

Fixating on the user’s IP doesn’t really work for users with static addresses, as has been said many times.

The proper fix for this is to:
[ul]
[li]Enable SSL for all pages and set the SECURE flag on session cookies. This will prevent all sorts of over-the-network session stealing. But this might take extensive engineering effort.[/li]
[li]Provide users with a way to invalidate all sessions. That way, if someone does manage to get into your account by social engineering or otherwise, you can kick them out. Preferably there would be a list of valid sessions like GitHub and other sites have.[/li]
[/ul]

And then for extra credit security allow an opt-in two factor authentication with your phone.
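As an added illustration of the two fixes listed in the post above (a session cookie with the Secure flag, and a server-side session registry that can list and invalidate sessions), here is a small Python sketch. It is example code written for this thread, not ROBLOX's implementation; the cookie name `session` and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    user_agent: str
    created: float
    revoked: bool = False


class SessionStore:
    """Server-side session registry (example only, not ROBLOX's code)."""

    def __init__(self):
        # Keyed by a hash of the session id, so a leaked store does not
        # directly hand out usable cookies.
        self._sessions = {}

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user, ip, user_agent):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(sid)] = Session(user, ip, user_agent, time.time())
        return sid

    def set_cookie_header(self, sid):
        # Secure: never sent over plain HTTP (the "over-the-network" case).
        # HttpOnly: not readable by page scripts. SameSite=Lax limits CSRF.
        return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def lookup(self, sid):
        s = self._sessions.get(self._key(sid))
        return s if s is not None and not s.revoked else None

    def list_active(self, user):
        # The "list of valid sessions" view: device/IP per active session.
        return [s for s in self._sessions.values() if s.user == user and not s.revoked]

    def sign_out_all_others(self, sid):
        current = self.lookup(sid)
        if current is None:
            raise PermissionError("not signed in")
        revoked = 0
        for s in self._sessions.values():
            if s.user == current.user and s is not current and not s.revoked:
                s.revoked = True
                revoked += 1
        return revoked
```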

Why not tie the sessions to MAC addresses? MAC addresses don’t change (unless spoofed, which is also possible with IP addresses).

If ROBLOX were simply a game client, that would be a reasonable solution, but it’s not. There’s also the website component which is accessed from browsers, and browsers are not aware of MAC addresses.

Well, there’s now a “Sign out of all other Sessions” button under account settings. That should help.

[quote]Well, there’s now a “Sign out of all other Sessions” button under account settings. That should help.[/quote]

Are you sure that’s not for beta only? I don’t see it.

Has to be some alpha/beta testing on some accounts, I don’t have it.

The “Sign out of all Sessions” button will be enabled for all users shortly. That feature is currently in beta to ensure that we don’t accidentally log off all of our users, and of course for scaling concerns.

Uh, what if the person who got into your account without permission clicks that button first?

Is this password protected?

[quote]Is this password protected?[/quote]

Presuming the user who got into your account knows the password, it would be trivial for this to happen.

I propose that it should send an e-mail to the account holder with a link to get back into their account in case this happens. Of course, if the e-mail was stolen too, that wouldn’t be useful, but this should at least hold off password guessers.

[quote]
I could be wrong, but I’d think the scenario of a shared IP is fairly rare?

Is there any other hardware/client information the browser can read that could be tracked in this way?
Honestly, I’d be fine with this being some sort of optional feature that requires a Chrome extension or something to use.
[/quote]

Members that use a VPN might have a shared IP address, as will multiple users at a school for example.

I wonder if the ROBLOX browser plug-in could be modified to retrieve some sort of HWID?

We’re working on other ways to protect your account access, and protect your inventory/funds.