10 Jan 2017 09:01 PM
Hey, many people are getting compromised via cookie stealing (roblosecurity), and I was wondering why ROBLOX uses cookies instead of sessions to store info?
10 Jan 2017 09:05 PM
Because cookies enable you to stay logged in for a prolonged period of time,
but you'd have to ask Roblox; none of us would know.
10 Jan 2017 09:06 PM
Same with sessions. I never use cookies, as they can be manipulated and it's risky unless you know what you're doing.
cntkillme
Joined: 07 Apr 2008
Total Posts: 44956
10 Jan 2017 09:11 PM
The cookie has the HttpOnly flag set. Chrome plugins can read these though, which is why they're being stolen.
10 Jan 2017 09:14 PM
Still, cookies can be modified, and tbh there is no use for them (that I see right now).
cntkillme
10 Jan 2017 09:15 PM
They probably are sessions though; maybe the cookie is just a mapping between you and some value on the server of who's logged in. Cookies are meant to store information in general on the client, but maybe the only thing roblosecurity is storing is a unique identifier?
10 Jan 2017 09:15 PM
What exactly are you talking about? Sessions are maintained BY cookies. Roblox can't account for every stupid scam kids fall for, sorry.
Wowgnomes
Joined: 27 Sep 2009
Total Posts: 26255
10 Jan 2017 09:16 PM
1. How does recoding their site, partially, cause them to increase income?
2. With double verification sign-in, it is solely upon a user if their account gets compromised.
While this update may prevent some accounts from being stolen, there are many ways in which accounts are stolen and I bet this isn't the highest reason.
Froast
Joined: 12 Mar 2009
Total Posts: 3134
10 Jan 2017 09:17 PM
Going with foreverpower on this one, what are you even trying to say?
There is nothing wrong with cookies: HttpOnly means they are sufficiently protected by the browser. Downloading sketchy Chrome extensions even when they specifically warn you the extension has direct access to all your cookies is a problem that is not ROBLOX's fault.
cntkillme
10 Jan 2017 09:18 PM
"2. With double verification sign in, it is solely upon a user if their account gets compromised." Having their roblosecurity cookie gets you past 2FA, last I checked.
10 Jan 2017 09:19 PM
@Forever What are you talking about? Here, look:
A cookie is set like this: setcookie("name","value",time()+$int);
Whereas a session is set like this: $_SESSION['sessionname'] = $var;
They are completely different, though sessions can do anything a cookie can. (Or most.)
cntkillme
10 Jan 2017 09:19 PM
Yes Froast, but it's entirely possible to make it impossible to get into someone else's account just because you have that cookie.
10 Jan 2017 09:23 PM
Yes, that is how they are set in PHP, but PHP is still using a cookie to maintain the session; that part of it is just hidden.
10 Jan 2017 09:23 PM
Froast? I ain't Froast.
True, but sessions make it MUCH simpler.
cntkillme
10 Jan 2017 09:23 PM
I was talking to Froast, not you.
10 Jan 2017 09:27 PM
@Froast
This is my stance. I prefer sessions, because the actual values are hidden from the user. You control when the data expires.
A good Q&A is also here: https://twitter.com/JustifiedCube/status/819022683392221184
It's a neat response.
10 Jan 2017 09:27 PM
"True, but sessions make it MUCH simpler"
But it doesn't eliminate the security risk. I guess it might somewhat mitigate it, because the session is not unique to the account and can be revoked.
10 Jan 2017 09:27 PM
@forever Yes it does. Session values cannot be edited by the user.
cntkillme
10 Jan 2017 09:28 PM
Regardless, Roblox already uses sessions. How else does "Sign out of all other sessions" work?
10 Jan 2017 09:29 PM
"the actual values are hidden from the user."
That's no different from what Roblox does. But there will always be some way to reveal the underlying implementation if you go out of your way to do it.
10 Jan 2017 09:29 PM
You can easily edit cookies on Roblox.
10 Jan 2017 09:30 PM
I don't think you understand what I'm saying. PHP's underlying session implementation uses cookies to maintain the session across the website, and thus can be revealed in the same way that other cookies can be revealed.
cntkillme
Froast
10 Jan 2017 09:31 PM
I have concluded that OP has no idea what he is talking about. PHP sessions are variables stored on the server, not the client, and guess how it identifies the current user to produce the relevant session files? That's right, a cookie named "PHPSESSID". The ROBLOX cookie is no different: it's simply an identifying session value which ROBLOX uses to then retrieve user info on the server.
NO USER INFO VALUES ARE STORED ON THE CLIENT; just try to imagine in your brain that the ROBLOSECURITY cookie is actually a renamed PHPSESSID. ROBLOX _DOES_ use a session-based system, for god's sake; you are confusing things that aren't related.
And cnt, could you elaborate?
cntkillme
10 Jan 2017 09:33 PM
Yeah Froast. What they do server-side to validate if someone is logged in is just hash their current session value with the client's IP and compare that against the saved one (from when they log in). The problem obviously is that when your IP changes you get logged out, but it makes stealing accounts just by having that value nearly impossible, no?