ROBLOX Forum » Game Creation and Development » Scripters
Re: Off-Topic a little? Question about ROBLOX Site

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:01 PM:
Hey,
Many people are getting compromised via cookie stealing (roblosecurity), and I was wondering why ROBLOX uses cookies instead of sessions to store info?

AggressiveCatch (Joined: 17 Jul 2011, Total Posts: 5840), 10 Jan 2017 09:05 PM:
Because cookies enable you to stay logged in for a prolonged period of time.

But you'd have to ask Roblox; none of us would know.

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:06 PM:
Same with sessions.
I never use cookies, as they can be manipulated and it's risky unless you know what you're doing.

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:11 PM:
The cookie has the HttpOnly flag set. Chrome plugins can read these though, which is why they're being stolen.

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:14 PM:
Still.
Cookies can be modified, and tbh there is no use for them (that I see right now).

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:15 PM:
They probably are sessions though, maybe the cookie is just a mapping between you and some value on the server of who's logged in. Cookies are meant to store information in general on the client, but maybe the only thing roblosecurity is storing is a unique identifier?

foreverpower (Joined: 05 Feb 2011, Total Posts: 5578), 10 Jan 2017 09:15 PM:
What exactly are you talking about? Sessions are maintained BY cookies. Roblox can't account for every stupid scam kids fall for, sorry.

Wowgnomes (Joined: 27 Sep 2009, Total Posts: 26255), 10 Jan 2017 09:16 PM:
1. How does recoding their site, partially, cause them to increase income?

2. With double verification sign in, it is solely upon a user if their account gets compromised.

While this update may prevent some accounts from being stolen, there are many ways in which accounts are stolen and I bet this isn't the highest reason.

Froast (Joined: 12 Mar 2009, Total Posts: 3134), 10 Jan 2017 09:17 PM:
Going with foreverpower on this one, what are you even trying to say?

There is nothing wrong with cookies: HttpOnly means they are sufficiently protected by the browser.
Downloading sketchy Chrome extensions, even when they specifically warn you the extension has direct access to all your cookies, is a problem that is not ROBLOX's fault.

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:18 PM:
"2. With double verification sign in, it is solely upon a user if their account gets compromised."
Having their roblosecurity cookie gets you past 2FA, last I checked.

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:19 PM:
@Forever
What are you talking about?
Here, look:

A cookie is set like this:
setcookie("name","value",time()+$int);

Whereas a session is set like this:
$_SESSION['sessionname'] = $var;

They are completely different, though sessions can do anything a cookie can. (Or most)

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:19 PM:
Yes, Froast, but it's entirely possible to make it impossible to get into someone else's account just because you have that cookie.

foreverpower (Joined: 05 Feb 2011, Total Posts: 5578), 10 Jan 2017 09:23 PM:
Yes, that is how they are set in PHP, but PHP is still using a cookie to maintain the session; that part of it is just hidden.

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:23 PM:
Froast?
I ain't Froast.

True, but sessions make it MUCH simpler.

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:23 PM:
I was talking to Froast, not you.

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:27 PM:
@Froast

This is my stance.
I prefer sessions, because the actual values are hidden from the user. You control when the data expires.

A good Q&A is also here:
https://twitter.com/JustifiedCube/status/819022683392221184

It's a neat response.

foreverpower (Joined: 05 Feb 2011, Total Posts: 5578), 10 Jan 2017 09:27 PM:
"True, but sessions make it MUCH simpler"

But it doesn't eliminate the security risk. I guess it might somewhat mitigate it because the session is not unique to the account and can be revoked.

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:27 PM:
@forever
Yes, it does.
Session values cannot be edited by the user.

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:28 PM:
Regardless, Roblox already uses sessions. How else does "Sign out of all other sessions" work?

foreverpower (Joined: 05 Feb 2011, Total Posts: 5578), 10 Jan 2017 09:29 PM:
"the actual values are hidden from the user."

That's no different from what Roblox does. But there will always be some way to reveal the underlying implementation if you go out of your way to do it.

Blaze_Pizza (Joined: 29 Oct 2011, Total Posts: 1908), 10 Jan 2017 09:29 PM:
You can easily edit cookies on Roblox.

foreverpower (Joined: 05 Feb 2011, Total Posts: 5578), 10 Jan 2017 09:30 PM:
I don't think you understand what I'm saying. PHP's underlying session implementation uses cookies to maintain the session across the website, and thus can be revealed in the same way that other cookies can be revealed.

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:31 PM:
^

Froast (Joined: 12 Mar 2009, Total Posts: 3134), 10 Jan 2017 09:31 PM:
I have concluded that OP has no idea what he is talking about. PHP sessions are variables stored on the server, not the client, and guess how it identifies the current user to produce relevant session files? That's right, a cookie named "PHPSESSID". The ROBLOX cookie is no different: it's simply an identifying session which ROBLOX uses to then retrieve user info on the server.

NO USER INFO VALUES ARE STORED ON THE CLIENT, just try to imagine in your brain that the ROBLOSECURITY cookie is actually a renamed PHPSESSID. ROBLOX _DOES_ use a session based system for god's sake, you are confusing things that aren't related.

And cnt, could you elaborate?

cntkillme (Joined: 07 Apr 2008, Total Posts: 44956), 10 Jan 2017 09:33 PM:
Yeah, Froast. What they do server-side to validate if someone is logged in is just hash their current session value with the client's IP and compare that against the saved one (from when they log in). The problem obviously is when your IP changes you log out, but it makes stealing accounts just by having that value nearly impossible, no?
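Froast's post above describes a session id cookie (PHPSESSID, or ROBLOSECURITY) that only maps to user data kept on the server, cntkillme's post describes validating that id by hashing it with the client's IP, and an earlier post mentions "Sign out of all other sessions". The following is an added illustration of those three ideas and is not code from the thread or from Roblox; the SESSIONID cookie name, the in-memory SESSIONS store and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: the browser only ever holds the opaque
# id in the cookie; user data and the IP binding live here, on the server.
SESSIONS = {}
COOKIE_NAME = "SESSIONID"  # stands in for PHPSESSID / ROBLOSECURITY


def bind_to_client(session_id: str, client_ip: str) -> str:
    """Hash the session value with the client's IP (cntkillme's scheme; a changed IP also fails)."""
    return hashlib.sha256(f"{session_id}|{client_ip}".encode()).hexdigest()


def create_session(user_id: int, client_ip: str) -> str:
    """Log a user in: mint a random id and record user id plus IP binding server-side."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user_id": user_id, "binding": bind_to_client(session_id, client_ip)}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie line with HttpOnly (no document.cookie access), Secure and SameSite."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_id
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


def authenticate(cookie_header: str, client_ip: str):
    """Resolve a Cookie header to a user id; None if unknown, revoked or presented from another IP."""
    morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
    if morsel is None:
        return None
    record = SESSIONS.get(morsel.value)
    if record is None:
        return None  # never issued, or already revoked
    if not hmac.compare_digest(record["binding"], bind_to_client(morsel.value, client_ip)):
        return None  # a copied cookie replayed from a different address fails here
    return record["user_id"]


def revoke_other_sessions(user_id: int, keep: str) -> int:
    """'Sign out of all other sessions': drop every record for the user except the current one."""
    stale = [sid for sid, rec in SESSIONS.items() if rec["user_id"] == user_id and sid != keep]
    for sid in stale:
        del SESSIONS[sid]
    return len(stale)
```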