#514 - Option to salt login cookies against IP address
-
By Chris Graham
- Added
- 0 views
| Identifier | #514 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Option to salt login cookies against IP address |
| Status | Closed (rejected) |
| Tags |
Type: Security (custom) |
| Handling member | Chris Graham |
| Addon | core |
| Description | Currently if a login cookie is stolen you'd need to change your password. I think that is consistent with what people would expect - if they log out of one machine, or if their ISP changes their IP address, they expect these optional login cookies to keep them logged in.
However, going forward we will be moving to IP6 and not using proxies and DHCP so much, so we could reasonable make login cookies tied to a particular IP address. |
| Steps to reproduce | |
| Related to | |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
Maybe the "remember me" option should be a list: "no, yes but only on this IP address, yes for any roaming IP address".
Problem with that is that it is UI bloat, so should be optional. Maybe we can move it into a question dialog that opens when submitting the login, and include the cookie privacy warning on that too. We're talking more like 6 hours work then though.
Most users won't have a static IP. It may take time to change, but if we hashed to it we would be logging users out even if they always are using the same DSL/Cable connection. Definitely with wifi and cellular though.
User-agents also aren't stable. If browsers are upgraded it will change, but also some browsers change their user agent to trick sites into displaying in different ways (at least Edge does).