#513 - Usergroup setting to limit sessions to full IP
"Ideally" we would use CIDR ranges (similar to subnet masks) to identify what part of the IP is a network, and limit to that. However:
- that would need to involve a WHOIS lookup (library: https://github.com/sparc/phpWhois.org). This is pretty over-complex and a performance concern
- if we detect a network is large, actually we DON'T want to allow any IP on that network to work with the session. Imagine a huge IP address network of a very common ISP. We'd be degrading security a lot to allow any IP on that network.
I also don't love the idea of coding extra security via usergroup settings. If Bob is made an admin but Bob moves between wi-fi and cellular on their Chromebook, Bob should not get logged out each time this happens just because he's an admin - him having admin responsibilities may make it more likely he'll be accessing the site a lot when he's out and about (although he could use a VPN which might be nice).
It's quite a complex issue.
I think realistically we have only 3 reasonable configuration scenarios for a site, all currently supported in v10:
- No IP bind for sessions
- IP bound to first 3 octets, final octet is free
- IP bound to all 4 octets
When I thought more I realised we were never actually trying to make sure someone is on the same network. The situation of IP drift was designed for *transparent proxy servers*, which have similar IPs and are randomised. We found people were sometimes subjected to this. It's not the same thing.
Most software doesn't bind IPs to sessions. So we already have extra security. And we already allow people to raise up or lower down the default as per the 3 scenarios I listed.
Adding extra network requirements for admins specifically, it's just not really reasonable in the real world because the limits people have are more to do with the context people find themselves in than who they are in terms of access. And I don't like adding more configuration and code complexity for a debatable improvement. And as I said, most software doesn't even have an IP restriction here. The key thing is session IDs should not be stealable, and in v11 we are protecting them even better.
Also of note is that if someone is logged out due to an IP change, they'll be logged right back in automatically if they had selected "remember me".
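
Added example, not part of the original comment and not Composr's own code: a sketch of how the three configuration scenarios listed above behave when a session's IP changes, comparing drift within the final octet against a move between networks. The constant names, the function name and the sample addresses are hypothetical, and only IPv4 is handled.

```php
<?php
// Added illustration only: not Composr's code. Constant and function names are hypothetical.
const BIND_NONE = 0;          // no IP bind for sessions
const BIND_THREE_OCTETS = 3;  // first 3 octets bound, final octet free
const BIND_FULL = 4;          // all 4 octets bound

/** Decide whether a request IP may continue a session created from $sessionIp. */
function session_ip_matches(string $sessionIp, string $requestIp, int $mode): bool
{
    if ($mode === BIND_NONE) {
        return true;
    }
    if ($mode !== BIND_THREE_OCTETS && $mode !== BIND_FULL) {
        return false; // unknown mode: fail closed
    }
    // Only dotted-quad IPv4 is handled here; anything else fails closed (assumption).
    $a = filter_var($sessionIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    $b = filter_var($requestIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    if ($a === false || $b === false) {
        return false;
    }
    // Compare the leading $mode octets as integers.
    $octetsA = array_map('intval', array_slice(explode('.', $a), 0, $mode));
    $octetsB = array_map('intval', array_slice(explode('.', $b), 0, $mode));
    return $octetsA === $octetsB;
}

// Constructed sample data using documentation address ranges.
$cases = [
    'same address'             => ['192.0.2.10', '192.0.2.10'],
    'drift within final octet' => ['192.0.2.10', '192.0.2.37'],
    'wi-fi to cellular'        => ['192.0.2.10', '198.51.100.23'],
];
$modes = ['none' => BIND_NONE, '3 octets' => BIND_THREE_OCTETS, '4 octets' => BIND_FULL];

foreach ($cases as $label => [$sessionIp, $requestIp]) {
    foreach ($modes as $modeName => $mode) {
        $ok = session_ip_matches($sessionIp, $requestIp, $mode);
        printf("%-26s %-9s %s\n", $label, $modeName, $ok ? 'session kept' : 'logged out');
    }
}
```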