#514 - Option to salt login cookies against IP address
Actually this proposal would break things for mobile/laptop users.
Maybe the "remember me" option should be a list: "no, yes but only on this IP address, yes for any roaming IP address".
Problem with that is that it is UI bloat, so should be optional. Maybe we can move it into a question dialog that opens when submitting the login, and include the cookie privacy warning on that too. We're talking more like 6 hours' work then though.
Most users won't have a static IP. It may take time to change, but if we hashed to it we would be logging users out even if they always are using the same DSL/Cable connection. Definitely with wifi and cellular though.
User-agents also aren't stable. If browsers are upgraded it will change, but also some browsers change their user agent to trick sites into displaying in different ways (at least Edge does).
I'll drop this issue, but I've added a note in #1387 (2FA) that a 2FA account should salt cookies by IP and user-agent. If this causes some logins to be lost more often that's reasonable and an expected trade-off for someone who set up 2FA. The sessions themselves won't be lost. This is probably very much in line with how the "Remember this machine" option works on 2FA logins, as opposed to just classic "Remember me".
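The trade-off discussed in this issue, as an added example that is not Composr's own code: a "remember me" cookie whose MAC covers the client IP and user-agent only for 2FA accounts, so an ordinary login can roam while a 2FA login stops validating once either attribute changes. The cookie layout, the `SERVER_KEY` secret and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret for the example; a real site would load a
# long-lived key from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def _context(bound, ip, user_agent):
    """Client attributes mixed into the MAC; empty when the login may roam."""
    if not bound:
        return b""
    # Length-prefix each field so adjacent values cannot be shifted between them.
    parts = [ip.encode(), user_agent.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def _tag(member_id, flag, nonce, ip, user_agent):
    msg = f"{member_id}:{flag}:{nonce}".encode()
    msg += _context(flag == "b", ip, user_agent)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(member_id, has_2fa, ip, user_agent):
    """Return a cookie value; 2FA accounts get IP + user-agent binding."""
    flag = "b" if has_2fa else "r"  # b = bound to client, r = roaming
    nonce = secrets.token_hex(16)
    tag = _tag(member_id, flag, nonce, ip, user_agent)
    return f"{member_id}:{flag}:{nonce}:{tag}"


def verify_cookie(cookie, ip, user_agent):
    """Return the member id if the cookie is valid for this client, else None."""
    fields = cookie.split(":")
    if len(fields) != 4 or fields[1] not in ("b", "r"):
        return None
    member_id, flag, nonce, tag = fields
    # The flag is inside the MAC, so a bound cookie cannot be relabelled "r".
    expected = _tag(member_id, flag, nonce, ip, user_agent)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # tampered, or IP / user-agent changed on a bound cookie
    return int(member_id)
```

A bound cookie that fails verification only drops the persistent login; the user signs in again and is issued a fresh cookie for the new IP or browser version.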