View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 514 | Composr | core | public | 2012-05-27 13:13 | 2021-03-14 23:48 |
| Reporter | Chris Graham | Assigned To | Chris Graham | ||
| Priority | normal | Severity | feature | ||
| Status | closed | Resolution | won't fix | ||
| Summary | 514: Option to salt login cookies against IP address | ||||
| Description | Currently if a login cookie is stolen you'd need to change your password. I think that is consistent with what people would expect - if they log out of one machine, or if their ISP changes their IP address, they expect these optional login cookies to keep them logged in. However, going forward we will be moving to IP6 and not using proxies and DHCP so much, so we could reasonable make login cookies tied to a particular IP address. | ||||
| Tags | Type: Security | ||||
| Attach Tags | |||||
| Time estimation (hours) | 3 | ||||
| Sponsorship open | |||||
|
|
Actually this proposal would break things for mobile/laptop users. Maybe the "remember me" option should be a list: "no, yes but only on this IP address, yes for any roaming IP address". Problem with that is that it is UI bloat, so should be optional. Maybe we can move it into a question dialog that opens when submitting the login, and include the cookie privacy warning on that too. We're talking more like 6 hours work then though. |
|
|
Also considering salting to user agent. |
|
|
This is really tricky. Most users won't have a static IP. It may take time to change, but if we hashed to it we would be logging users out even if they always are using the same DSL/Cable connection. Definitely with wifi and cellular though. User-agents also aren't stable. If browsers are upgraded it will change, but also some browsers change their user agent to trick sites into displaying in different ways (at least Edge does). |
|
|
I'll drop this issue, but I've added a note in 1387 (2FA) that a 2FA account should salt cookies by IP and user-agent. If this causes some logins to be lost more often that's reasonable and an expected trade-off for someone who set up 2FA. The sessions themselves won't be lost. This is probably very much in line with how the "Remember this machine" option works on 2FA logins, as opposed to just classic "Remember me". |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-01-27 17:53 | Chris Graham | Note Added: 0006919 | |
| 2021-01-27 18:03 | Chris Graham | Relationship added | related to 1387 |
| 2021-03-14 23:42 | Chris Graham | Note Added: 0006993 | |
| 2021-03-14 23:48 | Chris Graham | Assigned To | => Chris Graham |
| 2021-03-14 23:48 | Chris Graham | Status | Not Assigned => Closed |
| 2021-03-14 23:48 | Chris Graham | Resolution | open => won't fix |
| 2021-03-14 23:48 | Chris Graham | Note Added: 0006994 |
