User Sessions are bound to IP #113
Comments
Good point. Let's change this behavior after we've done our first baby steps 👶
Sounds very reasonable to increase convenience 🇰🇵
For security reasons it makes sense to bind the session to things like the remote address, but for user convenience it doesn't ;)
But then also in the right context: OWASP/phpsec#84 (comment)
That's another way to do it, although GeoIP also often delivers unusable results, which can in turn lead to a poor user experience. Another option would be, for example, to match on the first two octets of the subnet of the user's IP. However, that is again a problem if the ISP allocates blocks larger than /16. And what is of course still difficult: what happens when users come via Tor or similar, where "user cannot travel 1000 miles in 2 min" doesn't apply?
File: controllers/basectrl.go
Line: 28 - SESSION_IP = "ip"
It is not a good idea to bind sessions to an IP.
If the user is on a mobile network, it is likely that his IP will change if he changes cellphone cells.
(For example: a user is on public transportation and tries to make a reservation. He will be logged out again and again, because his phone is constantly getting a new IP because of location changes.)
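The trade-off discussed in this issue (exact IP binding logs out mobile users, a /16 prefix match as suggested in the comments is looser but ISP-dependent, and neither helps against clients arriving over Tor) can be made concrete with a small session check. The following is an added example written for this thread, not code from this repository: the `Session`, `BindMode` and `ValidateSession` names, the IPv6 /48 width and all addresses are assumptions constructed for illustration; only the /16 IPv4 width comes from the discussion above.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// BindMode controls how strictly a session is tied to the client address.
type BindMode int

const (
	BindNone   BindMode = iota // no address check at all
	BindExact                  // address must match the login address exactly
	BindPrefix                 // address must share a /16 (IPv4) or /48 (IPv6) with it
)

func (m BindMode) String() string {
	return [...]string{"none", "exact", "prefix"}[m]
}

// Session is a minimal stand-in for a server-side session record (assumed
// shape, not the project's own): the address observed when it was created.
type Session struct {
	UserID string
	Addr   netip.Addr
}

// clientAddr parses a remote address as an HTTP handler sees it: either
// "host:port" (r.RemoteAddr) or a bare IP (e.g. from a trusted proxy header).
func clientAddr(remote string) (netip.Addr, error) {
	host := remote
	if h, _, err := net.SplitHostPort(remote); err == nil {
		host = h
	}
	a, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad client address %q: %w", remote, err)
	}
	// Normalise IPv4-mapped IPv6 (::ffff:10.0.1.5) so it compares as IPv4.
	return a.Unmap(), nil
}

// SameNetwork reports whether a and b share a prefix: v4Bits for IPv4,
// v6Bits for IPv6. Addresses of different families never match.
func SameNetwork(a, b netip.Addr, v4Bits, v6Bits int) bool {
	a, b = a.Unmap(), b.Unmap()
	if a.Is4() != b.Is4() {
		return false
	}
	bits := v6Bits
	if a.Is4() {
		bits = v4Bits
	}
	p, err := a.Prefix(bits) // masked prefix of the login address
	if err != nil {
		return false
	}
	return p.Contains(b)
}

// ValidateSession decides whether a request from remote may continue to use
// session s under the chosen policy. A parse error is reported separately so
// callers can distinguish "wrong network" from "garbage address".
func ValidateSession(s Session, remote string, mode BindMode) (bool, error) {
	if mode == BindNone {
		return true, nil
	}
	cur, err := clientAddr(remote)
	if err != nil {
		return false, err
	}
	switch mode {
	case BindExact:
		return cur == s.Addr.Unmap(), nil
	case BindPrefix:
		return SameNetwork(s.Addr, cur, 16, 48), nil
	}
	return false, fmt.Errorf("unknown bind mode %d", mode)
}

func main() {
	// Constructed scenario from the issue: a mobile user logs in, then the
	// carrier hands the phone a new address in the same /16 as the train moves;
	// the third request comes from an unrelated network (e.g. an exit node).
	s := Session{UserID: "alice", Addr: netip.MustParseAddr("10.0.1.5")}
	for _, req := range []string{"10.0.1.5:51234", "10.0.7.200:51235", "198.51.100.7:443"} {
		for _, m := range []BindMode{BindExact, BindPrefix, BindNone} {
			ok, err := ValidateSession(s, req, m)
			fmt.Printf("request from %-18s mode=%-6v allowed=%v err=%v\n", req, m, ok, err)
		}
	}
}
```

Running it shows the second request rejected only under `exact` and the third rejected under both `exact` and `prefix`, which is the convenience-versus-security line the comments draw; a deployment that picks `prefix` should still expect false logouts for ISPs that hand out addresses across more than one /16, as the comment above notes.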