ignore_login_ip as a configuration setting is a historic feature to improve security of logged in sessions. With HTTPS this is rather superfluous but is still enabled by default and can present issues to users who sit behind some sort of round-robin NAT where their IP address can quickly change between requests. It may be worth keeping ignore_login_ip enabled if HTTPS is not enabled but it creates more issues than it solves if HTTPS is enabled.
I think this is a sensible option / update, especially now there are services such as LetsEncrypt that offer free HTTPS certificates.
When I first read the title of this question, I mentally parsed it as: ignore login ip if a user is logging in over https
rather than: set this global system param if the configuration supports https
The first of these feels slightly less risky - but I think it's marginal - so happy with either interpretation.
I have reviewed the code and it is only referenced in one place so I was planning to just modify the if statement to say ignore_login_ip or securehost is set.