This likely affects mobile users who change 4G/5G connection towers and receive a new IP address in the process. Our digid-eherkenning library has an additional security mechanism to protect against session hijacking, which results in an aborted DigiD assertion consumer view.
It doesn't happen frequently; the main concern I have is whether the end-user gets useful error feedback telling them to "try again" or whether they get a generic/cryptic error.
It should be easy to reproduce this by:
Initiate a DigiD login
Before completing the DigiD login, switch off wifi so you use your mobile connection (and thus force a different IP address)
Complete the login process which sends you back to our backend
Refinement: Agreement to remove the IP-check in the library to prevent this issue. Security implications are covered by session-protection and allowing an IP-change gives a better user experience. Also, the exception should be templated (or not stringified) to allow stacking in Sentry.
Sentry 343314
Relevant code handling this: open-forms/src/openforms/authentication/contrib/digid/views.py, line 73 in 9ff5f75
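Added illustration of the two behaviours discussed above (this is not code from open-forms or digid-eherkenning; the Session class, function names and the ReturnFlowAborted exception are assumptions): an IP-bound check aborts a legitimate return when the client's address changes mid-flow, while a check bound to the session cookie plus the one-time AuthnRequest ID still rejects replays and mismatched responses without depending on the address. The exception keeps its variable parts out of the message so an error tracker such as Sentry can group occurrences.

```python
# Added example, not the library's code. Names below are assumptions.
import secrets
from dataclasses import dataclass, field


class ReturnFlowAborted(Exception):
    # Fixed message text; varying values live in .details, so every
    # occurrence groups under one fingerprint instead of one per IP/ID.
    template = "SAML return rejected: %(reason)s"

    def __init__(self, reason, **details):
        super().__init__(self.template % {"reason": reason})
        self.reason, self.details = reason, details


@dataclass
class Session:
    data: dict = field(default_factory=dict)  # stands in for the Django session


def start_login(session, client_ip):
    # Remember what ties the returning browser to this login attempt.
    request_id = "_" + secrets.token_hex(16)  # constructed AuthnRequest ID
    session.data["saml_request_id"] = request_id
    session.data["login_ip"] = client_ip
    return request_id


def finish_login_session_bound(session, in_response_to):
    # Refined behaviour: rely on the session and the one-time request ID,
    # consumed on first use, and ignore the client address entirely.
    expected = session.data.pop("saml_request_id", None)
    if expected is None or not secrets.compare_digest(expected, in_response_to):
        raise ReturnFlowAborted("unexpected_in_response_to", got=in_response_to)
    return True


def finish_login_ip_bound(session, client_ip, in_response_to):
    # Original behaviour: the address must match the one seen at login,
    # which a 4G/5G hand-over or wifi switch breaks for an honest user.
    if session.data.get("login_ip") != client_ip:
        raise ReturnFlowAborted("ip_changed", expected=session.data.get("login_ip"),
                                got=client_ip)
    return finish_login_session_bound(session, in_response_to)


def attempt(check, *args):
    # Small helper: "ok" on success, otherwise the templated reason.
    try:
        check(*args)
        return "ok"
    except ReturnFlowAborted as exc:
        return exc.reason
```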