Do not check the IP address with session protection disabled #1182
Conversation
This allows the user to stay logged in if his IP changes. Fixes shaarli#1106
As the PR addresses (pun intended :) ) IPv6 privacy extensions, I'd suggest we:
Resources:
Related PHP libs:
I don't understand your point, from my understanding there is no difference between how we treat IPv4 and IPv6 addresses. We use them to:
The point is that IPv6 behaves differently than IPv4, as local client address renewal is part of the protocol (vs. static local IPv4 addresses). I'm not sure how web frameworks handle this so it might be worth looking under the hood (and maybe switch to a well-maintained 3rd-party component to handle authentication?)
Oh, I didn't know that. I'll look around for implementations, but I don't think we can find a third-party lib which fits our needs and doesn't require a database.
Any update on this? As I am facing the same issue as well.
So, I looked at the Symfony implementation, and read a few SO threads. Symfony includes two implementations, and neither of them includes an IP check:
From my understanding, tying the IP to the authentication cookie is not such a good idea as it can change for valid reasons. And if the address changes with the IPv6 protocol, then it can't work at all. In any case, I'm going to merge this, as it does not lower the security for users who have the option enabled, and as it prevents valid users from using the feature properly. A few threads:
This allows the user to stay logged in if his IP changes.
Fixes #1106
Note: this setting labelled « Disabled protection » can obviously become a security issue.
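As an added illustration of the logic this PR changes (example code, not Shaarli's own; the function name, session fields and sample addresses are assumptions), the IP comparison is skipped entirely when session protection is disabled, so expiry becomes the only remaining check:

```php
<?php
// Added example, not Shaarli's code: a minimal server-side session check that
// binds the session to the client IP only when "session protection" is on.
// Field names ('expires', 'ip') and the sample values are constructed.

/**
 * Return true if the stored session is still valid for this request.
 *
 * @param array  $session      server-side session data: 'expires' (Unix time), 'ip'
 * @param string $clientIp     $_SERVER['REMOTE_ADDR'] of the current request
 * @param bool   $protectionOn the user's "session protection" setting
 * @param int    $now          current Unix time
 */
function isSessionValid(array $session, string $clientIp, bool $protectionOn, int $now): bool
{
    // Expiry is enforced regardless of the protection setting.
    if (!isset($session['expires']) || $now > $session['expires']) {
        return false;
    }
    // Before this PR the IP comparison ran unconditionally, so a client whose
    // address changed (mobile networks, IPv6 privacy extensions) was logged
    // out even with protection disabled. It now applies only when enabled.
    if ($protectionOn && (($session['ip'] ?? null) !== $clientIp)) {
        return false;
    }
    return true;
}

// Constructed sample: the session was created from one IPv6 address and the
// next request arrives from a renewed temporary address (privacy extensions).
$createdAt = 1700000000;
$session   = ['expires' => $createdAt + 3600, 'ip' => '2001:db8::1'];
$renewedIp = '2001:db8::abcd';

// Protection enabled and the address changed: the session is rejected.
var_dump(isSessionValid($session, $renewedIp, true, $createdAt + 100));
// Protection disabled: the changed address is ignored, only expiry counts.
var_dump(isSessionValid($session, $renewedIp, false, $createdAt + 100));
// Same address as at login: accepted with protection enabled.
var_dump(isSessionValid($session, '2001:db8::1', true, $createdAt + 100));
// Past 'expires': rejected whatever the protection setting.
var_dump(isSessionValid($session, '2001:db8::1', false, $createdAt + 4000));
```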