Bug #64336
closed
FE-logins: For permanent sessions disable iplock-check
Description
Currently, if the iplock-check is enabled, it is always checked. For frontend logins there is the option to allow permanent logins. As is obvious, locking permanent logins to an IP makes no sense :-)
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36085
Updated by Gerrit Code Review over 9 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36085
Updated by Gerrit Code Review over 9 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36085
Updated by Helmut Hummel about 9 years ago
- Status changed from Under Review to Needs Feedback
Stefan Neufeind wrote:
> As is obvious, locking permanent logins to an IP makes no sense :-)
This is absolutely not obvious; on the contrary, it is a false assumption.
Please read my comment on https://review.typo3.org/#/c/36085/ for further explanations.
As we cannot just assume what is claimed here, do we really need yet another config option to respect an edge case?
Updated by Alexander Opitz almost 9 years ago
As the Patch is Abandoned, what is the state of this issue? Closing as Won't fix?
Updated by Stefan Neufeind over 8 years ago
- Status changed from Needs Feedback to New
Imho we need some way to make permanent logins a working solution, yes. (I don't want to argue whether you shouldn't use permanent logins at all etc. - it is there.)
So how can we address this? I'm available to discuss it if somebody wants.
Updated by Susanne Moog over 6 years ago
- Category changed from Frontend to Locking / Session Handling
Updated by Stefan Neufeind almost 5 years ago
This hit me another time: permanent sessions but ip-lock active. Sigh.
Updated by Benni Mack about 4 years ago
- Status changed from New to Rejected
Hey Stefan,
we reworked this locking check for v10, but also disabled it for TYPO3 v10 by default. I strongly recommend to NOT use IP locking anymore, and I'd like to remove it from Core in v11 (could be extracted into an extension). I just don't see an added security layer to it (discussed with the security team) and with the rise of IPv6 + Happy Eyeballing this feature is doomed to be error-prone.
The review was abandoned as having another config option is not going to happen - I recommend closing this issue. Feel free to re-open the issue if you want to pick this concept up again, or contact me directly.
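Added example, not part of the thread and not TYPO3 code: a simplified model of prefix-based session IP locking, replayed against constructed requests from one browser holding a permanent-login cookie, to show where the lock rejects the legitimate user. The `v4_octets` and `v6_blocks` settings and all function names are hypothetical.

```python
import ipaddress

def lock_prefix(addr, v4_octets=4, v6_blocks=8):
    """Return the network a session is pinned to, or None when locking is
    switched off for that address family (hypothetical settings)."""
    ip = ipaddress.ip_address(addr)
    parts, bits = (v4_octets, 8) if ip.version == 4 else (v6_blocks, 16)
    if parts == 0:
        return None
    return ipaddress.ip_network(f"{ip}/{parts * bits}", strict=False)

def session_accepted(login_addr, request_addr, **cfg):
    """True if a request from request_addr may reuse the session that was
    created from login_addr."""
    pinned = lock_prefix(login_addr, **cfg)
    if pinned is None:
        return True
    req = ipaddress.ip_address(request_addr)
    # A request over the other address family can never match the pinned prefix.
    return req.version == pinned.version and req in pinned

# Constructed sample data (documentation ranges from RFC 3849 / RFC 5737).
LOGIN = "2001:db8:1:2:aaaa:bbbb:cccc:1"
REQUESTS = [
    ("same address", "2001:db8:1:2:aaaa:bbbb:cccc:1"),
    ("IPv6 privacy address rotated", "2001:db8:1:2:1111:2222:3333:4"),
    ("Happy Eyeballs picked IPv4", "192.0.2.10"),
    ("next day, other network", "198.51.100.7"),
]

def replay(**cfg):
    """Map each constructed request to whether the session survives it."""
    return {label: session_accepted(LOGIN, addr, **cfg) for label, addr in REQUESTS}

if __name__ == "__main__":
    for cfg in ({}, {"v6_blocks": 4}, {"v4_octets": 0, "v6_blocks": 0}):
        print(cfg or "full-address lock", replay(**cfg))
```

Loosening the IPv6 lock to a /64 only rescues the rotated-address case; any switch of address family or network still ends the permanent session.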