TYPO3 Core

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36085

Stefan Neufeind wrote:

As is obvious locking permanent logins to an IP makes no sense :-)

This is absolutely not obvious, in contrary it is a false assumption.

Please read my comment on https://review.typo3.org/#/c/36085/ for further explanations.

As we cannot just assume what is claimed here, do we really need yet another config option to respect an edge case?

Imho we need some way to make permanent logins a working solution, yes. (I don't want to argue whether you shouldn't use permanent logins at all etc. - it is there.)

So how can we address this? I'm available to discuss it if somebody wants.

Hey Stefan,

we reworked this locking check for v10, but also disabled it for TYPO3 v10 by default. I strongly recommend to NOT use IP locking anymore, and I'd like to remove it from Core in v11 (could be extracted into an extension). I just don't see an added security layer to it (discussed witih the security team) and with the rise of IPv6 + Happy Eyeballing this feature is doomed to be error prone.

The review was abandoned as having another config option is not going to happen - I recommend closing this issue. Feel free to re-open the issue if you want to pick this concept up again, or contact me directly.