Bug #64336
closed
FE-logins: For permanent sessions disable iplock-check
Added by Stefan Neufeind over 9 years ago.
Updated about 4 years ago.
Category: Locking / Session Handling
Description
Currently, if the iplock-check is enabled, it is always checked. For frontend-logins there is the option to allow permanent-logins. As is obvious, locking permanent logins to an IP makes no sense :-)
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36085
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36085
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36085
- Status changed from Under Review to Needs Feedback
Stefan Neufeind wrote:
As is obvious locking permanent logins to an IP makes no sense :-)
This is absolutely not obvious; on the contrary, it is a false assumption.
Please read my comment on https://review.typo3.org/#/c/36085/ for further explanations.
As we cannot just assume what is claimed here, do we really need yet another config option to respect an edge case?
As the Patch is Abandoned, what is the state of this issue? Closing as Won't fix?
- Status changed from Needs Feedback to New
Imho we need some way to make permanent logins a working solution, yes. (I don't want to argue whether you shouldn't use permanent logins at all etc. - it is there.)
So how can we address this? I'm available to discuss it if somebody wants.
- Category changed from Frontend to Locking / Session Handling
This hit me another time: permanent sessions, but ip-lock active. Sigh.
- Status changed from New to Rejected
Hey Stefan,
we reworked this locking check for v10, but also disabled it for TYPO3 v10 by default. I strongly recommend to NOT use IP locking anymore, and I'd like to remove it from Core in v11 (could be extracted into an extension). I just don't see an added security layer to it (discussed with the security team) and with the rise of IPv6 + Happy Eyeballing this feature is doomed to be error-prone.
The review was abandoned as having another config option is not going to happen - I recommend closing this issue. Feel free to re-open the issue if you want to pick this concept up again, or contact me directly.