Task #88216

closed

Remove lockIP option

Added by Benni Mack almost 5 years ago. Updated about 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: System/Bootstrap/Configuration
Start date: 2019-04-26
% Done: 0%
TYPO3 Version: 10

Description

As checked in Slack, handling the "Happy Eyeballs" issue with switching between IPv4 and IPv6 contradicts IPlock.

(1) https://en.wikipedia.org/wiki/Happy_Eyeballs
(2) https://security.stackexchange.com/questions/139952/why-arent-sessions-exclusive-to-an-ip-address

Answer from the hoster: apparently it's by design and it's called 'Happy Eyeballs' described in RFC8305 (1). Simple explanation: the network constantly looks for the best possible connection and thereby switches between IPv4 and IPv6. Obviously this doesn't go well with tying a session to an IP, which, apparently, is also controversial (2). I suppose I won't stick to the IPlock as much as I used to. Learned something today :wink:

Question is: should we get rid of this IPlock, as it only works with IPv4 and it's basically unusable with IPv4+IPv6 Round Robin? Adding IPv6 won't help much here...
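
The conflict described above, as an added sketch that is not TYPO3 code and not part of the original ticket: a session is bound to a prefix of the address seen at login, and a dual-stack client then alternates between address families. The function names, the `v4_octets` and `v6_prefix` parameters, and the sample addresses (documentation ranges) are assumptions of this example.

```python
import ipaddress


def lock_key(addr, v4_octets=4, v6_prefix=64):
    """Return the part of the client address a session is bound to.

    v4_octets (0 = lock disabled) and v6_prefix are hypothetical
    parameters of this sketch, not settings taken from the ticket.
    """
    if v4_octets == 0:
        return None
    ip = ipaddress.ip_address(addr)
    # Dual-stack sockets may report IPv4 clients as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = 8 * v4_octets if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def replay(requests, v4_octets=4, v6_prefix=64):
    """Bind the session to the first request's address, check the rest.

    Returns a list of (address, accepted) tuples.
    """
    bound = lock_key(requests[0], v4_octets, v6_prefix)
    return [(a, lock_key(a, v4_octets, v6_prefix) == bound) for a in requests]


def dropped(results):
    """Addresses whose requests would lose the session."""
    return [addr for addr, accepted in results if not accepted]


# Constructed sample: one dual-stack client whose connections alternate
# between IPv6 and IPv4, as Happy Eyeballs permits.
DUAL_STACK = ["2001:db8:1:2::10", "203.0.113.10",
              "2001:db8:1:2::10", "203.0.113.10"]

if __name__ == "__main__":
    for octets in (4, 2, 0):
        print(f"v4_octets={octets}: dropped={dropped(replay(DUAL_STACK, octets))}")
```

Loosening the IPv4 comparison or adding an IPv6 prefix comparison does not change the outcome, because the two families never share a key; only disabling the lock keeps the session alive.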


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #89869: IP Lock feature broken by modern IPv6 - Should be disabled by default or refactored (Closed, 2019-12-06)

Actions #1

Updated by Christoph Lehmann almost 5 years ago

We often removed the IP restriction because we load balanced outgoing connections through multiple ISPs.

In my opinion secure session cookies (with https flag) are enough security.

Actions #2

Updated by Frank Nägler over 4 years ago

  • Description updated (diff)
Actions #3

Updated by Rasmus Larsen over 4 years ago

  • Related to Bug #89869: IP Lock feature broken by modern IPv6 - Should be disabled by default or refactored added
Actions #4

Updated by Susanne Moog about 4 years ago

  • Category set to System/Bootstrap/Configuration
Actions #5

Updated by Susanne Moog about 4 years ago

  • Status changed from New to Accepted
Actions #6

Updated by Benni Mack about 4 years ago

  • Status changed from Accepted to Closed

it's disabled by default in TYPO3 v10
