Task #88216

Remove lockIP option

Added by Benni Mack 4 months ago. Updated 13 days ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
-
Start date:
2019-04-26
Due date:
% Done:

0%

TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

As checked in Slack, handling the "Happy Eyeballs" issue with switching between IPv4 and IPv6 contradicts IPlock.

(1) https://en.wikipedia.org/wiki/Happy_Eyeballs
(2) https://security.stackexchange.com/questions/139952/why-arent-sessions-exclusive-to-an-ip-address

Answer from the hosting provider: apparently it's by design and it's called 'Happy Eyeballs', described in RFC 8305 (1). Simple explanation: the network constantly looks for the best possible connection and thereby switches between IPv4 and IPv6. Obviously this doesn't go well with tying a session to an IP, which, apparently, is also controversial (2). I suppose I won't stick to the IPlock as much as I used to. Learned something today :wink:

The question is: should we get rid of this IPlock, as it only works with IPv4 and is basically unusable with IPv4+IPv6 round robin? Adding IPv6 won't help much here...

History

#1 Updated by Christoph Lehmann 4 months ago

We often removed the IP restriction because we load-balanced outgoing connections through multiple ISPs.

In my opinion, secure session cookies (with the HTTPS flag) are enough security.
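The failure mode described in the ticket and the cookie-based alternative from comment #1, as an added example that is not TYPO3's own code: a model of an octet-count IP lock (the 0-4 octet semantics, the function names and the sample addresses are assumptions) replayed against a dual-stack client whose address family flips between requests.

```python
"""Model of a lockIP-style session check and why Happy Eyeballs breaks it.

Added example, not TYPO3 code. Modelled semantics (an assumption): lockIP is
an integer 0-4 giving how many leading IPv4 octets of the requesting address
must equal the address recorded when the session was created; 0 disables it.
"""
import ipaddress


def ip_matches(stored, current, lock_octets):
    """Return True if a request from `current` may continue the session bound to `stored`."""
    if lock_octets <= 0:
        return True  # lock disabled
    a, b = ipaddress.ip_address(stored), ipaddress.ip_address(current)
    if a.version != b.version:
        return False  # IPv4 <-> IPv6 flip: the octet lock can never match
    if a.version == 6:
        return a == b  # octet lock is IPv4-only; this model requires an exact v6 match
    return a.packed[:lock_octets] == b.packed[:lock_octets]


def count_forced_relogins(source_ips, lock_octets):
    """Replay the source addresses of one client's requests and count how often
    the lock invalidates its session (each invalidation forces a new login)."""
    session_ip = None
    relogins = 0
    for ip in source_ips:
        if session_ip is not None and ip_matches(session_ip, ip, lock_octets):
            continue  # same session continues
        if session_ip is not None:
            relogins += 1
        session_ip = ip  # new session bound to this address
    return relogins


def session_cookie_header(name, value):
    """The alternative from comment #1: protect the session via cookie attributes,
    not the source IP. Secure restricts the cookie to HTTPS, HttpOnly hides it
    from scripts, SameSite=Lax withholds it on cross-site subrequests."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample traffic (documentation prefixes, not real clients).
# Dual-stack client whose stack alternates address families per RFC 8305.
HAPPY_EYEBALLS_CLIENT = ["2001:db8::10", "203.0.113.10", "2001:db8::10", "203.0.113.10"]
# IPv4-only client behind a carrier NAT that changes only the last octet.
NAT_CLIENT = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
```

With the lock at any octet level the dual-stack client is logged out on every request, while the NAT client is only helped by lowering the level, which is exactly the IPv4-only trade-off the ticket describes.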

#2 Updated by Frank Naegler 13 days ago

  • Description updated (diff)
