Project

General

Profile

Actions

Task #88216

closed

Remove lockIP option

Added by Benni Mack over 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
System/Bootstrap/Configuration
Start date:
2019-04-26
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

As checked in Slack, handling "Happy Eyeballs" issue with switching IPv4 and IPv6 contradicts with IPlock

(1) https://en.wikipedia.org/wiki/Happy_Eyeballs
(2) https://security.stackexchange.com/questions/139952/why-arent-sessions-exclusive-to-an-ip-address

Answer from the hoster: apparently it's by design and it's called 'Happy Eyeballs' described in RFC8305 (1). Simple explanation: the network constantly looks for the best possible connection and thereby switches between IPv4 and IPv6. Obviously this doesn't go well with tying a session to an IP, which, apparently, is also controversial (2). I suppose I won't stick to the IPlock as much as I used to. Learned something today :wink:

Question is --- should we get rid of this IPlock, as it only works with IPv4 and it's basically unusable with IPv4+IPv6 Round Robin. Adding IPv6 won't help much here...


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #89869: IP Lock feature broken by modern IPv6 - Should be disabled by default or refactoredClosed2019-12-06

Actions
Actions #1

Updated by Christoph Lehmann over 5 years ago

We often removed the IP restriction because we load balanced outgoing connections through multiple ISPs.

In my opinion secure session cookies (with https flaq) is enough security.

Actions #2

Updated by Frank Nägler over 5 years ago

  • Description updated (diff)
Actions #3

Updated by Rasmus Larsen almost 5 years ago

  • Related to Bug #89869: IP Lock feature broken by modern IPv6 - Should be disabled by default or refactored added
Actions #4

Updated by Susanne Moog over 4 years ago

  • Category set to System/Bootstrap/Configuration
Actions #5

Updated by Susanne Moog over 4 years ago

  • Status changed from New to Accepted
Actions #6

Updated by Benni Mack over 4 years ago

  • Status changed from Accepted to Closed

it's disabled by default in TYPO3 v10

Actions

Also available in: Atom PDF