Bug #89869

IP Lock feature broken by modern IPv6 - Should be disabled by default or refactored

Added by Rasmus Larsen about 2 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Authentication
Start date:
2019-12-06
Due date:
% Done:
100%

TYPO3 Version:
9
PHP Version:
7.3
Tags:
ipv6, ipv4, sessions
Complexity:
Is Regression:
Sprint Focus:

Description

TYPO3 ships, by default, with IP locking on its sessions, which locks frontend and backend sessions to the initial IP they came from.
This feature can, in some scenarios, protect against session theft, e.g. cases where an attacker gains access to the session information but does not have full access to the victim's IP.

Unfortunately this feature completely breaks setups using IPv6 as it's used. This is because of the "fast fallback", or so-called Happy Eyeballs, that makes the requester pick IPv4 or IPv6 based on which protocol gets a connection faster, which effectively makes the browser occasionally jump between IPv4 and IPv6.
https://en.wikipedia.org/wiki/Happy_Eyeballs

As this protocol is widely implemented, using a feature like IP lock in its current form essentially breaks session handling, and it does so in very unpredictable ways, since the IP address used may change at any time.

There are ways this could be mitigated:

- E.g. by locking IPv4 and IPv6 separately; this could be a solution, but it adds some extra complexity.
- By disabling IPv6, which is really a no-go...
- By disabling IP lock.

I understand what IP lock tries to do, but I would suggest that the internet has simply become too complex for such a simple security mechanism, and the idea that a user only has one IP address (which may or may not be shared) is probably not coming back. I would suggest disabling IP lock by default or at least warning about the implications, especially with regards to IPv6.
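An added illustration of the session behaviour described in this report (example code, not TYPO3's IpLocker and not the reporter's): a single-address lock rejects a Happy Eyeballs client as soon as it switches address family, while the per-family lock sketched in the first mitigation accepts the switch yet still rejects a different host. The request sequence, the documentation-range addresses and the "parts compared" counts are constructed assumptions.

```python
import ipaddress

# Constructed request sequence: one client whose browser alternates between its
# IPv4 and IPv6 address mid-session (Happy Eyeballs). Documentation ranges only.
HAPPY_EYEBALLS_CLIENT = ["203.0.113.7", "2001:db8::7", "203.0.113.7", "2001:db8::7"]

# Leading address parts to compare, in the spirit of TYPO3's lockIP setting
# (octets for IPv4, hextets for IPv6). These counts are assumptions.
DEFAULT_PARTS = {4: 4, 6: 8}


def lock_key(addr: str, parts=DEFAULT_PARTS):
    """Return (family, compared parts): what a session stores at creation and
    what every later request is compared against."""
    ip = ipaddress.ip_address(addr)
    sep = "." if ip.version == 4 else ":"
    return ip.version, tuple(ip.exploded.split(sep)[: parts[ip.version]])


def naive_lock(session: dict, addr: str) -> bool:
    """Single-address lock as the report describes it: the session is bound to
    whichever address created it, so a change of address family is rejected."""
    key = lock_key(addr)
    session.setdefault("ip", key)
    return session["ip"] == key


def per_family_lock(session: dict, addr: str) -> bool:
    """Mitigation from the report: lock IPv4 and IPv6 separately. Each family
    is bound the first time it is seen; later requests must match the address
    bound for their own family. Caveat: until a family is bound, any address
    of that family is accepted and binds it, so this is weaker than the
    single-address lock. That is the extra complexity the report mentions."""
    family, key = lock_key(addr)
    bound = session.setdefault("ip_by_family", {})
    bound.setdefault(family, key)
    return bound[family] == key


def replay(check, addrs):
    """Run one fresh session through a sequence of request addresses and
    return the per-request accept/reject decisions."""
    session = {}
    return [check(session, a) for a in addrs]


if __name__ == "__main__":
    print("naive     ", replay(naive_lock, HAPPY_EYEBALLS_CLIENT))
    print("per-family", replay(per_family_lock, HAPPY_EYEBALLS_CLIENT))
    # A different host on either family is still rejected by the per-family lock
    print("stranger  ", replay(per_family_lock, HAPPY_EYEBALLS_CLIENT + ["198.51.100.9", "2001:db8::99"]))
```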


Related issues

Related to TYPO3 Core - Task #88216: Remove lockIP option New 2019-04-26
Related to TYPO3 Core - Bug #90047: BUG with IP6 in IpLocker.php after protokoll switch ipv4 to ipv6 Resolved 2020-01-02

Associated revisions

Revision 6640925e (diff)
Added by Rasmus Larsen about 2 months ago

[BUGFIX] Disable lockIP by default

IPLock breaks modern IPv6 setups because of the Fast fallback
aka. Happy Eyeballs algorithm that can cause users to jump between
IPv4 and IPv6 arbitrarily.
Enabling lockIP should be a very conscious decision, not a default.

Resolves: #89869
Releases: master
Change-Id: I4b0fde1f767bfca613276d4763b91d9feb86ea27
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Tested-by: Markus Klein <>
Tested-by: TYPO3com <>
Tested-by: Georg Ringer <>
Tested-by: Alexander Schnitzler <>
Tested-by: Benni Mack <>
Reviewed-by: Markus Klein <>
Reviewed-by: Georg Ringer <>
Reviewed-by: Alexander Schnitzler <>
Reviewed-by: Oliver Bartsch <>
Reviewed-by: Benni Mack <>

History

#1 Updated by Rasmus Larsen about 2 months ago

#2 Updated by Markus Klein about 2 months ago

I fully agree. Wanna prepare a patch?

#3 Updated by Gerrit Code Review about 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#4 Updated by Gerrit Code Review about 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#5 Updated by Gerrit Code Review about 2 months ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62574

#6 Updated by Gerrit Code Review about 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62574

#7 Updated by Gerrit Code Review about 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62574

#8 Updated by Gerrit Code Review about 2 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#9 Updated by Gerrit Code Review about 2 months ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#10 Updated by Gerrit Code Review about 2 months ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#11 Updated by Gerrit Code Review about 2 months ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#12 Updated by Gerrit Code Review about 2 months ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#13 Updated by Gerrit Code Review about 2 months ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#14 Updated by Gerrit Code Review about 2 months ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#15 Updated by Gerrit Code Review about 2 months ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#16 Updated by Gerrit Code Review about 2 months ago

Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559

#17 Updated by Rasmus Larsen about 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#18 Updated by Benni Mack about 1 month ago

  • Status changed from Resolved to Closed

#19 Updated by Markus Klein 12 days ago

  • Related to Bug #90047: BUG with IP6 in IpLocker.php after protokoll switch ipv4 to ipv6 added
