Bug #89869
IP Lock feature broken by modern IPv6 - Should be disabled by default or refactored
Status: Closed (100% done)
Description
Typo3 ships, by default, with IP locking on its session, which locks frontend and backend sessions to the initial IP they came from.
This feature can, in some scenarios, protect against session theft, e.g. cases where an attacker gains access to the session information but does not have full access to the victim's IP.
Unfortunately this feature completely breaks setups using IPv6 as it is used today. This is because of the "fast-fallback" or so-called Happy Eyeballs that makes the requester pick IPv4 or IPv6 based on which protocol gets a connection faster, which effectively makes the browser occasionally jump between IPv4 and IPv6.
https://en.wikipedia.org/wiki/Happy_Eyeballs
As this protocol is widely implemented, using a feature like IP lock in its current form essentially breaks session handling, and it does so in very unpredictable ways, since the IP address used may change at any time.
There are ways this could be mitigated:
- E.g. by locking IPv4 and IPv6 separately. This could be a solution, but it adds some extra complexity.
- By disabling IPv6. Which is really a no-go...
- By disabling IP lock.
I understand what IP lock tries to do, but I would suggest that the internet has simply become too complex for such a simple security mechanism, and the idea that a user only has one IP address (which may or may not be shared) is probably not coming back. I would suggest disabling IP lock by default or at least warning about the implications, especially with regard to IPv6.
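As an added illustration of the failure mode and of the first mitigation listed above (example code written for this page, not TYPO3's IpLocker; the class names, the per-family prefix lengths and the sample addresses are assumptions), the following models a dual-stacked browser whose requests alternate between its IPv4 and IPv6 address. A naive single-address lock rejects every request that arrives over the other family. Locking each address family separately keeps the session alive, but it also shows two caveats a practitioner should know: IPv6 privacy extensions rotate the host part of the address, so an exact IPv6 match still breaks (a /64 match is used here), and until the legitimate user has been seen on both families, the unbound family accepts the first address that shows up, attacker or not.

```python
"""Session IP locking: naive single-address lock vs. a per-address-family lock.

Added example for this bug report, not TYPO3 code. It simulates a Happy
Eyeballs client alternating between IPv4 and IPv6 within one session.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed request sequence: one browser session from a dual-stacked host.
# The last address is a new IPv6 temporary (privacy) address in the same /64.
HAPPY_EYEBALLS_SESSION = [
    "198.51.100.23",
    "2001:db8:1:2:3:4:5:6",
    "198.51.100.23",
    "2001:db8:1:2:aaaa:bbbb:cccc:dddd",
]

# Constructed attacker addresses replaying a stolen session id from elsewhere.
STOLEN_SESSION_REPLAY = ["203.0.113.77", "2001:db8:ffff::1"]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class NaiveIpLock:
    """Locks the session to the exact first address seen, whatever its family."""
    bound: Optional[str] = None

    def check(self, ip: str) -> bool:
        if self.bound is None:
            self.bound = ip
            return True
        return ip == self.bound


@dataclass
class FamilyIpLock:
    """Hypothetical per-family lock: IPv4 and IPv6 are bound independently.

    The first address of each family binds that family to a network of the
    configured prefix length; later requests of that family must fall inside
    it. IPv6 defaults to /64 because privacy extensions rotate the host part.
    """
    v4_prefix: int = 32
    v6_prefix: int = 64
    bound: Dict[int, Network] = field(default_factory=dict)

    def check(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        net = self.bound.get(addr.version)
        if net is None:
            prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
            self.bound[addr.version] = ipaddress.ip_network(
                (int(addr), prefix), strict=False
            )
            return True
        return addr in net


def run(lock, requests: List[str]) -> List[bool]:
    """Feed a request sequence through a lock; True means the request is accepted."""
    return [lock.check(ip) for ip in requests]


def hijack_attempt(lock, victim: List[str], attacker: List[str]) -> List[bool]:
    """Bind the lock with the victim's traffic, then replay the session from attacker addresses."""
    for ip in victim:
        lock.check(ip)
    return [lock.check(ip) for ip in attacker]


if __name__ == "__main__":
    print("naive lock, dual-stack user:     ", run(NaiveIpLock(), HAPPY_EYEBALLS_SESSION))
    print("per-family /64 lock, same user:  ", run(FamilyIpLock(), HAPPY_EYEBALLS_SESSION))
    print("per-family exact IPv6 (/128):    ", run(FamilyIpLock(v6_prefix=128), HAPPY_EYEBALLS_SESSION))
    print("replay after both families seen: ",
          hijack_attempt(FamilyIpLock(), HAPPY_EYEBALLS_SESSION, STOLEN_SESSION_REPLAY))
    print("replay over IPv6 before user used it:",
          hijack_attempt(FamilyIpLock(), ["198.51.100.23"], ["2001:db8:ffff::1"]))
```

The last line of output is the part worth noting when weighing the "lock IPv4 and IPv6 separately" option: a stolen session id replayed over a family the victim has not used yet is accepted, so the separate-lock design narrows the window rather than closing it.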
Updated by Rasmus Larsen almost 5 years ago
- Related to Task #88216: Remove lockIP option added
Updated by Markus Klein almost 5 years ago
I fully agree. Wanna prepare a patch?
Updated by Gerrit Code Review almost 5 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62574
Updated by Gerrit Code Review almost 5 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62574
Updated by Gerrit Code Review almost 5 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Gerrit Code Review almost 5 years ago
Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62559
Updated by Rasmus Larsen almost 5 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 6640925eb0ebeffd95c2b8f8922fc284d1413a12.
Updated by Benni Mack almost 5 years ago
- Status changed from Resolved to Closed
Updated by Markus Klein almost 5 years ago
- Related to Bug #90047: BUG with IP6 in IpLocker.php after protokoll switch ipv4 to ipv6 added