Bug #89869

IP Lock feature broken by modern IPv6 - Should be disabled by default or refactored

Added by Rasmus Larsen almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Authentication
Start date: 2019-12-06
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 9
PHP Version: 7.3
Tags: ipv6, ipv4, sessions
Complexity:
Is Regression:
Sprint Focus:

Description

TYPO3 ships, by default, with IP locking on its sessions, which locks frontend and backend sessions to the initial IP they came from.
This feature can, in some scenarios, protect against session theft, e.g. cases where an attacker gains access to the session information but does not have full access to the victim's IP.

Unfortunately this feature completely breaks setups using IPv6 as it is used. This is because of the "fast-fallback" or so-called Happy Eyeballs that makes the requester pick IPv4 or IPv6 based on which protocol gets a connection faster, which effectively makes the browser occasionally jump between IPv4 and IPv6.
https://en.wikipedia.org/wiki/Happy_Eyeballs

As this protocol is widely implemented, using a feature like IP lock in its current form essentially breaks session handling, and it does so in very unpredictable ways, since the IP address used may change at any time.

There are ways this could be mitigated:

- E.g. by locking IPv4 and IPv6 separately. This could be a solution, but it adds some extra complexity.
- By disabling IPv6, which is really a no-go...
- By disabling IP lock.

I understand what IP lock tries to do, but I would suggest that the internet has simply become too complex for such a simple security mechanism, and the idea that a user only has one IP address (which may or may not be shared) is probably not coming back. I would suggest disabling IP lock by default or at least warning about the implications, especially with regard to IPv6.
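
The following is an added illustration of the failure mode in the report and of its first suggested mitigation (a separate lock per address family). It is example code written for this page, not TYPO3's IpLocker and not code from the reporter; the class names, the `replay` helper and the client addresses (taken from the documentation ranges 203.0.113.0/24 and 2001:db8::/32) are constructed for the demonstration.

```python
"""Session IP lock compared with a per-address-family lock.

Added example, not TYPO3 code. Sample addresses are constructed from the
documentation ranges 203.0.113.0/24 and 2001:db8::/32.
"""
import ipaddress
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def normalize(raw: str) -> IPAddress:
    """Parse a client address. IPv4-mapped IPv6 (::ffff:a.b.c.d), which a
    dual-stack listener may report for an IPv4 client, is unwrapped so the
    same IPv4 client is not treated as two different families."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


class SingleAddressLock:
    """The behaviour the report describes: pin the session to the first
    address seen. Any other address, including one from the other family
    after a Happy Eyeballs switch, is rejected."""

    def __init__(self) -> None:
        self.locked: Optional[IPAddress] = None

    def check(self, raw: str) -> bool:
        addr = normalize(raw)
        if self.locked is None:
            self.locked = addr
            return True
        return addr == self.locked


class PerFamilyLock:
    """The report's first mitigation: one lock per address family. A request
    is compared only against the lock for its own family, so a v4<->v6 switch
    is accepted while a change of address *within* a family is still rejected."""

    def __init__(self) -> None:
        self.locked: Dict[int, Optional[IPAddress]] = {4: None, 6: None}

    def check(self, raw: str) -> bool:
        addr = normalize(raw)
        current = self.locked[addr.version]
        if current is None:
            self.locked[addr.version] = addr
            return True
        return addr == current


def replay(lock, requests: List[str]) -> List[bool]:
    """Feed a sequence of client addresses to a lock; True means accepted."""
    return [lock.check(r) for r in requests]


# Constructed traffic: a dual-stack client whose browser alternates between
# families as Happy Eyeballs picks whichever connects first, followed by a
# request from a different IPv6 address presenting the same session.
HAPPY_EYEBALLS = ["203.0.113.5", "2001:db8::1", "203.0.113.5", "2001:db8::1"]
THEFT = HAPPY_EYEBALLS + ["2001:db8::dead"]

if __name__ == "__main__":
    print("single-address lock:", replay(SingleAddressLock(), THEFT))
    print("per-family lock:    ", replay(PerFamilyLock(), THEFT))
```

With the single-address lock every second request of the legitimate client fails, which is the unpredictable session loss the report describes; the per-family lock accepts the alternating v4/v6 traffic and still rejects the foreign IPv6 address. It does not remove the report's broader objection: within each family the check still assumes the client keeps one stable address, which is exactly the assumption the reporter argues no longer holds.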


Related issues: 2 (0 open, 2 closed)

Related to TYPO3 Core - Task #88216: Remove lockIP option (Closed, 2019-04-26)
Related to TYPO3 Core - Bug #90047: BUG with IP6 in IpLocker.php after protokoll switch ipv4 to ipv6 (Closed, 2020-01-02)
