Bug #89869
IP Lock feature broken by modern IPv6 - Should be disabled by default or refactored
Status: closed
Description
TYPO3 ships, by default, with IP locking on its sessions, which locks frontend and backend sessions to the initial IP they came from.
While this feature can, in some scenarios, protect against session theft, e.g. cases where an attacker gains access to the session information but does not have full access to the victim's IP, unfortunately it completely breaks setups using IPv6 as it is used today. This is because of the "fast-fallback", or so-called Happy Eyeballs, that makes the requester pick IPv4 or IPv6 based on which protocol gets a connection faster, which effectively makes the browser occasionally jump between IPv4 and IPv6.
https://en.wikipedia.org/wiki/Happy_Eyeballs
As this protocol is widely implemented, using a feature like IP lock in its current form essentially breaks session handling, and it does so in very unpredictable ways, since the IP address used may change at any time.
There are ways this could be mitigated:
- E.g. by locking IPv4 and IPv6 separately. This could be a solution, but it adds some extra complexity.
- By disabling IPv6. Which is really a no-go...
- By disabling IP lock.
I understand what IP lock tries to do, but I would suggest that the internet has simply become too complex for such a simple security mechanism, and the idea that a user only has one IP address (which may or may not be shared) is probably not coming back. I would suggest disabling IP lock by default, or at least warning about the implications, especially with regard to IPv6.
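The following is an added illustration of the failure mode and of the first mitigation listed above (locking IPv4 and IPv6 separately). It is not TYPO3 code and not part of the report; it models the lock check in plain Python. The class names, the /64 prefix used for the IPv6 side and the sample addresses are assumptions chosen for this example; the client traffic is constructed (a dual-stack client whose browser flips between its IPv4 and IPv6 address, then a request from a different IPv4 host reusing the same session).

```python
import ipaddress
from typing import Dict, List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def canonical(remote: str) -> Address:
    """Parse the peer address. An IPv4-mapped IPv6 address (::ffff:a.b.c.d),
    which dual-stack sockets report for IPv4 peers, is unwrapped to IPv4."""
    ip = ipaddress.ip_address(remote)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class NaiveIpLock:
    """The behaviour the report describes: the session is bound to the
    single address of its first request, whatever family it belongs to."""

    def __init__(self) -> None:
        self.locked: Optional[Address] = None

    def check(self, remote: str) -> bool:
        ip = canonical(remote)
        if self.locked is None:
            self.locked = ip          # first request binds the session
            return True
        return self.locked == ip      # any other address is rejected


class PerFamilyIpLock:
    """Mitigation from the report: one lock per address family. A Happy
    Eyeballs flip between v4 and v6 stays valid, while a change of address
    within a family is still rejected. The IPv6 side is locked to a prefix
    (/64 by default; an assumption made here) so that temporary IPv6
    addresses rotating inside the same subnet do not break the session."""

    def __init__(self, v6_prefix: int = 64) -> None:
        self.v6_prefix = v6_prefix
        # keyed by address family (4 or 6)
        self.locked: Dict[int, Union[Address, ipaddress.IPv6Network]] = {}

    def _key(self, ip: Address) -> Union[Address, ipaddress.IPv6Network]:
        if ip.version == 6:
            return ipaddress.ip_network(f"{ip}/{self.v6_prefix}", strict=False)
        return ip

    def check(self, remote: str) -> bool:
        ip = canonical(remote)
        key = self._key(ip)
        if ip.version not in self.locked:
            self.locked[ip.version] = key   # first address seen in this family
            return True
        return self.locked[ip.version] == key


def replay(lock, remotes: List[str]) -> List[bool]:
    """Feed a sequence of peer addresses to a lock; return accept/reject per request."""
    return [lock.check(r) for r in remotes]


# Constructed sample traffic (documentation ranges, not real hosts).
HAPPY_EYEBALLS = ["203.0.113.10", "2001:db8::10", "203.0.113.10", "2001:db8::10"]
STOLEN_SESSION = "198.51.100.99"   # different IPv4 host presenting the same cookie

if __name__ == "__main__":
    print("naive lock     :", replay(NaiveIpLock(), HAPPY_EYEBALLS))
    per_family = PerFamilyIpLock()
    print("per-family lock:", replay(per_family, HAPPY_EYEBALLS))
    print("stolen cookie  :", per_family.check(STOLEN_SESSION))
```

With the naive lock every second request of the legitimate dual-stack client is rejected, which is exactly the unpredictable session loss described above; with the per-family lock the same client keeps its session, while a request from another IPv4 address is still refused. Note that per-family locking does not restore the original protection against an attacker who sits behind the same NAT address or inside the same IPv6 prefix as the victim.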