Remove "Restrict this session to this IP" option from login page
Categories
(bugzilla.mozilla.org :: General, task)
People
(Reporter: Atoll, Assigned: kohei)
Attachments
(1 file)
My IP address changes constantly as I commonly use cellular connections to access BMO, and the origin IP depends in part upon things like "cell towers" and "carrier whims". Additionally, I dual-home from both IPv4 and IPv6 at home and many random wireless networks around the area, some of which are slow to provision IPv4 but have instant IPv6. This results in me being constantly locked out of Bugzilla because a property of my network layer changed. So I request that y'all please uncheck the box by default.
Comment 1•7 years ago
As I understand it, this provides a security benefit to many people. I would hesitate to turn off the default unless it both fails to provide much security benefit to and inconveniences a large number of users.
I would accept "remember the state of this checkbox in my local browser's cookie store" in lieu of a change to the default, since that would result in the expected behavior (remember my preference for this preference) in each of the browsers I use.
I’m not expecting to see further activity on this request. Closing to save triage team the need to do so later.
Comment 4•6 years ago
We should uncheck this by default, and also hide it from mobile users at the least. I think it's still valuable for a population of users.
Comment 5•6 years ago (Assignee)
The “Restrict this session to this IP address” checkbox is only on the login page, and it doesn’t exist on the mini login widget on the global header. So I guess most people are _not_ using it anyway? Removing the checkbox shouldn’t be a problem then.
I would also accept "uncheck by default" as a cookie preference that isn't wiped at logout.
Comment 7•6 years ago (Assignee)
Also:
* 2FA has been enabled as a security measure
* GitHub auth doesn’t enable the restriction, UUIC
Comment 8•6 years ago
Is it possible to query what proportion of non-expired session users have limited to a single IP?
Comment 11•6 years ago (Assignee)
So, only 18% of currently logged-in users(?) are using the option? Then it’s safe to remove it.
Comment 12•5 years ago (Assignee)
This annoyed me today as I’m using my personal laptop both at home and in the office. Let’s move this forward.
Comment 13•5 years ago (Assignee)
Comment 14•5 years ago (Assignee)
Basically, Bugzilla was designed in the pre-mobile and pre-laptop era. It assumed people were using a desktop workstation, even in the same office, according to a physical model attached to this HCI research conducted 10 years ago. We have to evolve to fit how people work, and we have to change how people work.
Comment 15•5 years ago
(In reply to Dylan Hardison [:dylan] (he/him) from comment #10)
> Unrestricted: 3385
> Restricted: 754
This is pretty significant to me given that you have to uncheck the box to get Unrestricted, which means 82% of BMO's users are actively unchecking it when they log in.
Unless the lack of the checkbox on the mini login widget is treated as "don't restrict" and "restrict" is only forced on you on the full login page.... in which case, why is it even there? :-)
I'm among those who uncheck the box every time because I get logged out constantly if I don't.
Comment 16•5 years ago (Assignee)
I don’t have any data but guess most people use the header’s mini login widget and keep signed in. Also, “Sign-In with GitHub” doesn’t enable the restriction as mentioned earlier. I somehow used the sign-in page yesterday and was then forced to sign out once I got home.
Comment 17•5 years ago (Assignee)
Merged to master.
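
The trade-off debated in the description and in comment 1, as an added sketch that is not Bugzilla's code: a session bound to the login address stops accepting the user's own requests once the address changes, and it also refuses a copied cookie presented from another host. `SessionStore`, `served_requests` and the sample addresses (documentation ranges) are hypothetical and constructed for illustration.

```python
# Added illustration; SessionStore and served_requests are hypothetical names,
# not Bugzilla code. All addresses are constructed from documentation ranges.
import secrets
from ipaddress import ip_address


class SessionStore:
    def __init__(self):
        self._sessions = {}  # token -> (user, bound address or None)

    def login(self, user, client_ip, restrict_to_ip):
        """Issue a session token; bind it to the login address only if asked."""
        bound = ip_address(client_ip) if restrict_to_ip else None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = (user, bound)
        return token

    def validate(self, token, client_ip):
        """Return the user name, or None if the request must re-authenticate."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound = entry
        # A restricted session is honoured only from the exact login address,
        # so an IPv4 <-> IPv6 flip or a new cellular address counts as a mismatch.
        if bound is not None and ip_address(client_ip) != bound:
            return None
        return user


def served_requests(store, token, client_ips):
    """Count the requests in the sequence for which the session is accepted."""
    return sum(store.validate(token, ip) is not None for ip in client_ips)


# Constructed sample: one user's requests as the device moves from home IPv4
# to home IPv6 to a cellular address and back to home IPv4.
ROAMING = ["192.0.2.10", "2001:db8::10", "198.51.100.7", "192.0.2.10"]
OTHER_HOST = "203.0.113.99"  # a different machine presenting the same cookie

if __name__ == "__main__":
    store = SessionStore()
    for restrict in (True, False):
        tok = store.login("reporter", ROAMING[0], restrict_to_ip=restrict)
        ok = served_requests(store, tok, ROAMING)
        reused = store.validate(tok, OTHER_HOST) is not None
        print(f"restrict={restrict}: {ok}/{len(ROAMING)} roaming requests "
              f"accepted; cookie accepted from other host: {reused}")
```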