Restricting session to IP address does not work if 2FA is required

RESOLVED FIXED

Status

bugzilla.mozilla.org
General
P1
normal
3 years ago
3 years ago

People

(Reporter: mcote, Assigned: glob)

Tracking

Production

Details

(Reporter)

Description

3 years ago
STR:

1. Log out of Bugzilla, if logged in.
2. Go to https://bugzilla.mozilla.org/auth.cgi.
3. Log in, ensuring "Restrict this session to this IP address" is checked.
4. Go to https://bugzilla.mozilla.org/userprefs.cgi?tab=sessions

Expected:

The most recent session entry has "IP Restriction" set to "Restricted".

Actual:

The session is listed as "Unrestricted".

Not sure if this is a bug in the table or the login, although I have seen the IP Restriction set to "Restricted" before (not entirely sure how I got that, though).
The input parameter Bugzilla_restrictlogin is not passed when 2FA is enabled.

There are two ways to fix this, as I see it:

- thread Bugzilla_restrictlogin into template/en/default/mfa/totp/verify.html.tmpl with a hidden field
- implement session storage (which would require non-logged-in user session storage, not just logincookies session storage)
(Assignee)

Comment 3

3 years ago
i'll fix this as part of bug 1199087 - i already need to carry state through the 2fa request.
Assignee: nobody → glob
Depends on: 1199087
(Assignee)

Updated

3 years ago
Summary: Restricting session to IP address does not appear to work → Restricting session to IP address does not work if 2FA is required
(Assignee)

Comment 4

3 years ago
fixed by bug 1199087
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
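
The failure mode in this bug, and the "carry state through the 2FA request" fix discussed above, as a minimal Python model. This is an added example, not Bugzilla's code or the patch from bug 1199087. The `state` field name, the HMAC signing, the key and the 300-second lifetime are assumptions, and the TOTP code itself is taken as already verified.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; use a random server-side secret
STATE_TTL = 300                   # assumed lifetime of the pending login, seconds

def _mac(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def pack_state(user, restrict_ip, now=None):
    """Sign the first-step login choices for the hidden `state` field (assumed name)."""
    now = time.time() if now is None else now
    body = json.dumps({"user": user, "restrict": bool(restrict_ip),
                       "exp": int(now) + STATE_TTL}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body).decode()

def unpack_state(token, now=None):
    """Return the state dict, or None if malformed, tampered with or expired."""
    now = time.time() if now is None else now
    try:
        b64, mac = token.split(".")
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(body)):
        return None
    state = json.loads(body)
    return state if state["exp"] >= now else None

def finish_login_buggy(verify_form, client_ip):
    """2FA step that reads only its own form: the first-step checkbox is lost."""
    restrict = bool(verify_form.get("Bugzilla_restrictlogin"))
    return {"user": verify_form["user"], "ip": client_ip if restrict else None}

def finish_login_fixed(verify_form, client_ip, now=None):
    """2FA step that restores the first-step choices from the signed state."""
    state = unpack_state(verify_form.get("state", ""), now)
    if state is None:
        return None  # reject and restart the login rather than guess
    return {"user": state["user"], "ip": client_ip if state["restrict"] else None}
```

A session record with `ip` set to `None` corresponds to the "Unrestricted" entry in the sessions table; the signature keeps the user and flag from being altered between the two steps.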