STR: 1. Log out of Bugzilla, if logged in. 2. Go to https://bugzilla.mozilla.org/auth.cgi. 3. Log in, ensuring "Restrict this session to this IP address" is checked. 4. Go to https://bugzilla.mozilla.org/userprefs.cgi?tab=sessions Expected: The most recent session entry has "IP Restriction" set to "Restricted". Actual: The session is listed as "Unrestricted". Not sure if this is a bug in the table or the login, although I have seen the IP Restriction set to "Restricted" before (not entirely sure how I got that, though).
This also happens with https://bugzilla.mozilla.org/index.cgi?GoAheadAndLogIn=1.
The input parameter Bugzilla_restrictlogin is not passed when 2FA is enabled. There are two ways to fix this, as I see it: - thread Bugzilla_restrictlogin into template/en/default/mfa/totp/verify.html.tmpl with a hidden field - implement session storage (which would require non-logged-in user session storage, not just logincookies session storage)
i'll fix this as part of bug 1199087 - i already need to carry state through the 2fa request.
Assignee: nobody → glob
Depends on: 1199087
Summary: Restricting session to IP address does not appear to work → Restricting session to IP address does not work if 2FA is required
fixed by bug 1199087
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.