Closed Bug 1402894 Opened 7 years ago Closed 5 years ago

Remove "Restrict this session to this IP" option from login page


( :: General, task)






(Reporter: Atoll, Assigned: kohei)





My IP address changes constantly as I commonly use cellular connections to access BMO, and the origin IP depends in part upon things like "cell towers" and "carrier whims". Additionally, I dual-home from both IPv4 and IPv6 at home and many random wireless networks around the area, some of which are slow to provision IPv4 but have instant IPv6. This results in me being constantly locked out of Bugzilla because a property of my network layer changed.

So I request that y'all please uncheck the box by default.
As I understand it, this provides a security benefit to many people.  I would hesitate to turn off the default unless it both fails to provide much security benefit to and inconveniences a large number of users.
I would accept "remember the state of this checkbox in my local browser's cookie store" in lieu of a change to the default, since that would result in the expected behavior (remember my preference for this preference) in each of the browsers I use.
I’m not expecting to see further activity on this request. Closing to save triage team the need to do so later.
Closed: 6 years ago
Resolution: --- → WONTFIX
See Also: → 1491023
We should uncheck this by default, and also hide it from mobile users at the least. I think it's still valuable for a population of users.
Resolution: WONTFIX → ---
The “Restrict this session to this IP address” checkbox is only on the login page, and it doesn’t exist on the mini login widget on the global header. So I guess most people are _not_ using it anyway? Removing the checkbox shouldn’t be a problem then.
I would also accept "uncheck by default" as a cookie preference that isn't wiped at logout.

* 2FA has been enabled as a security measure
* GitHub auth doesn’t enable the restriction, IIUC
Is it possible to query what proportion of non-expired session users have limited to a single IP?
:dylan could answer that question.
Flags: needinfo?(dylan)
Unrestricted: 3385
Restricted: 754
Flags: needinfo?(dylan)
So, only 18% of currently logged-in users(?) are using the option? Then it’s safe to remove it.

This annoyed me today as I’m using my personal laptop both at home and in the office. Let’s move this forward.

Assignee: nobody → kohei.yoshino
Summary: Please uncheck "Restrict this session to this IP" checkbox by default → Remove "Restrict this session to this IP" option from login page
Attached file GitHub Pull Request

Basically, Bugzilla was designed in the pre-mobile and pre-laptop era. It assumed people were using a desktop workstation, even in the same office, according to a physical model attached to this HCI research conducted 10 years ago. We have to evolve to fit how people work, and we have to change how people work.

(In reply to Dylan Hardison [:dylan] (he/him) from comment #10)

> Unrestricted: 3385
> Restricted: 754

This is pretty significant to me given that you have to uncheck the box to get Unrestricted, which means 82% of BMO's users are actively unchecking it when they log in.

Unless the lack of the checkbox on the mini login widget is treated as "don't restrict" and "restrict" is only forced on you on the full login page.... in which case, why is it even there? :-)

I'm among those who uncheck the box every time because I get logged out constantly if I don't.

I don’t have any data but guess most people use the header’s mini login widget and keep signed in. Also, “Sign-In with GitHub” doesn’t enable the restriction as mentioned earlier. I somehow used the sign-in page yesterday and then was forced to sign out once I got home.

Merged to master.

Closed: 6 years ago → 5 years ago
Resolution: --- → FIXED
Type: enhancement → task