Remove "Restrict this session to this IP" option from login page

RESOLVED FIXED

Status

2 years ago
a month ago

People

(Reporter: Atoll, Assigned: kohei)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
My IP address changes constantly as I commonly use cellular connections to access BMO, and the origin IP depends in part upon things like "cell towers" and "carrier whims". Additionally, I dual-home from both IPv4 and IPv6 at home and many random wireless networks around the area, some of which are slow to provision IPv4 but have instant IPv6. This results in me being constantly locked out of Bugzilla because a property of my network layer changed.

So I request that y'all please uncheck the box by default.

As I understand it, this provides a security benefit to many people. I would hesitate to turn off the default unless it both fails to provide much security benefit to and inconveniences a large number of users.
(Reporter)

Comment 2

2 years ago
I would accept "remember the state of this checkbox in my local browser's cookie store" in lieu of a change to the default, since that would result in the expected behavior (remember my preference for this preference) in each of the browsers I use.
(Reporter)

Comment 3

6 months ago
I’m not expecting to see further activity on this request. Closing to save the triage team the need to do so later.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → WONTFIX
We should uncheck this by default, and also hide it from mobile users at the least. I think it's still valuable for a population of users.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
The “Restrict this session to this IP address” checkbox is only on the login page, and it doesn’t exist on the mini login widget on the global header. So I guess most people are _not_ using it anyway? Removing the checkbox shouldn’t be a problem then.
(Reporter)

Comment 6

6 months ago
I would also accept "uncheck by default" as a cookie preference that isn't wiped at logout.
Also: 

* 2FA has been enabled as a security measure
* GitHub auth doesn’t enable the restriction, UUIC
Is it possible to query what proportion of non-expired session users have limited to a single IP?
:dylan could answer that question.
Flags: needinfo?(dylan)
Unrestricted: 3385
Restricted: 754
Flags: needinfo?(dylan)
So, only 18% of currently logged-in users(?) are using the option? Then it’s safe to remove it.

This annoyed me today as I’m using my personal laptop both at home and in the office. Let’s move this forward.

Assignee: nobody → kohei.yoshino
Status: REOPENED → NEW
Summary: Please uncheck "Restrict this session to this IP" checkbox by default → Remove "Restrict this session to this IP" option from login page
Status: NEW → ASSIGNED

Basically, Bugzilla was designed in the pre-mobile and pre-laptop era. It assumed people were using a desktop workstation, even in the same office, according to a physical model attached to this HCI research conducted 10 years ago. We have to evolve to fit how people work, and we have to change how people work.

(In reply to Dylan Hardison [:dylan] (he/him) from comment #10)

Unrestricted: 3385
Restricted: 754

This is pretty significant to me given that you have to uncheck the box to get Unrestricted, which means 82% of BMO's users are actively unchecking it when they log in.

Unless the lack of the checkbox on the mini login widget is treated as "don't restrict" and "restrict" is only forced on you on the full login page.... in which case, why is it even there? :-)

I'm among those who uncheck the box every time because I get logged out constantly if I don't.

I don’t have any data but guess most people use the header’s mini login widget and keep signed in. Also, “Sign-In with GitHub” doesn’t enable the restriction as mentioned earlier. I somehow used the sign-in page yesterday, then was forced to sign out once I got home.

Merged to master.

Status: ASSIGNED → RESOLVED
Last Resolved: 6 months ago → a month ago
Resolution: --- → FIXED
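
The trade-off debated in this bug, shown as an added example that is not part of the original thread and is not Bugzilla's code: a session bound to the login IP rejects a copied cookie replayed from elsewhere, but it equally rejects the legitimate owner once their address changes. `SessionStore`, `replay` and `TRACE` are hypothetical names, the addresses are constructed documentation-range values, and the sketch assumes a mismatch only rejects the request.

```python
import ipaddress
import secrets


class SessionStore:
    """Toy login-cookie store; a bound IP of None means 'not restricted'."""

    def __init__(self):
        self._sessions = {}  # token -> (user, bound IP or None)

    def login(self, user, client_ip, restrict_to_ip):
        token = secrets.token_urlsafe(32)
        bound = ipaddress.ip_address(client_ip) if restrict_to_ip else None
        self._sessions[token] = (user, bound)
        return token

    def validate(self, token, client_ip):
        """Return the user name, or None if the token is unknown or the IP differs."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound = entry
        # Compare parsed addresses so textual variants of one IP still match.
        if bound is not None and ipaddress.ip_address(client_ip) != bound:
            return None
        return user


# Constructed request trace: (who sends the cookie, source address).
TRACE = [
    ("owner", "192.0.2.10"),    # home IPv4, where the login happened
    ("owner", "2001:db8::10"),  # same laptop, network provisioned IPv6 first
    ("owner", "198.51.100.7"),  # cellular connection behind carrier NAT
    ("thief", "203.0.113.66"),  # copied cookie replayed from another network
]


def replay(restrict_to_ip):
    """Log in from the first address, then present the cookie from each one."""
    store = SessionStore()
    token = store.login("alice", TRACE[0][1], restrict_to_ip)
    return [(who, store.validate(token, ip) is not None) for who, ip in TRACE]


if __name__ == "__main__":
    for mode in (True, False):
        print("restricted" if mode else "unrestricted", replay(mode))
```

With the restriction on, only the first request is accepted; with it off, all four are, including the replayed cookie, which is why the thread points to 2FA as the compensating control.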