Closed Bug 1402894 Opened 4 years ago Closed 2 years ago
Remove "Restrict this session to this IP" option from login page
My IP address changes constantly as I commonly use cellular connections to access BMO, and the origin IP depends in part upon things like "cell towers" and "carrier whims". Additionally, I dual-home from both IPv4 and IPv6 at home and many random wireless networks around the area, some of which are slow to provision IPv4 but have instant IPv6. This results in me being constantly locked out of Bugzilla because a property of my network layer changed. So I request that y'all please uncheck the box by default.
As I understand it, this provides a security benefit to many people. I would hesitate to turn off the default unless it both fails to provide much security benefit to and inconveniences a large number of users.
I would accept "remember the state of this checkbox in my local browser's cookie store" in lieu of a change to the default, since that would result in the expected behavior (remember my preference for this preference) in each of the browsers I use.
I’m not expecting to see further activity on this request. Closing to save triage team the need to do so later.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
we should uncheck this by default, and also hide it to mobile users at the least. I think it's still valuable for a population of users.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
The “Restrict this session to this IP address” checkbox is only on the login page, and it doesn’t exist on the mini login widget on the global header. So I guess most people are _not_ using it anyway? Removing the checkbox shouldn’t be a problem then.
I would also accept "uncheck by default" as a cookie preference that isn't wiped at logout.
Also: * 2FA has been enabled as a security measure * GitHub auth doesn’t enable the restriction, UUIC
Is it possible to query what proportion of non-expired session users have limited to a single IP?
:dylan could answer that question.
Unrestricted: 3385 Restricted: 754
So, only 18% of currently logged-in users(?) are using the option? Then it’s safe to remove it.
Assignee: nobody → kohei.yoshino
Status: REOPENED → NEW
Summary: Please uncheck "Restrict this session to this IP" checkbox by default → Remove "Restrict this session to this IP" option from login page
Status: ASSIGNED → RESOLVED
Closed: 3 years ago → 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.