Closed Bug 331531 Opened 19 years ago Closed 18 years ago

"Restrict this session to this IP address" login option is broken

Categories

(bugzilla.mozilla.org :: General, defect, P3)


RESOLVED WORKSFORME

People

(Reporter: bmo, Assigned: justdave)

Details

(Whiteboard: [blocker will fix])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

If I uncheck the "Restrict this session to this IP address" option when I log in to b.m.o, I still get prompted to log back in every time I come in from a different IP. At least this is what I assume is happening... In any case, my workplace now has a load balancer that sends connections out different ISPs and I now see this behavior.

Reproducible: Sometimes

Steps to Reproduce:
It's not a free rein unrestriction. Unchecking the box still restricts it to a class C subnet, it just doesn't restrict it to that specific IP. If your proxy servers aren't both in the same class C subnet on their external addresses then you're still going to get bit by this.
Oh. Well, that explains it :) Thanks! What does restricting to a class C really buy us? If the default is to restrict to one IP, anybody who consciously unchecks the box is presumably doing this for a reason. I'm accepting the risk that somebody else can steal my cookies and be an imposter. It's not like there isn't a huge audit trail. The way things are now is just driving me nuts, and I don't think my network admin is violating any principles of good internet citizenship by having some of my connections go out through one ISP and some from another. Thoughts?
Upgrading to 2.22 will let us completely unrestrict this without a lot of fear of cookies getting stolen. 2.20 and older use predictable session IDs, thus tying it to an IP address is the only reasonable security for it. 2.22 and up have randomized unique tokens for the session IDs.
Status: UNCONFIRMED → NEW
Depends on: 335151
Ever confirmed: true
Priority: -- → P3
Summary: "Restrict this sessionto this IP address" login option is broken → "Restrict this session to this IP address" login option is broken
Whiteboard: [blocker will fix]
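
The two protections discussed in the comments above (binding a session to one address or to its /24, and making the session ID itself unguessable), as an added example that is not Bugzilla's code and not part of the original bug. The function names, the in-memory session store and the addresses are constructed for illustration.

```python
import ipaddress
import secrets

# Hypothetical names throughout; this is not Bugzilla's code.
RESTRICT_TO_IP = 32      # box checked: exact IPv4 address
RESTRICT_TO_SUBNET = 24  # box unchecked: same "class C" (/24) network
UNRESTRICTED = 0         # no IP binding at all

SESSIONS = {}  # token -> (user, network the session is bound to)


def login(user, client_ip, prefix_len):
    """Issue an unguessable token and bind it to client_ip/prefix_len."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    SESSIONS[token] = (user, net)
    return token


def check(token, client_ip):
    """Return the user if the token exists and the IP is in its network."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, net = entry
    if ipaddress.ip_address(client_ip) not in net:
        return None  # caller would send the user back to the login page
    return user


def demo():
    # Constructed addresses (RFC 5737 documentation ranges): one office,
    # two upstream ISPs, as in the reporter's load-balancer setup.
    isp_a, isp_a_neighbor, isp_b = "192.0.2.10", "192.0.2.77", "198.51.100.5"
    results = {}
    for name, plen in [("ip", RESTRICT_TO_IP), ("subnet", RESTRICT_TO_SUBNET),
                       ("none", UNRESTRICTED)]:
        tok = login("reporter", isp_a, plen)
        results[name] = [check(tok, ip) is not None
                         for ip in (isp_a, isp_a_neighbor, isp_b)]
    return results


if __name__ == "__main__":
    for mode, row in demo().items():
        print(mode, row)
```

With /24 binding the request arriving through the second ISP fails the check, which is the repeated login prompt the reporter describes; only the unrestricted mode accepts it, and that mode relies entirely on the token being unguessable.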
Fixed as a result of the upgrade.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
QA Contact: myk → reed
Component: Bugzilla: Other b.m.o Issues → General
Product: mozilla.org → bugzilla.mozilla.org