Skip to content

[Request] Allow locking session to IP address #4670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Roardom opened this issue Apr 21, 2025 · 0 comments
Open

[Request] Allow locking session to IP address #4670

Roardom opened this issue Apr 21, 2025 · 0 comments
Labels
Request

Comments

@Roardom
Copy link
Collaborator

Roardom commented Apr 21, 2025

Add a user setting that by default requires all sessions to be locked to the IP address.

On the 2fa code input page after signing in, if this user setting is enabled, then show a tick box that allows not locking the session to the IP. There can be a message describing how it's less secure and is only useful for mobile devices that change IP frequently.

This means that a user has to do the following to allow not having session locked to ip:

  • Have 2fa enabled
  • Enabled the user setting
  • Ticked the box after signing in

The IP can be stored encrypted in the user's browser cookies and not saved in the redis session stored on the server. Middleware can decrypt it every request and log the user out of that session if their IP changes. Additionally send the user a system message saying their account was attempted to be logged into via an existing cookie session using an unknown IP.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Roardom