Hi Nala! I have a question regarding this IP check.
Does this mean that both the IP address and (logical and) the cookie need to be correct, or is it an inclusive logical or? I sometimes find myself switching location of the server of the VPN I am using. In such a case, would I still be logged in, based on the correct cookie, or would I be logged out, because my IP address does not match my previous address?

Regards,
Zelphir

On 10/24/19 4:15 PM, Nala Ginrut wrote:
> On Thu, Oct 24, 2019 at 8:30 PM pelzflorian (Florian Pelz) <
> pelzflor...@pelzflorian.de> wrote:
>
>> Because of login CSRF the Referer header should also be verified for
>> all links internal to the website (external links should strip the
>> Referer header via redirect pages similar to what the code attached to
>> this mail does).
>>
>> I do not know what Artanis does currently. I will check next week.
>>
>>
> The current Artanis will check both session token (from cookies) and the
> client IP.
> This method was blamed to be overkilled because some users may be in the
> same LAN with a unique external IP.
> But I think IPv6 will cover this world finally, so I think this would be
> the best way to go.
> Of course, there's no conflict to add extra verification token. Patches or
> proposals are welcome. ;-)
>
> Best regards.
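
As an added illustration (not Artanis code and not part of either message), this sketch models a session check that requires the cookie token and the client IP together, next to a cookie-only check, for the cases raised in the thread. `SessionStore`, `bind_ip`, dropping the session on an IP mismatch and the sample addresses are all assumptions made for the example.

```python
import ipaddress
import secrets


class SessionStore:
    """Hypothetical in-memory session table: token -> IP seen at login."""

    def __init__(self, bind_ip=True):
        self.bind_ip = bind_ip      # True: token AND IP must both match
        self._bound_ip = {}

    def login(self, client_ip):
        token = secrets.token_urlsafe(32)   # value returned as the session cookie
        self._bound_ip[token] = ipaddress.ip_address(client_ip)
        return token

    def check(self, cookie_token, client_ip):
        """Return 'ok', 'no-session' or 'ip-mismatch' for one request."""
        bound = self._bound_ip.get(cookie_token)
        if bound is None:
            return "no-session"
        if self.bind_ip and ipaddress.ip_address(client_ip) != bound:
            # Conjunction: a valid cookie alone is not enough.
            # Assumption: the session is dropped, so a new login is needed.
            del self._bound_ip[cookie_token]
            return "ip-mismatch"
        return "ok"


def scenarios(bind_ip):
    """Run the thread's cases in order; all addresses are constructed samples."""
    store = SessionStore(bind_ip=bind_ip)
    token = store.login("203.0.113.10")
    return {
        "same_ip": store.check(token, "203.0.113.10"),
        # Another client behind the same NAT shows the same external IP,
        # so the IP comparison cannot tell the two apart.
        "shared_nat_ip": store.check(token, "203.0.113.10"),
        "wrong_cookie": store.check("not-a-token", "203.0.113.10"),
        # VPN exit server changed between requests.
        "vpn_exit_changed": store.check(token, "198.51.100.7"),
        "back_on_old_ip": store.check(token, "203.0.113.10"),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("bind_ip =", mode, scenarios(mode))
```
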