Login Security issues
https://lab.civicrm.org/extensions/loginsecurity/-/issues
2021-09-24T21:34:22Z

https://lab.civicrm.org/extensions/loginsecurity/-/issues/1
Notifications for only "new" devices should be more flexible
2021-09-24T21:34:22Z
bgm

Currently if an admin configures the extension to notify only for new devices, it checks whether the IP is known. The browser fingerprint is also checked if available, but usually during login the fingerprint is not yet known (it gets checked in JS and sent back by an ajax call).
1. IP addresses, especially on IPv6 (privacy extensions), but also on IPv4, can change often in a given range.
2. It would be good to take the browser fingerprint into consideration.
3. If enabled, we could take into consideration the geolookup data (we might need to cache it, for faster checks).
If we want to implement (2) in particular, we need to find a way to send the notification after the fingerprint is obtained, which might require redirecting to a verification page, then back, because the browser could block the ajax call as a notification bypass.
For (1), I would wait to see if it's really a problem. Most folks are on IPv4, which includes a lot of CG-NAT, so maybe IPs do not change so often.