IP Address Security Issue
Posted
#10271
(In Topic #3539)

Standard member

If your IP address changes, you could be locked out
Hello, I ran into an interesting issue. I went to log into my v11 website today and it said that my IP address had changed and wasn't confirmed so I should get an email, etc. Of course, I didn't get an email (that is probably an issue on my end, will test that out later). Anyways, that meant I could not go into my site. Luckily I know how to work with databases so I simply updated my IP address that way, but this could be an issue with some people. Many internet companies give you dynamic IP addresses that will change over time after all.
I am curious if it is tied to this option:
Enforce IP addresses for sessions
I have disabled it for now. Is this a bug?
Like ocPortal? Want to thank Chris and gang somehow? Then help out in the chat room! It really needs your help! Just open it in a tab every time you open your web browser, and when you hear a "ding", check it out!
"Those who want help should first be willing to give help."
Posted

Site director

That could be part of the problem, but that's not directly the setting responsible.
"Enforce IP addresses for sessions" means that sessions are tied to your full IP address. When disabled, it is only tied to the first three octets (e.g. 127.0.0.*) so if the last octet changes, your session will still be valid.
The setting directly responsible for e-mail two-factor is "Enquire on new IPs", which is a usergroup-specific setting (edit a usergroup and go under Security).
This might get enabled by default depending on the security level you selected for the setup wizard. For minimum and low, it is not enabled for anyone. For medium, it is enabled for super-administrators. For high and Ultimate, it is enabled for super-administrators and super-moderators.
It's not a bug; it's doing as intended for security. But if you have any ideas on how to improve this without compromising security, please let me know.
- Need support for version 10? The core development team is no longer offering it for free (unless it's a critical bug that breaks your entire site or a serious security hole). Please consider hiring me instead if you need v10 support or a non-critical bug fix. Or, ask the community in the forums!
- Do you enjoy Composr? Please consider contributing your talent to the project or recommending Composr to others. Even small contributions make a big impact in the Composr community.
- Do you have feedback for us? You can report bugs, suggest features, or give feedback on the Free support options page.
- Do you need professional service with your Composr website? Please consider contracting me for your needs through my company, PDStig, LLC. Doing so will also help fund Composr development.
- Want to watch live streams of me developing Composr CMS? Please subscribe to me on Twitch to be notified when I stream. Composr development streams are usually spontaneous / not scheduled in advance as work priorities come first.
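
The two checks described in the reply above, as an added illustration that is not Composr's code and not part of either post. The function names, the exact-match rule for confirmed IPs and the /64 prefix used for IPv6 are assumptions; the addresses are constructed documentation IPs.

```python
import ipaddress

# Usergroups with "Enquire on new IPs" enabled by default, per setup-wizard
# security level, as listed in the reply above.
ENQUIRE_GROUPS_BY_LEVEL = {
    "minimum": set(),
    "low": set(),
    "medium": {"super-administrators"},
    "high": {"super-administrators", "super-moderators"},
    "ultimate": {"super-administrators", "super-moderators"},
}


def session_ip_matches(bound_ip, current_ip, enforce_full_ip):
    """Return True if current_ip may keep using a session created from bound_ip."""
    bound = ipaddress.ip_address(bound_ip)
    current = ipaddress.ip_address(current_ip)
    if bound.version != current.version:
        return False
    if enforce_full_ip:
        # "Enforce IP addresses for sessions" on: the full address must match.
        return bound == current
    # Setting off: only the first three octets (a /24) must match for IPv4.
    # Assumption: the page does not cover IPv6, so a /64 is used here.
    prefix = 24 if bound.version == 4 else 64
    network = ipaddress.ip_network(f"{bound}/{prefix}", strict=False)
    return current in network


def login_decision(level, user_groups, login_ip, confirmed_ips):
    """Return 'allow', or 'confirm_by_email' when "Enquire on new IPs" applies."""
    if not (ENQUIRE_GROUPS_BY_LEVEL[level] & set(user_groups)):
        return "allow"  # none of the member's usergroups has the setting enabled
    # Assumption: a previously confirmed IP must match exactly.
    known = {ipaddress.ip_address(ip) for ip in confirmed_ips}
    if ipaddress.ip_address(login_ip) in known:
        return "allow"
    return "confirm_by_email"


if __name__ == "__main__":
    # Constructed case: a dynamic-IP change within the same /24.
    print(session_ip_matches("203.0.113.10", "203.0.113.77", False))  # session kept
    print(session_ip_matches("203.0.113.10", "203.0.113.77", True))   # session dropped
    # Constructed case: super-administrator on a "medium" site, ISP moved them to a new range.
    print(login_decision("medium", ["super-administrators"],
                         "198.51.100.5", ["203.0.113.10"]))
```

The second case is the lockout from the first post: the e-mail confirmation is triggered by the usergroup setting, independently of how sessions are bound to IPs.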