Acidity closed 10 years ago
I am in favor of doing this. Definitely worth thinking carefully about before we make the change, though.
Merged two commits from this. I'm downright rejecting the session IP binding; a shared cookie is probably okay, but I want to think about it as a separate PR :)
I'm submitting this to start a discussion on whether it'd be worthwhile and to raise any security concerns that it might cause. In particular, given that there have been reports of session issues with the forums, I want to make 100% certain that there would be no such issues with Core. Additionally, it might be worth making sessions expire when someone tries to use that session ID from a different IP address, though this will cause shortened session times for those with dynamic IP addresses, or who switch the location of their computer often.
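A minimal sketch of the session IP binding discussed in this thread, added here as an illustration and not code from this PR or the project. The class and method names are hypothetical and the addresses are constructed documentation-range values; it shows a session ID being rejected from a second address and the shortened session for a user whose address changes.

```python
import ipaddress
import secrets
import time


class IPBoundSessionStore:
    """Hypothetical server-side store: a session dies if its ID arrives from another IP."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> (user, bound_ip, expires_at)

    def create(self, user, client_ip, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        # Parse the address so equivalent IPv6 spellings compare equal.
        bound_ip = ipaddress.ip_address(client_ip)
        self._sessions[sid] = (user, bound_ip, now + self.ttl)
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return (user, reason); user is None when the session is rejected."""
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return None, "unknown"
        user, bound_ip, expires_at = record
        if now >= expires_at:
            del self._sessions[sid]
            return None, "expired"
        if ipaddress.ip_address(client_ip) != bound_ip:
            # Expire the session instead of only refusing this request,
            # so the ID is useless afterwards from any address.
            del self._sessions[sid]
            return None, "ip_mismatch"
        return user, "ok"


def demo():
    """Constructed scenario: same-IP use, use from a second IP, and a dynamic-IP user."""
    store = IPBoundSessionStore(ttl_seconds=3600)
    sid = store.create("alice", "198.51.100.10", now=0)
    results = [
        store.validate(sid, "198.51.100.10", now=60),   # owner, same address
        store.validate(sid, "203.0.113.77", now=120),   # same ID, different address
        store.validate(sid, "198.51.100.10", now=180),  # owner is now logged out too
    ]
    sid2 = store.create("bob", "198.51.100.20", now=0)
    # Bob's lease changes after 5 minutes: his 1-hour session ends early.
    results.append(store.validate(sid2, "198.51.100.21", now=300))
    return results
```

The third and fourth results are the cost raised in the thread: a mismatch also ends the legitimate user's session, and an address change alone is indistinguishable from reuse of the ID elsewhere.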