Closed: komuw closed 9 months ago
Codecov report: 19 lines in your changes are missing coverage. Please review. Comparison is base (e2b861f) 0.00% compared to head (edeb7e9) 73.52%.
Previously, when validating encrypted cookies, we would compare the IP address (and TLS fingerprint) in the incoming request to the one in the cookie.
This meant that if someone moves from wifi internet to phone internet (as an example), their IP changes and thus their cookie/session would be invalid.
Since the feature is useful in trying to mitigate against replay attacks (see: https://github.com/komuw/ong/issues/144), we instead introduce functionality that would allow users of ong to set whatever value they want as their anti-replay data. So someone could set the IP + geo-location of the request as the anti-replay data, and if either of those change, the cookies are invalid.
Fixes: https://github.com/komuw/ong/issues/365
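The caller-chosen anti-replay binding described above, as an added Go example that is not ong's own code (the `Sealer`, `Seal` and `Open` names are assumptions; ong's real API differs): instead of storing the anti-replay data in the cookie and comparing it, this version binds it as AES-GCM additional data, so `Open` fails whenever the data re-derived from the incoming request (IP, IP + geo-location, or anything else the application picks) differs from what `Seal` was given.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// ErrInvalid covers tampering and an anti-replay mismatch alike.
var ErrInvalid = errors.New("cookie invalid")
// Sealer is a hypothetical AES-256-GCM cookie sealer (assumed, not ong's API).
type Sealer struct{ aead cipher.AEAD }

// NewSealer takes a 32-byte secret key.
func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // never fails for an AES block
	return &Sealer{aead: aead}, err
}

// Seal encrypts value and binds antiReplay (any caller-chosen string: IP,
// IP+geo-location, ...) as GCM additional data. It is not stored in the
// cookie, yet the tag only verifies if Open is handed the same data again.
func (s *Sealer) Seal(value, antiReplay string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(value), []byte(antiReplay))
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// Open takes the anti-replay data re-derived from the incoming request; if
// it differs from what Seal was given, or the cookie was altered, it fails.
func (s *Sealer) Open(cookie, antiReplay string) (string, error) {
	ns := s.aead.NonceSize()
	ct, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil || len(ct) < ns {
		return "", ErrInvalid
	}
	value, err := s.aead.Open(nil, ct[:ns], ct[ns:], []byte(antiReplay))
	if err != nil {
		return "", ErrInvalid
	}
	return string(value), nil
}
```

A caller that wants the pre-change behaviour simply passes the client IP (plus TLS fingerprint) as `antiReplay` on both sides; one that wants to survive a wifi-to-phone switch passes something that does not change with the network.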