weilandia closed 3 years ago
Not the remote_addr at least, as there are no guarantees that a mobile device, for example, will keep the same IP when switching towers or whatever.
User Agent could maybe, but what if the user upgrades their browser? Does that warrant a new session?
Up to you.
Thanks for the response. What is the purpose of having these fields on the model?
I included them so one could use them for tracking suspicious behaviour. I'm not sure I should've, as most apps will never have enough traction to see this while not being able to add it themselves. At the same time, it adds likely unnecessary PII to the database that you have to handle appropriately, which you might not know or want to know 🤷‍♂️
Thanks for the explanation!
Currently I don't see the remote_addr or user_agent stored on the Session record being used (though I might have missed it). Could one of these be used in the Session lookup to prevent token reuse on different devices?
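An added example, not from the thread or the project's own code: one way to use the stored remote_addr and user_agent as review signals instead of as part of the Session lookup, so that a changed IP or a browser upgrade does not end the session. `SessionRecord`, `ua_fingerprint`, `session_signals`, `needs_review?` and the sample values are hypothetical.

```ruby
# Added example. SessionRecord stands in for a Session row with the two
# fields from the thread; all names and sample values are constructed.
SessionRecord = Struct.new(:remote_addr, :user_agent)

# Reduce a User-Agent to [os, browser], ignoring version numbers so that a
# browser upgrade does not look like a different device.
def ua_fingerprint(user_agent)
  ua = user_agent.to_s
  os = case ua # order matters: Android UAs contain "Linux", iOS UAs "Mac OS X"
       when /Windows/     then :windows
       when /Android/     then :android
       when /iPhone|iPad/ then :ios
       when /Mac OS X/    then :macos
       when /Linux/       then :linux
       else :unknown
       end
  browser = case ua # order matters: Edge UAs contain "Chrome", Chrome UAs "Safari"
            when %r{Edg/}     then :edge
            when %r{Firefox/} then :firefox
            when %r{Chrome/}  then :chrome
            when %r{Safari/}  then :safari
            else :unknown
            end
  [os, browser]
end

# Signals to log for review. The session is still looked up by token alone.
def session_signals(session, remote_addr:, user_agent:)
  signals = []
  signals << :ip_changed if session.remote_addr != remote_addr
  signals << :device_changed if ua_fingerprint(session.user_agent) != ua_fingerprint(user_agent)
  signals
end

# An IP change alone is expected on mobile networks; only a device change
# is worth a review or a re-authentication prompt.
def needs_review?(signals)
  signals.include?(:device_changed)
end

STORED = SessionRecord.new(
  "203.0.113.10",
  "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Mobile Safari/537.36"
)
```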