mikker / passwordless

🗝 Authentication for your Rails app without the icky-ness of passwords
MIT License

Using remote_addr or user_agent in session lookup #104

Closed weilandia closed 3 years ago

weilandia commented 3 years ago

Currently I don't see the remote_addr or user_agent stored on the Session record being used (though I might have missed it). Could one of these be used in the Session lookup to prevent token reuse on different devices?

mikker commented 3 years ago

Not the remote_addr, at least, as there are no guarantees that a mobile device, for example, will keep the same IP when switching towers or whatever.

User Agent could, maybe, but what if the user upgrades their browser? Does that warrant a new session?

Up to you.
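As an added example of the trade-off laid out above (this is not code from the passwordless gem): a plain-Ruby, in-memory stand-in for the Session record, with the device-binding decision left to the app as a per-lookup policy. The gem's real model is an ActiveRecord class; in a Rails controller the two request attributes would come from `request.remote_ip` and `request.user_agent`. The `SessionStore` class, the policy names, the digit-blanking `ua_family` heuristic and the sample User-Agent strings are all assumptions made here.

```ruby
require 'digest'
require 'securerandom'

# Hypothetical in-memory stand-in for a passwordless Session row (the gem's
# real model is ActiveRecord; this is not it). Fields mirror what the thread
# mentions (remote_addr, user_agent) plus a token digest and an expiry.
SessionRecord = Struct.new(:token_digest, :remote_addr, :user_agent, :expires_at)

class SessionStore
  POLICIES = %i[none ip ua ua_family].freeze

  def initialize
    @by_digest = {}
  end

  # Store only a digest of the token so a leaked table does not yield live sessions.
  def create(token:, remote_addr:, user_agent:, ttl: 3600)
    digest = Digest::SHA256.hexdigest(token)
    @by_digest[digest] = SessionRecord.new(digest, remote_addr, user_agent, Time.now + ttl)
  end

  # Resolve a presented token. `binding` is the app-level policy the issue
  # discusses: what, besides the token itself, the request must match.
  #   :none       token only (no device binding; a replayed token resolves anywhere)
  #   :ip         token + exact remote_addr (breaks when a phone changes towers)
  #   :ua         token + exact User-Agent (breaks on a browser upgrade)
  #   :ua_family  token + User-Agent with version numbers blanked out
  def lookup(token, remote_addr:, user_agent:, binding: :none)
    raise ArgumentError, "unknown binding #{binding.inspect}" unless POLICIES.include?(binding)

    record = @by_digest[Digest::SHA256.hexdigest(token)]
    return nil if record.nil? || record.expires_at <= Time.now

    matches =
      case binding
      when :none      then true
      when :ip        then record.remote_addr == remote_addr
      when :ua        then record.user_agent == user_agent
      when :ua_family then ua_family(record.user_agent) == ua_family(user_agent)
      end
    matches ? record : nil
  end

  # Crude heuristic (an assumption of this example): replace every run of digits
  # with "N" so "Version/15.0" and "Version/15.1" compare equal while a Chrome
  # laptop and an iPhone Safari string still differ.
  def ua_family(user_agent)
    user_agent.to_s.gsub(/\d+/, 'N')
  end
end

# Constructed sample requests (not real traffic): the same phone before and after
# an iOS/Safari upgrade and a tower hand-off, and a different device replaying the token.
PHONE_UA_V1 = 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 Version/15.0 Mobile/15E148 Safari/604.1'
PHONE_UA_V2 = 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 Version/15.1 Mobile/15E148 Safari/604.1'
LAPTOP_UA   = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/96.0 Safari/537.36'

# Returns, per policy, whether each follow-up request still resolves the session.
def policy_outcomes
  store = SessionStore.new
  token = SecureRandom.hex(16)
  store.create(token: token, remote_addr: '203.0.113.10', user_agent: PHONE_UA_V1)

  requests = {
    same_phone_new_ip:      { remote_addr: '198.51.100.7', user_agent: PHONE_UA_V1 },
    same_phone_upgraded_ua: { remote_addr: '203.0.113.10', user_agent: PHONE_UA_V2 },
    other_device_replay:    { remote_addr: '192.0.2.44',   user_agent: LAPTOP_UA },
  }

  SessionStore::POLICIES.to_h do |policy|
    [policy, requests.transform_values { |req| !store.lookup(token, binding: policy, **req).nil? }]
  end
end

if __FILE__ == $PROGRAM_NAME
  policy_outcomes.each { |policy, results| puts "#{policy}: #{results}" }
end
```

Running it shows the point of the thread in one table: `:none` accepts the replay from the laptop, `:ip` drops the phone the moment its address changes, `:ua` drops it on the browser upgrade, and only the loosened `:ua_family` keeps the phone while still rejecting the other device. None of these is a substitute for short session lifetimes, since a stolen token plus a copied User-Agent still passes every policy here.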

weilandia commented 3 years ago

Thanks for the response. What is the purpose of having these fields on the model?

mikker commented 3 years ago

I included them so one could use them for tracking suspicious behaviour. I'm not sure I should've, as most apps will never have enough traction to see this while not being able to add it themselves. At the same time, it adds likely unnecessary PII to the database that you have to handle appropriately, which you might not know or want to know 🤷‍♂️

weilandia commented 3 years ago

Thanks for the explanation!