ucam-department-of-psychiatry / camcops

Cambridge Cognitive and Psychiatric Test Kit (CamCOPS)

Users get logged off after a few minutes of activity #226

Closed martinburchell closed 2 years ago

martinburchell commented 2 years ago

When logged in from the CPFT network, it's possible to get logged off again after a few minutes before the configured period of inactivity is up. This is because the connecting machine's IP address changes (possibly there is a load balancer somewhere along the line). I think we can't rely on a user's IP address to remain constant throughout a session.

We could make the IP check configurable (simple on/off) or try to do something more restrictive by only allowing IPs that match a subnet mask.

@RudolfCardinal what do you think?

RudolfCardinal commented 2 years ago

That surprised me, but that might just reflect my ignorance of how VPNs tend to work (or possibly it is the outside ISP).

The relevant code is CamcopsSession.get_session, which matches IP address via a database query.

I think the main question is whether this is a security concern. (I think the security vulnerability in principle is whether someone could steal a session ID/token pair and use it to log in from a different machine.)

IF IT IS:

I'm not sure. I'm guessing that your second option is a configuration option to allow users to describe their IP-hopping system, as in "you can hop as long as you hop within a specified range" (e.g. something like PERMIT_CLIENT_IP_HOPPING_RANGES as a list with elements like "192.168.0.0/24"). That could generalize to "any hopping" if we allowed someone to specify "0.0.0.0/0". And the first would be a simpler boolean PERMIT_CLIENT_IP_HOPPING setting.

However, if we'd allowed this, I'm sure it's the sort of thing that would have been picked up by the penetration testing as undesirable. Should we (a) add this option for users who can't fix the problem, noting that it weakens security, and (b) ask the CPFT network/security team if they can stop this happening so we can continue with the more secure system? Or (b) first, for simplicity?

Do you think it's equally applicable to "human" and "client device" sessions, i.e. that both might "hop"?

IF IT ISN'T:

We could just remove the IP address check, full stop.

IS IT?

Several threads say IP address changing is perfectly normal, including because of load balancing or a client switching between mobile data and Wi-Fi:

(And also that "same IP address" can still mean "different computers", e.g. a home network sharing a single external IP address.)

Perhaps this was an overly conservative restriction!
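An added illustration of the two options sketched in the comment above (a boolean "permit any hop" switch versus a list of CIDR ranges within which hopping is tolerated). This is example code, not CamCOPS's own `CamcopsSession.get_session`; the setting names `PERMIT_CLIENT_IP_HOPPING` and `PERMIT_CLIENT_IP_HOPPING_RANGES` are the proposals from the thread, and the function signature is an assumption.

```python
"""
Decide whether a request from a new IP address may continue an existing
session. Intended to run only AFTER the session ID/token pair has already
matched, so that the IP rule is an extra binding, not the primary check.
"""
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hypothetical settings, named after the proposals in the discussion.
PERMIT_CLIENT_IP_HOPPING = False            # boolean option: any hop allowed
PERMIT_CLIENT_IP_HOPPING_RANGES: List[str] = []  # e.g. ["192.168.0.0/24"]


def parse_ranges(ranges: Iterable[str]) -> List[IPNetwork]:
    """Parse configured CIDR strings once; strict=False tolerates host bits
    being set in the config (e.g. "10.0.0.5/24")."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def ip_change_permitted(session_ip: str, request_ip: str,
                        permit_hopping: bool = PERMIT_CLIENT_IP_HOPPING,
                        hopping_ranges: Iterable[str] = ()) -> bool:
    """
    True if request_ip may continue a session established from session_ip.

    - Same address: always permitted (the original strict behaviour).
    - permit_hopping=True: any change is permitted (weakest setting).
    - Otherwise both addresses must sit inside the SAME configured range;
      "0.0.0.0/0" or "::/0" therefore means "any hop" for that IP family.
      Two addresses in two different configured ranges are still rejected,
      and an IPv4/IPv6 mix never matches a single range.
    """
    old = ipaddress.ip_address(session_ip)
    new = ipaddress.ip_address(request_ip)
    if old == new:
        return True
    if permit_hopping:
        return True
    for net in parse_ranges(hopping_ranges):
        if old in net and new in net:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a load balancer moving a client within one /24.
    print(ip_change_permitted("192.168.0.10", "192.168.0.77",
                              hopping_ranges=["192.168.0.0/24"]))  # True
```

With the default settings the function reproduces the current behaviour (any change ends the session), so the relaxation is opt-in per deployment.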

martinburchell commented 2 years ago

From what I've read, if we're using HTTPS we're already making it harder to steal the session ID. Maybe it used to be more of a problem.

A user has raised a support ticket with the CPFT service desk asking why the IP address changes. Let's see what they say. If they can't do anything about it, I don't think it is acceptable for the user to be logged out at random on any given request.

Possible options:

We probably don't want to start building AI to detect anomalous behaviour. I don't think we need to cater for users switching between mobile networks on moving trains.