Feature #14265

closed

Option to invalidate GUI login session if the client address changes

Added by Jim Pingle about 1 year ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Category:
Authentication
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default

Description

Currently, once the user logs in, their session is valid even if the client source address changes. This allows the user to roam if they happen to change WANs (e.g. client behind multi-WAN load balancing, CGN, cell network, etc.) or if they access by hostname and have to downgrade from IPv6 to IPv4. However, this behavior is less secure than invalidating the session if the client address changes, forcing the user to log back in if the address changes. This is largely moot for most users, however, as they should be accessing the firewall over a VPN or local management network, and the address is less likely to change in those cases, making it safer to activate.

Having the option to enable this strict behavior would be good from a security standpoint, though I am hesitant to activate it by default given the potential for disruption.
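The behaviour described above, as an added example that is not pfSense code: a small Python session store that records the client address at login and, on every authenticated request, either keeps the session (roaming enabled) or destroys it server-side when the address differs (roaming disabled). The `SessionStore`, `Session`, `normalize_addr` and `demo` names, the option name `roaming`, and the addresses are constructed for illustration; the page does not show pfSense's own option name or implementation. The example goes slightly beyond the text by normalizing addresses first, so that two text forms of the same IPv6 address (e.g. differing only in case) are not mistaken for an address change.

```python
"""Session store that binds a GUI login session to the client address.

Added example (not pfSense code): models the behaviour the feature
request describes. With roaming disabled, a request whose source
address differs from the one recorded at login destroys the session,
forcing a fresh login; with roaming enabled the session is kept.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def normalize_addr(client_addr: str) -> str:
    """Canonical text form, so 2001:DB8::1 and 2001:db8::1 compare equal."""
    return str(ipaddress.ip_address(client_addr))


@dataclass
class Session:
    username: str
    client_addr: str  # address recorded at login, already normalized


class SessionStore:
    def __init__(self, roaming: bool = False) -> None:
        self.roaming = roaming                  # hypothetical GUI option
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[str] = []          # constructed stand-in for the system log

    def login(self, username: str, client_addr: str) -> str:
        """Create a session bound to the normalized client address."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(username, normalize_addr(client_addr))
        return sid

    def validate(self, sid: str, client_addr: str) -> Optional[str]:
        """Return the username for an acceptable request, else None.

        Run on every authenticated request. With roaming disabled, any
        address mismatch invalidates the session server-side, so the
        cookie is dead for the original address as well.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        addr = normalize_addr(client_addr)
        if addr != sess.client_addr and not self.roaming:
            del self._sessions[sid]
            self.audit_log.append(
                f"session for {sess.username} invalidated: "
                f"client address changed from {sess.client_addr} to {addr}")
            return None
        return sess.username

    def whoami(self, sid: str) -> Optional[Tuple[str, str]]:
        """What a dashboard widget would display: (username, client address)."""
        sess = self._sessions.get(sid)
        return (sess.username, sess.client_addr) if sess else None


def demo() -> dict:
    """Exercise both settings with constructed addresses; returns the outcomes."""
    strict = SessionStore(roaming=False)
    sid = strict.login("admin", "192.0.2.10")
    results = {
        "strict_same_addr": strict.validate(sid, "192.0.2.10"),
        "strict_addr_changed": strict.validate(sid, "192.0.2.11"),
        # the session is gone, so the original address is locked out too
        "strict_back_to_original": strict.validate(sid, "192.0.2.10"),
    }
    # IPv6 -> IPv4 fallback when accessing by hostname is also an address change
    sid6 = strict.login("admin", "2001:db8::1")
    results["strict_v6_to_v4"] = strict.validate(sid6, "192.0.2.10")
    # a case-only difference in the IPv6 text form is not a change
    sid6b = strict.login("admin", "2001:DB8::1")
    results["strict_v6_case_only"] = strict.validate(sid6b, "2001:db8::1")

    roam = SessionStore(roaming=True)
    rsid = roam.login("admin", "192.0.2.10")
    results["roaming_addr_changed"] = roam.validate(rsid, "203.0.113.7")
    results["strict_log_entries"] = len(strict.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter for the check to be meaningful: the comparison runs on every request, not only at login, and a mismatch deletes the session on the server rather than merely redirecting, so the stale cookie cannot be replayed from the old address either. The audit entry gives an operator the evidence needed to tell a legitimate WAN failover apart from something worth investigating.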


Files

clipboard-202307061029-d4yab.png (16 KB), Danilo Zrenjanin, 07/06/2023 08:29 AM
#1

Updated by Jim Pingle about 1 year ago

  • Description updated (diff)
#2

Updated by Christopher Cope 11 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Christopher Cope
#3

Updated by Christopher Cope 10 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
#4

Updated by Danilo Zrenjanin 10 months ago

I conducted a test on the commit; however, altering the client source IP address did not result in a connection break. I double-checked and ensured that the Roaming option was unchecked.

Please check.

#5

Updated by Jim Pingle 10 months ago

I tested it multiple times on multiple clients and it always kicked me off. Are you sure the client address is changing from the perspective of the firewall? Check the client info displayed on the dashboard; it will show the username and client IP address there in the system info widget.

I used a client on LAN and changed its DHCP reservation and restarted networking on the client, which ensured it moved to the new address, then tried to refresh the browser page. With roaming enabled I could keep accessing the GUI. With roaming disabled I was always kicked out to the login screen. The client may play a factor here as well since it has to move to a new address; using a static address might be a simpler test depending on the client OS. I used a Linux client where it was a pretty simple off/on toggle of the interface networking to make it pick up the address change.

#6

Updated by Danilo Zrenjanin 9 months ago

  • Status changed from Feedback to Resolved

I've just tested again applying the patch on a clean install. It works as expected.

Tested against:

2.7.0-RELEASE (amd64)
built on Wed Jun 28 03:53:34 UTC 2023
FreeBSD 14.0-CURRENT

I am marking this ticket resolved.

#7

Updated by Jim Pingle 7 months ago

  • Target version changed from CE-Next to 2.8.0
  • Plus Target Version changed from Plus-Next to 23.09
#8

Updated by Jim Pingle 6 months ago

  • Target version changed from 2.8.0 to 2.7.1