Feature #14265
closed
Option to invalidate GUI login session if the client address changes
100%
Description
Currently once the user logs in, their session is valid even if the client source address changes. This allows the user to roam if they happen to change WANs (e.g. client behind multi-WAN load balancing, CGN, cell network, etc) or if they access by hostname and have to downgrade from IPv6 to IPv4. However, this behavior is less secure than invalidating the session if the client address changes, forcing the user to log back in if the address changes. This is largely moot for most users however as they should be accessing the firewall over a VPN or local management network and the address is less likely to change in those cases, making it safer to activate.
Having the option to enable this strict behavior would be good from a security standpoint, though I am hesitant to activate it by default given the potential for disruption.
Files
Updated by Christopher Cope 11 months ago
- Status changed from New to Pull Request Review
- Assignee set to Christopher Cope
Updated by Christopher Cope 10 months ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset d6078e851ade476b6e9190fd77b9a70eb3c7bb92.
Updated by Danilo Zrenjanin 10 months ago
I conducted a test on the commit, however, altering the client source IP address did not result in a connection break. I double-checked and ensured that the Roaming option was unchecked.
Please check.
Updated by Jim Pingle 10 months ago
I tested it multiple times on multiple clients and it always kicked me off. Are you sure the client address is changing from the perspective of the firewall? Check the client info displayed on the dashboard, it will show the username and client IP address there in the system info widget.
I used a client on LAN and changed its DHCP reservation and restarted networking on the client which ensured it moved to the new address, then tried to refresh the browser page. With roaming enabled I could keep accessing the GUI. With roaming disabled I was always kicked out to the login screen. The client may play a factor here as well since it has to move to a new address, using a static address might be a simpler test depending on the client OS. I used a Linux client where it was a pretty simple off/on toggle of the interface networking to make it pick up the address change.
Updated by Danilo Zrenjanin 10 months ago
- Status changed from Feedback to Resolved
I've just tested again applying the patch on a clean install. It works as expected.
Tested against:
2.7.0-RELEASE (amd64) built on Wed Jun 28 03:53:34 UTC 2023 FreeBSD 14.0-CURRENT
I am marking this ticket resovled.
Updated by Jim Pingle 8 months ago
- Target version changed from CE-Next to 2.8.0
- Plus Target Version changed from Plus-Next to 23.09