Add encrypted cookie to supplement IP address matching for known sign ins
Due to the edge cases surrounding IP address matching, we will add an encrypted cookie as the next iteration of the known sign in feature. For IPv6 we would have to do a partial match, which may reduce security. This also doesn't fix the problem for cases like VPNs or other scenarios where the IP address changes for each session.
If either the cookie exists or the IP addresses match, an unknown sign in email will not be sent. This still may not solve the problem for all users. A commenter noted that Tor users may not accept cookies, so it may not help those users.
Original description
Summary
It seems that since the move to CloudFlare, we are getting an increase in customer contact regarding Unknown Sign-In emails. Based on our documentation, we should be comparing the IP address of the last sign-in with the latest sign-in and then sending an email if they don't match.
However, IPv6 addresses appear to be matching differently. The last 4 blocks in an IPv6 address change more frequently, and we appear to be doing some sort of regex matching that is causing more frequent Unknown Sign-In emails.
Steps to reproduce
Not all users are able to reproduce. You can try to log out and sign-in repetitively and take note if you receive an email.
What is the current bug behavior?
An unknown sign-in email is sent every time you are logging in from the same location.
What is the expected correct behavior?
An unknown sign-in email should only be sent when there is a clear mismatch of IP addresses.
Output of checks
This happens on GitLab.com
Availability & Testing
We would need to update existing unit tests to account for the following cases:
Send email when:
- Device is known and IP address is not known.
- Device is not known and IP address is known.
- Device and IP address are not known.
- Device is known and IP address is known, but the cookie holding the device information has passed its expiration date.
Do not send email when:
- Device is known and IP address is known.
Unit tests would suffice for covering the above cases. No end-to-end tests would be needed.
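As an added illustration (not GitLab's code), the following Ruby sketch shows one way to implement the encrypted device cookie and the send/don't-send decision from the case list above: the cookie is AES-256-GCM encrypted and bound to the user id and an expiry, so a tampered, wrong-user or expired cookie counts as an unknown device, and the IP comparison is an exact string match rather than a partial one. The key, the 14-day TTL and the function names are assumptions made for this example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Assumed TTL for the "known device" cookie (constructed value, not from the issue).
COOKIE_TTL = 14 * 24 * 3600

# Issue a cookie holding the user id and an expiry, encrypted and authenticated
# with AES-256-GCM so the client cannot read or alter it.
def encrypt_device_cookie(key, user_id, now: Time.now.to_i)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv                     # fresh 12-byte nonce per cookie
  payload = JSON.generate(uid: user_id, exp: now + COOKIE_TTL)
  ct = cipher.update(payload) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ct)
end

# Returns the decrypted payload, or nil when the cookie is missing, tampered,
# issued for another user, or past its expiration date.
def read_device_cookie(key, cookie, user_id, now: Time.now.to_i)
  return nil if cookie.nil?
  raw = Base64.strict_decode64(cookie)
  iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag                     # GCM tag is checked in #final
  payload = JSON.parse(cipher.update(ct) + cipher.final)
  return nil unless payload['uid'] == user_id && payload['exp'] > now
  payload
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError, JSON::ParserError
  nil                                       # tag mismatch or malformed => unknown device
end

# Decision from the case list: suppress the email only when BOTH the device
# cookie is valid and the IP address equals the last sign-in IP exactly.
def send_unknown_sign_in_email?(key:, cookie:, user_id:, current_ip:, last_ip:, now: Time.now.to_i)
  device_known = !read_device_cookie(key, cookie, user_id, now: now).nil?
  ip_known = !last_ip.nil? && current_ip == last_ip   # exact match, no IPv6 prefix matching
  !(device_known && ip_known)
end
```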