Add cookie to known sign in check
What does this MR do?
Related to #218692 (closed)
Previously, GitLab only validated a user's remote IP address when checking whether a sign-in was known. This adds an encrypted cookie with an expiry. An unknown sign-in email will only be sent if neither the remote IP nor the cookie can be validated. This should dramatically reduce the number of unknown sign-in emails, since many users use the same browser even when their IP address fluctuates.
This uses the built-in Rails encrypted cookies. Based on my understanding of the PR that added the encrypted cookie expiry feature (https://github.com/rails/rails/pull/30121), this is secure against cookie replay after expiration. The cookie expiration is not only set on the cookie itself, so that the browser will expire the cookie and no longer present it after expiration; if the cookie expiration is tampered with, Rails will invalidate the cookie, because the expiration value is also encrypted in the cookie value. In this regard, the implementation should be safe. EDIT: See !34102 (comment 357569212) for discussion with the security team on this implementation. TL;DR - They agree it's a secure implementation.
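The following is an added illustration of the check described above; it is not GitLab's or Rails' code. It stands in for the Rails encrypted cookie jar with a small AES-256-GCM wrapper that encrypts the value together with its expiry, so an expired cookie is rejected and any edit to the ciphertext (including the embedded expiry) fails authentication. The 14-day lifetime, the `user` hash shape and the method names are assumptions made for the example.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed stand-in for a Rails encrypted cookie with an embedded expiry.
# The expiry is serialized inside the encrypted payload, so tampering with it
# is detected by the GCM authentication tag, and an expired cookie is rejected
# even if the browser still presents it.
class ExpiringEncryptedCookie
  CIPHER = "aes-256-gcm"

  def initialize(secret)
    @key = OpenSSL::Digest::SHA256.digest(secret) # derive a 32-byte key (example only)
  end

  # Encrypt value + expiry together; returns "ciphertext--iv--tag" (base64 parts).
  def encrypt(value, expires_in:, now: Time.now)
    payload = JSON.generate("value" => value, "exp" => (now + expires_in).to_i)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ""
    ciphertext = cipher.update(payload) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join("--")
  end

  # Returns the stored value, or nil if the cookie is missing, malformed,
  # tampered with (auth tag mismatch) or past its embedded expiry.
  def decrypt(cookie, now: Time.now)
    return nil unless cookie.is_a?(String)
    parts = cookie.split("--")
    return nil unless parts.size == 3
    ciphertext, iv, tag = parts.map { |p| Base64.strict_decode64(p) }
    return nil unless tag.bytesize == 16
    decipher = OpenSSL::Cipher.new(CIPHER).decrypt
    decipher.key = @key
    decipher.iv = iv
    decipher.auth_tag = tag
    decipher.auth_data = ""
    payload = JSON.parse(decipher.update(ciphertext) + decipher.final)
    return nil if payload["exp"] <= now.to_i
    payload["value"]
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end

KNOWN_SIGN_IN_COOKIE_EXPIRY = 14 * 24 * 60 * 60 # assumed 14 days, not a value from the MR

# Send the "unknown sign-in" email only when neither the remote IP (the
# pre-existing check) nor the encrypted cookie (the new check) identifies the
# user. `user` is a hash like { id: 42, last_sign_in_ip: "203.0.113.5" }.
def unknown_sign_in?(user, remote_ip:, cookie:, jar:, now: Time.now)
  return false if user[:last_sign_in_ip] == remote_ip       # known by IP
  return false if jar.decrypt(cookie, now: now) == user[:id] # known by cookie
  true
end

# Issue the cookie value to set after a sign-in the user has confirmed.
def known_sign_in_cookie(user, jar:, now: Time.now)
  jar.encrypt(user[:id], expires_in: KNOWN_SIGN_IN_COOKIE_EXPIRY, now: now)
end
```

In the real Rails jar the same property comes from `cookies.encrypted[...] = { value:, expires: }`, where the expiry is part of the encrypted message rather than only the cookie attribute the browser sees.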
Screenshots
Does this MR meet the acceptance criteria?

Conformity

- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content

Availability and Testing

- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team