Ticket UUID: 6c68067abb19bad2b1c548f91fc928975a9815c6
Title: Request an option to allow cookies to not rely on IP address
Status: Open
Type: Feature_Request
Severity: Minor
Priority:
Subsystem:
Resolution: Open
Last Modified: 2010-03-03 01:06:57
Version Found In:
Description & Comments:
Those of us on non-static-IP DSL or cable connections have our IP addresses changed periodically (sometimes as often as every day). As a result, our Fossil login cookies become invalid, which is very annoying.

If it is not desirable to generally allow non-IP-based cookies, it would be nice to at least have an option to permit them for those of us who would like to manage our repositories and cookies differently.

N.B. -- this issue also affects those of us who log in from different locations (something I do almost every day).


anonymous claiming to be Ross Berteig added on 2010-03-03 01:06:57:
See this message to fossil-users from Kyle McKay describing one (largely untested) quick hack to get this effect. I plan to play with this a little myself since I would like to not lose sessions when working with tickets on my internal server over a VPN from home.

The big web community sites do this (e.g. Facebook, Yahoo, Google) and don't seem to be hugely worried about security issues, so it must be possible to achieve. Whether it is practical to achieve and still maintain "enough" security is not obvious to me.