Suspicious login notification
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
KARL4 | Fix Released | High | Carlos de la Guardia |
Bug Description
tl;dr If a username is logged into from a "strange" place, send the user an email.
Users have a primary browser on a primary computer. Occasionally they'll log in from their home computer or phone. Far less often, they'll log in from some random browser/computer (Internet cafe, etc.)
If a login is hijacked, it will be used in a completely new browser/computer. The user should be emailed that their login is being used from a new "device" (browser+computer combination).
Specs
- When someone logs in, set a persistent, random cookie that identifies that "device" (browser+computer)
- If they log in again, we'll get the cookie and know that they are from a "trusted" device
- If they log in again and there's no cookie (including the very next login after we roll this out), they'll get an email
- If for some reason they lose the cookie, we'll treat that login as if it was from an untrusted device
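The spec above worked through as an added example (not KARL's own code): the device token is a random bearer value stored only as a hash, and it is bound to the user it was issued to, so a cookie picked up on a shared computer does not make a login to someone else's account "trusted". The cookie name, the in-memory store and the email callback are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "karl_device"  # hypothetical cookie name, not from the original page


def _hash(token):
    # Store only a digest; a database leak then does not hand out usable device cookies.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class DeviceStore:
    """Per-user set of hashed device tokens (in-memory stand-in for the real persistence)."""
    hashes: dict = field(default_factory=dict)

    def remember(self, username, token):
        self.hashes.setdefault(username, set()).add(_hash(token))

    def is_trusted(self, username, token):
        # No cookie at all (first login after rollout, or a lost cookie) is untrusted.
        if not token:
            return False
        wanted = _hash(token)
        # Only tokens issued to *this* user count; compare in constant time.
        return any(hmac.compare_digest(wanted, h) for h in self.hashes.get(username, ()))


def issue_device_token(store, username):
    # Random, unguessable value that the browser keeps as a persistent cookie.
    token = secrets.token_urlsafe(32)
    store.remember(username, token)
    return token


def process_login(store, username, cookies, send_email):
    """Return (trusted, token_to_set). Emails the user when the device cookie is missing or unknown."""
    token = cookies.get(COOKIE_NAME)
    if store.is_trusted(username, token):
        return True, None
    send_email(username, "A login to your account was made from a new device.")
    # Trust this device from now on; losing the cookie simply triggers the email again next time.
    return False, issue_device_token(store, username)
```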
Changed in karl4:
status: New → In Progress
Changed in karl4:
status: Fix Committed → Fix Released
Nat, can you provide the text that you'd like to send out in the email, and also confirm the writeup on this?
Carlos, this takes precedence over bug work.