Add cookie to known sign in check

Drew Blessing requested to merge dblessing_known_sign_in_jwt into master

What does this MR do?

Related to #218692 (closed)

Previously GitLab only validated a user's remote IP address when checking if the sign in was known. This adds an encrypted cookie with an expiry. An unknown sign in email will only be sent if neither the remote IP nor the cookie can be validated. This should dramatically reduce the number of unknown sign in emails since many users use the same browser even when their IP address might fluctuate.

This uses the built-in Rails encrypted cookies. Based on my understanding of the PR that added the encrypted cookie expiry feature (https://github.com/rails/rails/pull/30121) this is secure against cookie replay after expiration. The cookie expiration is not only set on the cookie itself such that the browser will expire the cookie and no longer present it after expiration, but if the cookie expiration is tampered with Rails will invalidate the cookie because the expiration value is also encrypted in the cookie value. In this regard, the implementation should be safe. EDIT: See !34102 (comment 357569212) for discussion with the security team on this implementation. TL;DR - They agree it's a secure implementation.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
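As an added illustration, not code from this MR or from Rails itself, the following stdlib-only Ruby stand-in shows the property the description relies on: the expiry travels inside the authenticated ciphertext, so an expired, tampered or foreign cookie is rejected on read and the known sign-in decision falls back to the remote IP check. The class and method names, the cookie format and the 32-byte key are assumptions made for this example.

```ruby
require "openssl"
require "json"
require "base64"
require "time"

# Stand-in for Rails' encrypted cookie jar (AES-256-GCM): the expiry is part of
# the authenticated payload, so browser-side cookie attributes cannot extend it.
class KnownSignInCookie
  CIPHER = "aes-256-gcm"

  def initialize(secret) # assumed 32-byte key, supplied by the caller
    @key = secret
  end

  # Encrypts and authenticates {user_id, expires_at}; returns the cookie value.
  def generate(user_id, ttl_seconds, now: Time.now)
    payload = { "user_id" => user_id, "expires_at" => (now + ttl_seconds).utc.iso8601 }.to_json
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ""
    ciphertext = cipher.update(payload) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
  end

  # Returns the user_id if the cookie authenticates and has not expired, else nil.
  def read(cookie, now: Time.now)
    ciphertext, iv, tag = cookie.to_s.split("--").map { |p| Base64.strict_decode64(p) }
    return nil unless tag && tag.bytesize == 16
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    data = JSON.parse(cipher.update(ciphertext) + cipher.final)
    return nil if Time.iso8601(data["expires_at"]) <= now # expiry checked from the decrypted value
    data["user_id"]
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError, JSON::ParserError
    nil # wrong key, tampered bytes or malformed cookie: treated as no cookie at all
  end
end

# The MR's decision rule: the sign-in is known when either the remote IP or the
# cookie vouches for this user; only when both fail would the email be sent.
def known_sign_in?(user_id, known_ips, remote_ip, cookie_jar, cookie, now: Time.now)
  known_ips.include?(remote_ip) || cookie_jar.read(cookie, now: now) == user_id
end
```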