Type: Improvement
Resolution: Fixed
Priority: Minor
Affects versions: 3.7.2, 4.0
Affected branches: MOODLE_37_STABLE, MOODLE_400_STABLE
Fixed branch: MOODLE_400_STABLE
Pull master branch: MDL-66776-master
This issue is about generating notifications (the user can always opt out) about user logins from new devices.
As you know, this is commonly available on other platforms (Google, Netflix, etc.), and it is a really nice security improvement.
The solution is very simple and has been developed in a privacy-driven way, using existing data we already hold for the user and avoiding fingerprinting our users.
How can we detect new devices?
For Moodle LMS (web): when we detect that a new MoodleSession cookie is set and the IP address differs from the most recent one recorded for the user. This happens when the user is using a new browser, or when they closed the browser session (restarted the computer, for example) and are now connecting from a different IP than the one last used to connect to Moodle.
I've done several tests and this works pretty well, considering that most computer users do not close their browsers (they just keep them open and suspend the computer), but even if they restart the computer, we will still check the last IP used (which should not change much unless you are using a mobile device).
For the Moodle app: this is a bit trickier because we can have users using the standard Moodle app, custom apps or web apps. Apart from that, the token can be valid for several months, so I only check when a new login is done.
In this case, I first check the IP address (we can't set cookies), and if it has changed then, if the user is using the official Moodle app or a BMA, I check whether a new device was added to the table of known devices (user_devices) after login. If so, it means it is a new device, so only in that case will I send a notification.
To summarise:
LMS:
Existing MoodleSession cookie: Notification not sent
New MoodleSession cookie, same IP: Notification not sent
New MoodleSession cookie, different IP: Notification sent
App:
New login, same IP: Notification not sent
New login, different IP but known device: Notification not sent
New login, different IP and new device: Notification sent
The implementation is not perfect, but it is simple, avoids collecting new data (privacy safe) and works for most cases. Furthermore, the user can always opt out in their notification preferences if they find it annoying. That said, I foresee some organisations making this notification mandatory/forced for security purposes.
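The decision table above, as an added Python model over constructed login events (this is illustrative code, not Moodle's own implementation): it keeps only the data the description says already exists for the user (last IP, the last MoodleSession cookie stored as a hash, the device ids from user_devices) and returns whether a notification is due. The names LoginState, web_login, app_login and the sample IPs and device ids are assumptions; so is the handling of clients that register no device id (custom apps and web apps), which the description does not specify, and of the very first login, where there is no previous IP to compare against.

```python
"""Added model of the new-device login notification rules (not Moodle code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LoginState:
    """Per-user data the check consults. Each piece already exists in Moodle for
    other purposes (last IP, session cookie, user_devices); nothing new is collected."""
    last_ip: Optional[str] = None
    session_hash: Optional[str] = None                   # hash of the last seen MoodleSession cookie
    known_devices: set[str] = field(default_factory=set)  # mirrors the user_devices table


def session_fingerprint(cookie: str) -> str:
    """Keep a hash, never the cookie itself: the stored value must not be usable as a session id."""
    return hashlib.sha256(cookie.encode()).hexdigest()


def web_login(state: LoginState, cookie: str, ip: str) -> bool:
    """LMS (web) rule: notify only when the MoodleSession cookie is new AND the IP
    differs from the last one recorded. Assumption: a first login (no previous IP)
    only establishes the baseline and sends nothing."""
    fp = session_fingerprint(cookie)
    new_session = state.session_hash != fp
    new_ip = state.last_ip is not None and ip != state.last_ip
    notify = new_session and new_ip
    state.session_hash = fp
    state.last_ip = ip
    return notify


def app_login(state: LoginState, ip: str, device_id: Optional[str]) -> bool:
    """App rule, evaluated once per new login (new token): check the IP first; if it
    changed and the client registered a device id (official app / BMA), notify only
    when that id was not already in user_devices. device_id=None models a custom app
    or web app that registers nothing; assumption: with no device record the device
    cannot be shown to be new, so no notification is sent."""
    new_ip = state.last_ip is not None and ip != state.last_ip
    new_device = device_id is not None and device_id not in state.known_devices
    notify = new_ip and new_device
    if device_id is not None:
        state.known_devices.add(device_id)   # the device is now known for future logins
    state.last_ip = ip
    return notify


def run_decision_table() -> list[tuple[str, bool]]:
    """Replays the summary table from the issue on constructed input (sample IPs
    are documentation ranges; cookie values and device ids are made up)."""
    state = LoginState()
    results: list[tuple[str, bool]] = []
    web_login(state, "sess-A", "203.0.113.10")  # first login: baseline only
    results.append(("web: existing cookie, same IP",
                    web_login(state, "sess-A", "203.0.113.10")))
    results.append(("web: existing cookie, different IP",
                    web_login(state, "sess-A", "198.51.100.7")))
    results.append(("web: new cookie, same IP",
                    web_login(state, "sess-B", "198.51.100.7")))
    results.append(("web: new cookie, different IP",
                    web_login(state, "sess-C", "192.0.2.44")))
    results.append(("app: new login, same IP",
                    app_login(state, "192.0.2.44", "android-1")))
    results.append(("app: new login, different IP, known device",
                    app_login(state, "198.51.100.7", "android-1")))
    results.append(("app: new login, different IP, new device",
                    app_login(state, "203.0.113.10", "ios-9")))
    return results


if __name__ == "__main__":
    for label, notify in run_decision_table():
        print(f"{label}: {'notification sent' if notify else 'not sent'}")
```

Only the two "different IP and new session/device" rows produce a notification; a reused cookie or a known device never does, whatever the IP, which is exactly the trade-off the description accepts in exchange for not fingerprinting users.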
Message could be something like:
New login to your SITENAME account
_Hi XX,
we've noticed a new login with your MOODLE SITE NAME () account:
Device: Android
Location: Barcelona, Spain
IP:
Time: 19:20
If you didn't log in, please change your password and select the option "Logout from all my devices" in your Moodle site profile._
- caused a regression: MDL-73391 Unit test failure in master branch undefined function external_generate_token_for_current_user (Closed)
- has a non-specific relationship to: MDL-74824 Custom change password URL is not included in login notification messages (Closed); MDL-75342 Login from new IP email improvements (Open)
- has been marked as being related by: MDL-73558 Change password URLs and external authentication (Open); MDL-75666 Identify same browser login by cookie instead of by IP (Waiting for peer review)
- is duplicated by: MDL-69298 Successful Login Notification to protect users from potential impersonation (Closed)