Send notifications when new devices are used to log in into the site
Description
Testing Instructions
Prerequisite
MailHog or similar tool to capture emails coming out from Moodle
The Moodle mobile app installed
Tests should be performed using the Chrome or Firefox incognito mode (instructions are for Chrome)
Test notifications are not sent when using the same browser and changing IP
Open a new browser in incognito mode (do not close it until the end of this test)
Login to the Moodle site
Logout but keep the incognito browser open
Set a false IP for the user you just used: UPDATE `mdl_user` SET `lastip` = '1:2:3:4:5:6:7:1' WHERE `mdl_user`.`id` = YOUR_USER_ID;
Login again in the same incognito browser
Inspect your database, table mdl_task_adhoc and confirm that:
The table is empty (there are no notification tasks scheduled)
Close the browser
Test notifications are not sent when using same IP but a different browser
Open a new browser in incognito mode
Login to the Moodle site
Logout
Remove the MoodleSession cookie (using the browser developer tools -> Application -> Cookies) and close the incognito browser instance
Open again a browser instance in incognito mode
Login again
Inspect your database, table mdl_task_adhoc and confirm that:
The table is empty (there are no notification tasks scheduled)
Close the browser
Test notifications are sent when using a new browser and different IP
Open a new browser in incognito mode
Login to the Moodle site
Logout
Set a false IP for the user you just used: UPDATE `mdl_user` SET `lastip` = '1:2:3:4:5:6:7:1' WHERE `mdl_user`.`id` = YOUR_USER_ID;
Remove the MoodleSession cookie and close the browser instance
Open again the browser in incognito mode
Login again
Inspect your database, table mdl_task_adhoc and confirm that:
The table is NOT empty
There is a scheduled task: \core\task\send_login_notifications
Open a terminal and run the Moodle site cron (php admin/cli/cron.php)
Confirm that:
The student has received an email via MailHog indicating that there is a new sign in into your site account
Please note that before performing these tests, you need to check that you are assigned the same public IP in all your devices (computer and phone)
Mobile: Notification sent new device and different IP
Fresh install the Moodle app on a mobile device
Login to the Moodle site
Inspect your database, table mdl_task_adhoc and confirm that:
The table is NOT empty
There is a scheduled task: \core\task\send_login_notifications
Wait two minutes (because the ad-hoc task is scheduled)
Open a terminal and run the Moodle site cron (php admin/cli/cron.php)
Confirm that:
The student has received an email via MailHog indicating that there is a new sign in into your site account, including a UserAgent that is the same one you can check in the Mobile app settings -> About -> Device info -> Navigator userAgent
Inspect your database again, reload the contents of table mdl_task_adhoc and confirm that:
The table is empty
Mobile: Notification not sent in new login
Click the option "Change site" in the more menu in the mobile app (three vertical lines) to quit the site
Login to the Moodle site again using the + icon at the bottom right (you will be asked again to enter your site URL, username and password)
Inspect your database, table mdl_task_adhoc and confirm that:
The table is empty
Mobile: Notification not sent in new login with same device and different IP
Click the option "Change site" in the more menu in the app (three vertical lines) to quit the site
Set a false IP for the user you just used: UPDATE `mdl_user` SET `lastip` = '1:2:3:4:5:6:7:1' WHERE `mdl_user`.`id` = YOUR_USER_ID; OR alternatively connect your phone to a different network so you get a different IP assigned
Login to the Moodle site again using the + icon at the bottom right (you will be asked again to enter your site URL, username and password)
Inspect your database, table mdl_task_adhoc and confirm that:
The table is NOT empty
Wait two minutes (because the ad-hoc task is scheduled)
Open a terminal and run the Moodle site cron (php admin/cli/cron.php)
Confirm that:
You don't receive any notification
Inspect your database, table mdl_task_adhoc and confirm that:
The table is empty
Activity
Removing docs_required label as this has been documented, as has the method of disabling the notification: https://docs.moodle.org/en/Site_notifications#How_to_remove_.22New_sign_in_to_your_account.22_notification
Dear All,
Is there a way to disable this notification from admin panel?
Thanks
Jaswant
I just found this and am excited as this has been on our radar for a while - I've made https://moodle.atlassian.net/browse/MDL-75342#icft=MDL-75342 to follow up on hardening the security and improving its UX generally.
Hi Juan Leyva,
I checked my emails. Since I have several user accounts on several devices under different IPs, I don't think this works for my case. Even if students work mobile with the browser and the IP address changes often, it won't work. I have now deactivated the function.
Thanks for your reply anyway and have a nice day!
Kind regards
Pit
Hi Peter,
at the end of the description of this issue, you'll find a summary of the different use cases.
If still using the same browser you'll get the login notifications because something is going on in your browser. Are you always using the incognito mode, maybe? Do you have any plugin that removes cookies?
Details
This issue is about generating notifications (user can always opt-out) about user logins from new devices.
As you know, this is commonly available on different platforms (Google, Netflix, etc...), it is a really nice security improvement.
The solution is very simple and it has been developed in a privacy-driven way, using existing data we already have for the user and avoiding fingerprinting our users.
How can we detect new devices?
For Moodle LMS (web): When we detect a new MoodleSession cookie is set and the most recent IP is not being used. This happens when the user is using a new browser or when he closed the browser session (restarted the computer for example) and he is connecting from a different IP than the last used to connect to Moodle.
I've done several tests and this works pretty well, considering that most computer users do not close browsers (they just keep them open and suspend the computer), but even if they restart the computer, we will still check the last IP used (that should not change much unless you are using a mobile device).
For the Moodle app: This is a bit trickier because we can have users using the standard Moodle app, custom apps or webapps. Apart from that, the token can be valid for several months, so I only check when a new login is done.
In this case, I first check the IP address (we can't set cookies) and if it has changed then, if the user is using the official Moodle app or a BMA, I check if a new device was added to the table of known devices after login (user_devices), if so, it means it is a new device so only in that case I will send a notification.
To summarise:
LMS:
Existing MoodleSession cookie: Notification not sent
New MoodleSession cookie, same IP: Notification not sent
New MoodleSession cookie, different IP: Notification sent
App:
New login, same IP: Notification not sent
New login, different IP but known device: Notification not sent
New login, different IP and new device: Notification sent
The implementation is not perfect but is simple, avoids collecting new data (privacy safe) and it works for most cases. Furthermore, the user can always opt-out in his notifications preferences if this is annoying for them. Although, I foresee some organisations making this notification mandatory/forced for security purposes.
Message could be something like:
New login to your SITENAME account
Hi XX,
we've noticed a new log-in with your MOODLE SITE NAME () account:
Device: Android
Location: Barcelona, Spain
IP:
Time: 19:20
If you didn't log-in, please, change your password and select the option "Logout from all my devices" in your Moodle site profile.
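
The summary table and the testing instructions above imply a two-stage decision: a task is queued at login, and for the app the device check happens later when the task runs. The following stand-alone model of that flow is an added example, not Moodle's own code; every function name and array key is hypothetical, and comparing device registration times with the login time is an assumption about how "a new device was added after login" could be checked.

```php
<?php
// Added illustration: function names and array keys are hypothetical, not Moodle APIs.

/** Stage 1, at login: should a notification task be queued at all? */
function should_queue_task(array $login, string $lastip): bool {
    if ($login['ip'] === $lastip) {
        return false;                       // same IP as last login: nothing is queued
    }
    if ($login['client'] === 'web') {
        return $login['newsessioncookie'];  // web also requires a new MoodleSession cookie
    }
    return true;                            // app: IP changed, device check is deferred
}

/** Stage 2, when the queued task runs: should the message be sent? */
function should_send(array $login, array $devicetimes): bool {
    if ($login['client'] === 'web') {
        return true;                        // web logins were fully decided in stage 1
    }
    // App (assumption): a device registered at or after this login is a new device.
    foreach ($devicetimes as $timecreated) {
        if ($timecreated >= $login['time']) {
            return true;
        }
    }
    return false;
}

/** Combine both stages into what a tester would observe. */
function outcome(array $login, string $lastip, array $devicetimes = []): string {
    if (!should_queue_task($login, $lastip)) {
        return 'no task queued';
    }
    return should_send($login, $devicetimes)
        ? 'task queued, notification sent'
        : 'task queued, no notification';
}

// Constructed sample logins (documentation IP ranges, arbitrary timestamps).
$web = ['client' => 'web', 'ip' => '203.0.113.9', 'time' => 1000, 'newsessioncookie' => true];
$app = ['client' => 'app', 'ip' => '203.0.113.9', 'time' => 1000];

echo outcome(['newsessioncookie' => false] + $web, '198.51.100.7'), "\n"; // same browser, new IP
echo outcome($web, '203.0.113.9'), "\n";               // new browser, same IP
echo outcome($web, '198.51.100.7'), "\n";              // new browser, new IP
echo outcome($app, '203.0.113.9', [400]), "\n";        // app, same IP
echo outcome($app, '198.51.100.7', [400]), "\n";       // app, new IP, known device
echo outcome($app, '198.51.100.7', [400, 1001]), "\n"; // app, new IP, new device
```

The fifth case corresponds to the mobile test where mdl_task_adhoc is not empty after login yet no email arrives once cron has run.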