Store a list of IP addresses that accessed an account, notify user if a new address logged in #4490
Comments
Notify as in e-mail or in-game notification?
Implementing this approach could bolster the app's security.
And I have a question here: are notifications applicable to users with unverified email addresses?
Not sure, maybe? But if they haven't verified, that means the email might not even exist.
Or maybe the user has not completed the verification step.
@Miodec Do you find the proposed approach promising? If so, am I clear to proceed with its implementation?
Yeah, sure
@Shubham10102000 have you made any progress with this? The logic should be pretty simple, I'm just not sure where it could be implemented.
I'm going to step in just to give my opinion: this should be opt-in, aka turned off by yourself, and the user may turn it on if he wants to do so, you know, just to make more private folks happy.
IP addresses are already accessible through log files. In general, storing them is a gray area due to how little personal information they contain. An opt-out would be good, but I don't see storing them by default to be a privacy concern. I would love to hear anybody else's opinion though, since I am storing IPs on my own web app without informing the visitor, and I'm not sure if that is allowed.
As long as you specify in your privacy policy that you are storing user IPs, and the reason behind it, legally you're fine. As for the privacy behind storing IPs, in my opinion, having the increased security of being able to notify the user that their account is being accessed from somewhere else is a good trade-off.
@Miodec What is the server-side deployment strategy here? Specifically, if Nginx is being used, will it require configuration to obtain the public IP address in the Express app for tasks such as saving the IP and other related actions?
IPs can be grabbed from the headers, for example:
How about this opt-out just removing the IP checking part? So every time somebody logs into the account we send them an email with an IP, but don't store it for the user who opted out. We can probably implement that by just not storing the IPs of those who opted out, and the rest of the logic is the same.
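The two ideas discussed above (reading the client address from proxy headers, and an opt-out that mails every login without storing anything), as an added example that is not part of the thread or of the project's code. It assumes Nginx runs on the same host and appends the peer address to `X-Forwarded-For`; `clientIp`, `onLogin` and `TRUSTED_PROXIES` are hypothetical names.

```javascript
// Added example; every name here is hypothetical, not Monkeytype code.
// Assumption: Nginx on the same host appends the peer address to X-Forwarded-For.
const TRUSTED_PROXIES = new Set(["127.0.0.1"]);

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
const norm = (addr) => addr.replace(/^::ffff:/i, "");

// Believe X-Forwarded-For only when the TCP peer is our own proxy; a client
// connecting directly could put any address in that header.
function clientIp(remoteAddr, headers) {
  const peer = norm(remoteAddr);
  const xff = headers["x-forwarded-for"];
  if (!xff || !TRUSTED_PROXIES.has(peer)) return peer;
  // The right-most entry that is not one of our proxies is the address our
  // proxy saw; entries further left were supplied by the client.
  const hops = xff.split(",").map((h) => norm(h.trim())).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return peer;
}

// store: Map of uid -> Set of addresses seen at login.
function onLogin(store, uid, ip, optedOut) {
  if (optedOut) {
    store.delete(uid); // nothing is kept for opted-out users
    return { notify: true, stored: false }; // so every login is mailed
  }
  const known = store.get(uid) ?? new Set();
  const isNew = !known.has(ip); // any address not seen before triggers a mail
  store.set(uid, known.add(ip));
  return { notify: isNew, stored: true };
}

// Constructed sample logins (documentation address ranges).
const store = new Map();
const ip = clientIp("::ffff:127.0.0.1", { "x-forwarded-for": "10.0.0.1, 203.0.113.7" });
console.log(ip, onLogin(store, "u1", ip, false), onLogin(store, "u1", ip, false));
```

In an Express app, the `trust proxy` setting makes `req.ip` resolve the address in the same right-to-left way, so the header does not have to be parsed by hand.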
Hey @Miodec, I can see that you have stored the IP address, but what about the notification?
I'll be adding the email soon. Just testing the code in a production environment.
@monkeytypegeorge this is outrageous for so many reasons; let me give you a SMALL list why. Privacy: users might not want their IP addresses stored without permission.
No description provided.