>>>http://bugzilla.mozilla.org/show_bug.cgi?id=20122
>>>So long actually that I didn't read it :-)
>>
>>Read it. Basically it's just a security measure against a cookie stealing
>>attack.

Bugzilla accepts attachments from basically anyone, and serves them up to you. An HTML attachment with a script could easily steal your cookies when you viewed it. Restricting to a single IP means that the login cookie is useless to the thief.

>>There is a patch for this case attached to the bug report but it doesn't
>>seem to be optimal, at least not clean enough for committing it.

bbaetz is still working on it, but he's very busy. The current patch didn't get review, and it'll have rotted a fair bit by now. A refreshed patch submitted by someone from the KDE project would be very welcome.

I'd go for the SQWebmail solution - a "restrict to your IP address" option on the login screen, checked by default. Unchecking it allows any IP in your Class C to use your cookie. Optionally, the size of the class could be admin-configurable. I think bbaetz' patch is along these lines.

> Right. My fix would be to put the IP in the cookie path. That would solve
> the actual problem that your cookie for IP A goes away as soon as IP B
> appears. Of course you still had to relogin on IP change.

Er... so how does that fix anything, then? :-) The idea is to not have to relogin on IP change.

Gerv
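
Added example, not part of the original message and not the patch on the bug: a sketch of the "restrict to your IP address" login option discussed above, with the cookie bound either to the exact login address or to its Class C (/24). The class name, the in-memory session table, the IPv4-only handling and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import secrets

STRICT_PREFIX = 32    # box checked: cookie valid from the login address only
RELAXED_PREFIX = 24   # box unchecked: the login address's "Class C" (assumed default)


class LoginCookieStore:
    """Hypothetical server-side table of login cookies (IPv4 only)."""

    def __init__(self, relaxed_prefix=RELAXED_PREFIX):
        # relaxed_prefix stands in for the admin-configurable class size.
        self.relaxed_prefix = relaxed_prefix
        self._sessions = {}  # cookie value -> (user, allowed network)

    def login(self, user, client_ip, restrict_to_ip=True):
        """Issue a cookie; restrict_to_ip mirrors the login-screen checkbox."""
        prefix = STRICT_PREFIX if restrict_to_ip else self.relaxed_prefix
        # strict=False masks off the host bits, e.g. 192.0.2.10/24 -> 192.0.2.0/24
        network = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (user, network)
        return cookie

    def validate(self, cookie, client_ip):
        """Return the user if the cookie is known and sent from an allowed address."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        user, network = entry
        if ipaddress.ip_address(client_ip) not in network:
            return None  # cookie presented from outside the bound network
        return user


def demo():
    """Constructed addresses from the documentation ranges (RFC 5737)."""
    store = LoginCookieStore()
    strict = store.login("alice", "192.0.2.10")
    relaxed = store.login("alice", "192.0.2.10", restrict_to_ip=False)
    return {
        "strict_same_ip": store.validate(strict, "192.0.2.10"),
        "strict_other_network": store.validate(strict, "203.0.113.5"),
        "strict_same_class_c": store.validate(strict, "192.0.2.77"),
        "relaxed_same_class_c": store.validate(relaxed, "192.0.2.77"),
        "relaxed_other_network": store.validate(relaxed, "203.0.113.5"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```

With the box checked, a cookie replayed from any other address is rejected; with it unchecked, an address change inside the same /24 keeps the session, while a cookie replayed from another network still fails.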