Page MenuHomePhabricator
Create Task
Maniphest T395838

Consider using IP range instead of single IPs for LoginNotify
Open, Needs TriagePublicFeature
Actions

Description

Feature summary:

  • LoginNotify currently checks if a user recently used the wiki from the same device or IP address.
  • Consider checking for the same IP range instead of the IP address – at least the /64 range for IPv6, but ideally (larger) ranges for both IPv4 and IPv6.

Use cases:

  • With the recent changes to the EmailAuth configuration, the number of good faith editors being asked for a verification code during their login process has increased a lot (based on feedback from dewiki users, e.g. in these threads: 1, 2, 3, 4, 5).
  • Many users are affected because they are frequently deleting their cookies and their IP is changing frequently as well. While they could consider making an exemption for WMF cookies, some users don't want to make any exemptions (or don't know how to do that) due to privacy concerns (or low technical knowledge). This leads to frequent requests to enter a verification code which some perceive as annoying.
  • Looking for known IP ranges instead of just a known IP would mitigate those issues for good faith editors and make sure the feature primarily affects login attempts which are actually risky – it's unlikely that hackers are using the same IP range.
  • I've seen at least one user stating that he's removed his email in order to avoid the verification codes which is the opposite of what's intended with the new security feature.

Benefits:

  • Less good faith editors being annoyed about verification requests despite using their usual device and their usual IP range.
  • Higher acceptance of EmailAuth – avoid more users just removing their email in order to stop receiving verification requests.

Event Timeline

Johannnes89 created this task.Jun 2 2025, 7:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 2 2025, 7:03 PM
Tgr renamed this task from Consider using IP range instead of single IPs for EmailAuth to Consider using IP range instead of single IPs for LoginNotify.Jun 2 2025, 9:53 PM
Tgr added a project: MediaWiki-extensions-LoginNotify.
Tgr updated the task description. (Show Details)
Restricted Application added a project: Community-Tech. · View Herald TranscriptJun 2 2025, 9:53 PM
Tgr subscribed.Jun 2 2025, 9:55 PM

I thought we had a task for this already (the IPv6 /64 part at least) but can't find it.

I've seen at least one user stating that he's removed his email in order to avoid the verification codes which is the opposite of what's intended with the new security feature.

If you don't have an email address, you need to pass a captcha instead. Not sure if that's more convenient.

Johannnes89 added a comment.Jun 2 2025, 10:07 PM

Thanks for updating the task! Just to make sure there's no misunderstanding: I was talking about the verification codes introduced by https://www.mediawiki.org/wiki/Help:Extension:EmailAuth – is that LoginNotify?

Tgr added a comment.Jun 2 2025, 10:13 PM

LoginNotify determines whether the IP is known. Other extensions including EmailAuth rely on it.

kostajh added a comment.Jun 10 2025, 10:55 AM

Hmm. It looks like LoginNotify::getIPNetwork is already supposed to be returning the /24 or /64 network, which is then used for constructing the hash that's stored in the loginnotify_seen_net table:

	/**
	 * Get just network part of an IP (assuming /24 or /64)
	 *
	 * It would be nice if we could use IPUtils::getSubnet(), which also gets
	 * the /24 or /64 network in support of a similar use case, but its
	 * behaviour is broken for IPv6 addresses, returning the hex range start
	 * rather than the prefix. (T344963)
	 *
	 * @param string $ip Either IPv4 or IPv6 address
	 * @return string Just the network part (e.g. 127.0.0.)
	 */
	private function getIPNetwork( $ip ) {
AntiCompositeNumber subscribed.Jun 26 2025, 6:19 PM

An IPv6 /64 is likely too small for most mobile providers -- they tend to be significantly more dynamic than that.

DerHexer subscribed.Jun 26 2025, 6:20 PM
kostajh added a comment.Jun 26 2025, 6:39 PM
In T395838#10951810, @AntiCompositeNumber wrote:

An IPv6 /64 is likely too small for most mobile providers -- they tend to be significantly more dynamic than that.

Do you have a suggestion for what range we should consider for IPv6?

Johannnes89 added a comment.Aug 18 2025, 4:14 PM
In T395838#10951898, @kostajh wrote:
In T395838#10951810, @AntiCompositeNumber wrote:

An IPv6 /64 is likely too small for most mobile providers -- they tend to be significantly more dynamic than that.

Do you have a suggestion for what range we should consider for IPv6?

Something between /40 and /44 is what I typically encounter when performing CU, that seems like a typical range size for many good faith editors as well.

Tgr added a comment.Aug 19 2025, 9:09 AM

Could also limit allowing a larger subnet to the case when the user has used several different /64s in the last three months.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits