We're batting around the idea of checking the IP persistently across the entire session. The argument is mostly around session-hijacking, roaming laptops, etc.

As it would cause an extra call for admins with every page, it's more aggressive than some might care for, so the option.

It'd be something kind of like this for xxx.module:

+ if ($user -> uid > 0 && variable_get('restrict_by_ip_persistent', 'no') == 'yes')
+ return _restrict_by_ip_login($user);

Comments

james.wilson’s picture

james.wilson commented
Status: Active » Closed (fixed)

This has been completed in 6.x-3.x version. IP is persistently checked to ensure no stale session data gives access.