<!here> we’re designing the API and data model for...
# talk-kratos
h
<!here> we’re designing the API and data model for managing additional session information (device, IP, location, …). We’re struggling a bit with the design and appreciate input. @high-leather-33936 is leading the effort! https://github.com/ory/kratos/pull/2715#issuecomment-1243533789 Thank you for your help
m
One small comment I would have is it might be less data stored/more usable to put LastSeen at the session level rather than the client level. Unless there’s a particular need to know when a particular combination of IP/UA/location/whatever was last seen.
h
Thank you! We’ll probably remove last_seen for now, because it doesn’t scale well if you write this for every time the session is validated
This was a common problem back in the day for PHPBB 😅
m
Yeah quite. When you had a whole process per request and 8 users
If you did want to implement a low-resolution version of it you could write it up to once per hour, but maybe that’s a separate enhancement for another PR.
h
Yeah, our thought as well. We still need to think about it in the design though
m
I’d still say if you do get to implementing it that it’s easier to calculate how long it’s been since you last wrote to it if you put it at the session level
But yeah, for another time.
r
I would be 👎 on IP address, or at least remove a digit to keep it gdpr-friendly 😉
@high-optician-2097 is this something kratos populates, or something I can annotate, or how would that work?
I guess a `user-agent` is sufficient for me, then I just have to worry about setting one when I do an api call.
h
Hey, I wrote the IP derivation from the headers as part of the PR description. But here it is -
The priority sequence for Client IP derivation is -
• Cloudflare injected header - True-Client-IP
• Real IP header injected by reverse proxies like nginx - X-Real-IP
• X-Forwarded-For header that's a comma-separated list with each node's host IP in the request chain
• If none of the above work, fall back to Go's request RemoteAddr
r
Good to see that cloudflare is inventing its own thing
(note: sarcasm)
most frameworks have a trusted setting for x-forwarded-for, so you can't run a proxy in front of it and hijack the value. after all it's just a list of IPs 😄
h
We support it (see message from Ajay), so I don’t think there’s a problem here?
Storing an IP for security logging (IP Logging) is a legitimate reason, so it’s GDPR compliant. You still are not allowed to use it for analytics, but Ory Kratos doesn’t do analytics, it’s a security product
r
yeah, i just have to tell my users what i store 😉
the less i have to do that, the better
m
I guess another comment that might relate to that is for how long are these attributes stored?
h
That depends, we’ll implement it according to regulation in our cloud system for the relevant regulatory body. In open source, it’s free for all 😄
r
I guess it's gone when the session expires? 😄
(that would work for me)
f
Great news! looks good to us 🙂
h
This feature is now merged 🙂
r
@high-leather-33936 is this available in cloud ☁️ already?
h
@red-machine-69654 Not yet. I'll drop a message in this thread when it is. There will probably be an announcement too
Feature is available on Ory Network and is also in the latest Kratos release - https://github.com/ory/kratos/releases/tag/v0.11.0