> > Off the top of my head:
> >
> > * You step away from the computer and need to check something via your
> >   phone.
> >
> > * You lock your screen at work without logging out from guac, head home,
> >   and need to log in again.
> >
> > * You are using an anonymizing service which changes IP occasionally.
> >
> > - Mike
>
> Sure, all of the three cases are valid, but regardless of their
> justifiability they are a perfect case for an attacker to mask his activity.
>

This could be said of many different pieces of functionality, at many different levels across many different technologies. The perfectly secure computer is locked in a safe and completely powered off, but it isn't very useful. The perfectly usable computer is accessible to everyone with no restrictions, but lacks any notion of security. The rest of the spectrum is a trade between security and functionality. Perhaps in your use-case or environment restricting users to a single IP is a requirement or something that you strongly desire. That's great, you're welcome to implement it that way. For most of the rest of us, our ability to use the software from multiple IP addresses concurrently is an acceptable risk with beneficial functionality, and there are other risks that merit more time and attention - like multi-factor authentication.

> Whether to enable them or not is a matter of choice and a matter of
> required defense grade.
>

I agree, and if you'd like to implement a modification or an extension that restricts users to only log in from a single IP at a time, you are welcome to - the software is open source, and you can fork/modify/contribute to it. It's how I got started contributing to the project :-). However, you should understand that, because many other people don't consider this a requirement, it is unlikely that 1) it will be adopted as a default behavior of the software, or 2) that other developers will spend time implementing such a feature in the near-term.

-Nick
