Make "new login" notifications less spammy #5854
Hello @zulip/server-notifications members, this issue was labeled with the area: notifications label, so you may want to check it out!
I think location and long-lived cookie may be common practice here based on past experience with using my laptop when travelling (it seems to vary by product), though I'm sure the others could be helpful as well. @lfaraone do you have advice as to what the best practice is here?
@gnprice can you ask around and get some advice on this? My belief is we probably just want a long-lived signed cookie containing a list of dicts with e.g. User ID, IP, and any other data we eventually choose to add to this security feature (it can just be a JSON dict that grows over time). We do a list so we can handle the user having multiple accounts they use regularly. Then we can write a function with unit tests that handles this, but I think V1 would be: if the user has logged in before with that browser (aka has a cookie for that user ID), we skip the email; otherwise, we reject. Over time we can expand the function to include location/etc, but I don't want to block on integrating a geo-ip library.
@timabbott
FWIW, I could hardly disagree more with that statement. The only thing this will lead to is a kind of security fatigue making users ignore such emails. Every time a user gets a security warning that is a false positive, this leads to them caring slightly less about security warnings. Not showing any warning when everything is fine is almost as important as showing a warning when something goes wrong. These login notifications are not improving security. They are increasing the user's resistance against meaningful security-related error messages. I know of no other service that follows this practice, except for one vendor's VPS (virtual private server) control panel. That is a place that you rarely log in to and that has extremely high security impact, so it makes some sense. Doing this for a chat platform is... totally exaggerated.
If you are intending to recognize "same browser" by setting cookies, please note that, like any security-minded internet citizen, I have cookies set to clear on browser exit. If that means this will be a "new browser" each time, as far as Zulip is concerned, your changes won't help people that are willing to take some steps to protect their privacy.
@zulipbot claim
My original description apparently wasn't clear about this, so I'll try to be as clear as I can: I'm 100% in agreement that we send way too many of these notifications. That's what this issue is about.
Services I've gotten this kind of notification from in the past few months include (at least):
Of course they're much better at not sending them all the time; that's, again, what this issue is about.
There are a range of signals we could use; the general idea is just to identify "low-risk" vs "high-risk" logins, and send mail only for the latter. This is a useful point of data for choosing the combination of signals; thanks!
(Posting the LINK to the conversation of the current approach to solve this.)
There are two things to do here. One is that we need a user-level setting to disable these emails; this is useful for situations where the user is explicitly logging out a lot and wants that behavior (e.g. we heard from one user who clears cookies every time he closes his browser). The second is working on the signal stuff to provide fewer emails for users who aren't doing something like that.
Apparently that setting issue #5795. @shubhamdhama @pragatiagrawal31 I'd really love to see that worked on; I think it should be pretty quick and should relieve the main pain point here for users like @RalfJung. |
This adds a feature under "Notification" section of "Settings" tab, which lets user enable or disable login emails notification. Fixes: zulip#5854
This adds a feature under "Notification" section of "Settings" tab, which lets user enable or disable login emails notification. Tweaked by tabbott to simplify the test. Fixes: zulip#5854.
Just a quick update here: We've now merged #5795 (aka added a user setting for turning this feature off). @RalfJung this should be available on zulipchat.com in about a day if you'd like to try it out; I think for your usage model of removing cookies, you probably just want this feature disabled. I'm leaving this issue open, since there's probably going to be some additional signals that we'll want to add to the default behavior before closing this out.
That's awesome, thanks :) I'll be on the lookout.
makes sense, so I'm abandoning this issue for now @zulipbot abandon |
This adds a feature in the "Notification" section of "Settings" tab, which lets user enable or disable login emails notification. Tweaked by tabbott to simplify the test. Fixes: zulip#5795, progress towards zulip#5854.
This issue has been open for a long time. (Chat thread here that brought it to mind again.) I think it's likely that there are one or two fairly doable, concrete steps we can take that would improve the situation quite a lot. We don't need to learn all the clever things that Google or Dropbox etc. might do before we can make things substantially better. Currently, if you log out and then immediately log back in again from the same browser, do we send one of these emails? That would be good to prevent, and would I think get us most of the way there. The most straightforward thing to do would be to leave behind a long-lived cookie even when you log out. If that cookie is still present when you log in, then we'd say no email is necessary. I suspect this is one thing that services with good full-time security teams (like Google or Dropbox or Twitter or GitHub) typically do; one can try to check by logging into and out of one of those and then looking at what cookies your browser has for them. |
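The "seen this browser before" check sketched in the two comments above (a long-lived signed cookie holding a list of per-user entries, consulted at login to decide whether a notification is needed), as an added example that is not Zulip's code. It signs a JSON list with a standard-library HMAC so it runs stand-alone; in the real Django codebase the equivalent would be django.core.signing with SECRET_KEY. The function names (record_login, login_is_known, should_send_login_email), COOKIE_MAX_AGE, the demo secret and the sample IPs are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side secret for the demo only; a Django app would use SECRET_KEY
# and django.core.signing rather than this hand-rolled HMAC.
SECRET_KEY = b"example-secret-for-demo-only"
COOKIE_MAX_AGE = 365 * 24 * 3600  # "long-lived": one year, an assumed policy


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def encode_known_logins(entries: list) -> str:
    """Serialize [{user_id, ip, ts}, ...] into "<base64 json>.<hmac>"."""
    raw = json.dumps(entries, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    return payload + "." + _sign(payload)


def decode_known_logins(cookie_value) -> list:
    """Return the entry list, or [] if the cookie is absent, malformed or tampered with."""
    if not cookie_value or "." not in cookie_value:
        return []
    payload, sig = cookie_value.rsplit(".", 1)
    # Constant-time compare so a forged cookie cannot be probed byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return []
    try:
        entries = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return []
    if not isinstance(entries, list):
        return []
    return [e for e in entries if isinstance(e, dict)]


def login_is_known(cookie_value, user_id, ip=None, now=None) -> bool:
    """V1 signal: this browser's cookie already carries an unexpired entry for user_id.
    Pass ip to additionally require the same address (a stricter, optional signal)."""
    now = time.time() if now is None else now
    for e in decode_known_logins(cookie_value):
        if e.get("user_id") != user_id:
            continue
        if now - e.get("ts", 0) > COOKIE_MAX_AGE:
            continue  # stale entry: treat as a new login
        if ip is not None and e.get("ip") != ip:
            continue
        return True
    return False


def record_login(cookie_value, user_id, ip, now=None) -> str:
    """Return the cookie value to set after a successful login.
    Keeps one fresh entry per user id so a browser used for several accounts is recognised for all of them."""
    now = time.time() if now is None else now
    kept = [
        e for e in decode_known_logins(cookie_value)
        if e.get("user_id") != user_id and now - e.get("ts", 0) <= COOKIE_MAX_AGE
    ]
    kept.append({"user_id": user_id, "ip": ip, "ts": int(now)})
    return encode_known_logins(kept)


def should_send_login_email(cookie_value, user_id, ip, now=None, user_opted_out=False) -> bool:
    """Decision used at login time: opted-out users never get mail;
    everyone else gets mail only when this browser has not been seen for this account."""
    if user_opted_out:
        return False
    return not login_is_known(cookie_value, user_id, now=now)


if __name__ == "__main__":
    # Constructed walk-through: first login mails, second login from the same browser does not.
    cookie = ""
    print("first login, mail?", should_send_login_email(cookie, 7, "203.0.113.5"))
    cookie = record_login(cookie, 7, "203.0.113.5")
    print("repeat login, mail?", should_send_login_email(cookie, 7, "203.0.113.5"))
```

Two points worth noting about this design. An empty or cleared cookie is indistinguishable from a brand-new browser, which is exactly the cookie-clearing situation raised earlier in the thread; for those users the per-user setting is the right tool, and this check is deliberately conservative (any verification failure means "unknown", so mail is sent). And the cookie only attests "this browser has seen this account", so it must be signed (to stop a client from claiming accounts it never logged into) and should be set Secure and HttpOnly; a copied cookie still suppresses the notification for whoever holds it, which is why the email is one signal among several rather than the only defence.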
+1 on this. At least one member asked about it. |
Like any good security citizens, we send notification emails to tell a user that there's been a new login to their account. Currently we send these too readily, though -- even if the user logs in from the same browser on the same machine at the same IP as they've done before, we send them an email about it. This ends up feeling spammy, and a recurring bit of feedback is to dial back on these emails, sometimes phrased as a request for a setting (like #5795). The spamminess also damages the security value of the login notification emails in general.
Empirically from using accounts with places like Google and Dropbox that have teams of full-time security experts, they're pretty successful at sending these messages only when the login really does feel like a new one -- like a device I haven't used that account on before. We should find out what current best practices are here (excluding any bleeding-edge refinements that make things 5% better for a huge amount of work, which those companies might be doing), and do those.
Some things we can speculate those apps might be looking at to identify a "not new" login include:
But really we should find out what experts say.