i.e. if they change device, browser or IP address it is considered a different device. I need it so users can authenticate themselves on new devices as 2FA and build up a series of authenticated PCs. I am aware that the user will need to re-authenticate if their IP address or browser changes.
My concern is that if I don’t use WebSession.RemoteAddress then all the PCs in an office are now authorised for that user login (once one is authorised).
I want users to have to authorise (with a code sent to them) each new PC. If they’re sent a code and they didn’t try to authenticate, they’ll know someone is trying to connect into their account (and will be blocked).
Yes! That random Cookie value is also stored in the User database table. The user can later remove that value from the database (e.g. from a Cyber Cafe), requiring re-authorisation later. Moving from PC to PC, even with the same IP address, requires authentication because the random Cookie value will not match.
I will also keep the WebSession.Platform + WebSession.Browser + WebSession.RemoteAddress as a reminder of which PC each authorisation is referring to.
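The per-device cookie scheme discussed in this thread, sketched in Python as an added example (not code from any poster, and not Xojo): `DeviceRegistry` and its method names are hypothetical, the in-memory dict stands in for the User table, and storing a SHA-256 digest instead of the raw cookie value is an assumption made here so that a leaked table does not yield usable cookies.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """In-memory stand-in for the per-user device rows in the User table."""

    def __init__(self):
        self._rows = {}  # user -> {sha256(cookie value): reminder label}

    @staticmethod
    def _digest(cookie_value):
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def authorise(self, user, platform, browser, remote_address):
        """Run only after the emailed code was confirmed; returns the cookie value."""
        cookie_value = secrets.token_urlsafe(32)  # 256 random bits per device
        # Platform/browser/IP are kept as a reminder only, never as the check.
        label = f"{platform} / {browser} / {remote_address}"
        self._rows.setdefault(user, {})[self._digest(cookie_value)] = label
        return cookie_value

    def is_authorised(self, user, cookie_value):
        """True only if this browser presents a cookie issued to this user."""
        if not cookie_value:
            return False
        seen = self._digest(cookie_value)
        return any(hmac.compare_digest(seen, stored)
                   for stored in self._rows.get(user, {}))

    def devices(self, user):
        """Device id -> label, for a 'my authorised PCs' page."""
        return dict(self._rows.get(user, {}))

    def revoke(self, user, device_id):
        """Delete one device row; that PC must re-authorise next time."""
        return self._rows.get(user, {}).pop(device_id, None) is not None


def demo():
    """Constructed scenario: two office PCs sharing one IP (203.0.113.7)."""
    reg = DeviceRegistry()
    pc1_cookie = reg.authorise("alice", "Windows", "Chrome", "203.0.113.7")
    pc1_ok = reg.is_authorised("alice", pc1_cookie)
    pc2_ok = reg.is_authorised("alice", None)  # same IP and browser, no cookie
    (device_id,) = reg.devices("alice")        # the only stored row
    reg.revoke("alice", device_id)
    return pc1_ok, pc2_ok, reg.is_authorised("alice", pc1_cookie)
```

When issuing the cookie, set the `Secure` and `HttpOnly` attributes so the value is not readable by page scripts or sent over plain HTTP.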