Implement highly persistent cookie ban system for enhanced security #3
Description
Feature Request:
Enhance the existing ban system to include support for banning highly persistent cookies. When the admin uses the "Also ban visitor_id cookie" checkbox, the system should ban all highly persistent cookies associated with the user, not just the standard visitor_id cookie. This will increase the effectiveness of the ban and reduce the likelihood of circumvention.
Requirements:
- Identify and track all persistent cookies that might be used for bypassing bans (e.g., via browser storage, multiple cookie names, localStorage, etc.).
- When an admin selects "Also ban visitor_id cookie," ensure that all related persistent cookies are banned and cannot be easily regenerated by the user.
- Update all relevant backend logic (ban creation, ban enforcement, ban checks) to account for these persistent cookies.
- Update the admin panel to reflect the new logic and display all persistent cookies associated with a user/IP.
- Document the changes and provide usage notes for admins.
Rationale:
Currently, users may circumvent bans by regenerating or manipulating cookies. Making the ban system more robust against persistent cookie tricks will improve the security and reliability of the system.
Acceptance Criteria:
- Banning a visitor_id cookie also bans all highly persistent cookies for that user.
- Attempts to bypass the ban via cookie tricks are reliably blocked.
- Admin panel and code are updated to support and reflect the new logic.
- Documentation updated.
Related files to review/modify: admin.php, admin_fixed.php, ip_ban.php, any cookie management logic.
Labels: enhancement, cookie, security.
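Added example, not code from this project: a sketch of the server-side side of what the requirements ask for (ban creation that records every persistent identifier a request carries, and enforcement that matches on any of them and re-propagates the ban when a banned client shows up with a fresh visitor_id). The store is an in-memory stand-in for whatever ip_ban.php persists to, and the cookie names other than visitor_id, the IP addresses and the cookie values are all constructed for the demo. It deliberately keeps the check server-side: every cookie-based identifier can be cleared by the client, so the IP (and any server-side account data) must stay part of the match rather than the cookie alone.

```php
<?php
declare(strict_types=1);

// Assumed list of persistent cookie names to inspect. Only visitor_id is named in
// the issue; the other two are hypothetical placeholders for "multiple cookie names".
const PERSISTENT_COOKIE_NAMES = ['visitor_id', 'vid_backup', 'uid_cache'];

/**
 * Stand-in for the project's ban storage. In the real code base this would be
 * whatever ip_ban.php reads and writes; here it is an in-memory array.
 */
final class BanStore
{
    /** @var array<string, array<string, true>> banned values keyed by kind */
    private array $banned = ['cookie' => [], 'ip' => []];

    /** Ban every identifier at once, so clearing one of them is not enough. */
    public function banAll(array $cookieValues, ?string $ip): void
    {
        foreach ($cookieValues as $value) {
            $this->banned['cookie'][$value] = true;
        }
        if ($ip !== null) {
            $this->banned['ip'][$ip] = true;
        }
    }

    /** True if any cookie value or the IP is on the ban list. */
    public function isBanned(array $cookieValues, ?string $ip): bool
    {
        foreach ($cookieValues as $value) {
            if (isset($this->banned['cookie'][$value])) {
                return true;
            }
        }
        return $ip !== null && isset($this->banned['ip'][$ip]);
    }

    /**
     * Enforcement with propagation: when a request matches on any identifier,
     * the other identifiers it carries (a regenerated visitor_id, a new IP)
     * are added to the ban, so the ban follows the client instead of the cookie.
     */
    public function enforce(array $cookieValues, ?string $ip): bool
    {
        if (!$this->isBanned($cookieValues, $ip)) {
            return false;
        }
        $this->banAll($cookieValues, $ip);
        return true;
    }
}

/**
 * Collect every persistent identifier present in the request's cookies.
 * Values are validated against a strict character set before they are ever
 * used as storage keys, so a tampered cookie cannot smuggle in odd input.
 */
function collectIdentifiers(array $cookies): array
{
    $values = [];
    foreach (PERSISTENT_COOKIE_NAMES as $name) {
        if (isset($cookies[$name]) && is_string($cookies[$name])
            && preg_match('/^[A-Za-z0-9_-]{8,64}$/', $cookies[$name]) === 1) {
            $values[] = $cookies[$name];
        }
    }
    return array_values(array_unique($values));
}

// --- Constructed demo ---------------------------------------------------------
$store = new BanStore();

// Admin bans a visitor with "Also ban visitor_id cookie" checked: record
// every persistent cookie seen on that visitor's request plus the IP.
$seenByAdmin = ['visitor_id' => 'abc12345', 'vid_backup' => 'def67890'];
$store->banAll(collectIdentifiers($seenByAdmin), '203.0.113.7');

// Later request from the same client: visitor_id regenerated, backup cookie
// still present, different IP. It still matches, and the new id is now banned too.
$retry = ['visitor_id' => 'newid9999', 'vid_backup' => 'def67890'];
var_dump($store->enforce(collectIdentifiers($retry), '198.51.100.5'));   // bool(true)
var_dump($store->isBanned(['newid9999'], null));                          // bool(true)

// Unrelated visitor with no banned identifiers passes.
var_dump($store->enforce(collectIdentifiers(['visitor_id' => 'other0001']), '192.0.2.9')); // bool(false)
```

In the admin panel this maps onto the checkbox directly: with it unchecked, `banAll` would receive only the IP; with it checked, it receives the full `collectIdentifiers($_COOKIE)` set. The `enforce` path is what the ban check in ip_ban.php would call on each request, and the propagation step is what makes the acceptance criterion about cookie tricks hold for clients that rotate one identifier at a time. What no server-side code can do is follow a client that clears every cookie and changes IP at once; the requirement to display all persistent cookies per user/IP in the admin panel is useful precisely because it lets an admin see when that has happened.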