Hello,
For the CAS 6.6 MFA trusted device implementation, the doc says Device Fingerprint's default is:
- Randomly generated cookie plus the client IP (default)
But cas.properties has this as the default:
cas.authn.mfa.trusted.device-fingerprint.client-ip.enabled=false
1. What is the default device fingerprint component: cookie only, or cookie and client IP?
2. Why would we need the client IP in addition to the cookie? Isn't the cookie unique to the browser instance that is navigating to CAS?
When we add the client IP, the same browser on the same device is not always recognized as a registered device (as the device may get a different IP, but the device itself is the same one), and that may add customer confusion (why did CAS not remember me?).
In our production, we have this, and it seems to work well for us.
cas.authn.mfa.simple.trustedDeviceEnabled=true
cas.authn.mfa.trusted.device-fingerprint.client-ip.enabled=false
cas.authn.mfa.trusted.device-fingerprint.cookie.enabled=true
cas.authn.mfa.trusted.device-fingerprint.user-agent.enabled=false
I did not want to unknowingly introduce a weakness in the device fingerprint. Did I miss anything?
Yan
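
A simplified model of the trade-off raised in the question above, added here as an example and not taken from CAS or from the original post. It assumes the fingerprint is a hash over the values of the enabled components; the request values, the `@` separator and all function names are constructed for illustration.

```python
import hashlib

# Constructed settings mirroring the three component flags quoted in the post.
COOKIE_ONLY = {"cookie": True, "client-ip": False, "user-agent": False}
COOKIE_AND_IP = {"cookie": True, "client-ip": True, "user-agent": False}

# Constructed requests (documentation IP ranges, made-up cookie values).
REGISTERED = {"cookie": "7f3a9c1e", "client-ip": "198.51.100.10",
              "user-agent": "Mozilla/5.0 (constructed A)"}
SCENARIOS = {
    # Same browser and cookie, but the device received a new address.
    "same_browser_new_ip": {**REGISTERED, "client-ip": "203.0.113.7"},
    # Same cookie value seen with a different address and user agent.
    "cookie_value_elsewhere": {"cookie": "7f3a9c1e", "client-ip": "192.0.2.44",
                               "user-agent": "Mozilla/5.0 (constructed B)"},
    # A browser without the trust cookie, behind the registered address.
    "different_cookie_same_ip": {**REGISTERED, "cookie": "00000000"},
}


def fingerprint(settings, request):
    """Hash the enabled component values in a fixed order (model assumption)."""
    parts = [request[name] for name in ("cookie", "client-ip", "user-agent")
             if settings[name]]
    if not parts:
        raise ValueError("at least one fingerprint component must be enabled")
    return hashlib.sha256("@".join(parts).encode()).hexdigest()


def recognized(settings, current):
    """True when the current request matches the registered fingerprint."""
    return fingerprint(settings, REGISTERED) == fingerprint(settings, current)


def compare(settings):
    """Recognition result for every constructed scenario under one setting."""
    return {name: recognized(settings, req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for label, settings in (("cookie only", COOKIE_ONLY),
                            ("cookie + client IP", COOKIE_AND_IP)):
        print(label, compare(settings))
```

In this model the cookie-only setting keeps recognizing the browser after an address change, and it equally accepts the same cookie value from any other address, which is the one case the client-IP component would reject.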