In testing CL mode, I notice that once I've verified my email address I can post as many nodes as I like without being verified again (the module responds to the post with "Your email has been activated previously." and doesn't send out a verification email).

This opens up a vulnerability in that a third party that somehow gains knowledge of my having successfully verified and published a node can now spoof my email address to post whatever it likes.

Wouldn't it make more sense to check against both the email address AND the IP address of the submitter to determine that the previous verification can be safely reused?

Comments

gisle’s picture

Wouldn't it make more sense to check against both the email address AND the IP address of the submitter to determine that the previous verification can be safely reused?

  1. The CL mode is not designed to provide optimal security. It is an anti-spam measure that improves upon the standard method provided by Drupal for allowing the "Anonymous" user to create content. The improvement is that a valid and verified address must be supplied in order to post as "Anonymous". On my sites, at least, this has proved to be more effective than CAPTCHA as an anti-spam measure.
  2. The posts created using CL mode are by default not publicly associated with any user ID. If someone spoofs an email-address to create content, the content will have the byline: "Anonymous".
  3. Anyone can post as "Anonymous" if they are able to supply a valid email address. Why should anyone spoof an email-address to create content as "Anonymous" when they can do exactly the same thing using an email-address (provided they validate it once) they legitimately own?
  4. Craigslist, which is the "inspiration" for the CL mode, has worked like this for many years. AFAIK, it does not suffer any "spoofing"-problems originating from this. (Craigslist have a problem with spoofed phishing emails pretending to come from Craigslist that originate completely outside Craigslist, but this has nothing to do with using a verified email address to permit content creation on Craigslist.)
  5. I use Anonymous Publishing's CL mode on several high traffic web-sites and have never experienced this type of spoofing.
  6. These days, the majority own multiple IP-enabled devices (PCs, pads, smartphones) and interact with the Internet from various locations (home, work, WiFi), which means that their Internet address will change from one visit to the next. These users would need to re-verify their email address every time they switched device or location. IMHO, this would be a major inconvenience for these users.
  7. If you feel the CL mode does not provide adequate safeguards against email-address spoofing, but still want to provide an option for users to create content as "Anonymous", you should instead use the PET mode. This mode requires the user to register and provide a valid password, which should rule out spoofing. This is both safer and less inconvenient than having to re-verify your email address by opening up your email-box and clicking on a verification link every time you wanted to create content after changing IP-address.

To sum up: In practice, this is not a problem, so there is nothing to "fix". On the other hand, trying to "fix" this by adding a check for repeated IP-address would create a major inconvenience for users that own multiple devices, and for users that use the Internet from multiple locations.

Unless you or someone else can come up with a convincing argument why this needs "fixing", this will not be implemented.

However, to let you and others respond, I'll keep this issue active for two weeks before making a final decision on this.

Adam_M’s picture

@gisle,

Thanks for the detailed and thought-out reply.

I agree with what you're saying. The main point being that the most a person can do is to achieve a posting as "Anonymous".

I'm thinking of using Anonymous Publishing for a different use case, which sent me off on a tangent.

gisle’s picture

Status: Active » Closed (works as designed)

Closing, based on #2.

gisle’s picture

Version: 7.x-1.0-rc2 » 7.x-1.x-dev
Component: Miscellaneous » User interface
Assigned: Unassigned » gisle
Category: Support request » Feature request
Status: Closed (works as designed) » Active

Reopening, as the "persistent byline" recently added adds use cases where this may be a problem.

The following setting should be added to the CL submodule:

  • Add flag to request re-verification for a new post if the IP-address does not match the address used before.

  • gisle committed 6b5d1d5 on 7.x-1.x
    Issue #2429403 by gisle: Added option to require re-verification if IP-...

gisle’s picture

Status: Active » Needs review

The setting for verification persistency determines whether users need to re-verify after they've verified (or have been verified) once. This gives the administrator some control over verification persistence.

The possible settings are:

  1. Make verification persistent.
    If this option is set, a verified email address will be trusted, relieving the user from the task of re-verifying on return visits to the site.
  2. Verification persists as long as the same IP is used (this is the setting requested by the OP).
    If this option is set, a verified email address will be trusted if the IP-address used to post matches the previous IP-address used along with the same email address.
  3. Require verification for each posting.
    If you set this option, users will have to re-verify their e-mail address again every time they post. This is the most secure setting, but also a bit more of a burden on the user.

I believe this setting resolves this feature request. Please review.

If you think it is done, move to RTBC. If you still think it needs more work, please point out what is missing or wrong.
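
The three persistence settings described in the comment above, sketched as a decision function. This is an added example, not part of the thread and not the module's own code. The constant and function names, the lower-casing of the e-mail address and the IP normalisation are assumptions made for illustration.

```php
<?php
// Added illustration: all names here are hypothetical, not the module's.
const PERSIST_ALWAYS  = 1; // setting 1: verification is persistent
const PERSIST_SAME_IP = 2; // setting 2: persists while the same IP is used
const PERSIST_NEVER   = 3; // setting 3: verification required for each posting

/** Normalise an IP so equivalent IPv6 spellings compare equal; null if invalid. */
function normalise_ip(string $ip): ?string {
    $packed = @inet_pton($ip);
    return $packed === false ? null : bin2hex($packed);
}

/**
 * Decide whether a post must go through e-mail verification again.
 * $verified maps lower-cased e-mail => normalised IP seen at the last verification.
 */
function needs_verification(array $verified, int $mode, string $email, string $ip): bool {
    $email = strtolower(trim($email));
    if (!array_key_exists($email, $verified)) {
        return true;                  // never verified: always send the mail
    }
    switch ($mode) {
        case PERSIST_ALWAYS:
            return false;             // the address alone is trusted
        case PERSIST_SAME_IP:
            $current = normalise_ip($ip);
            // Fail closed: an unparsable address never matches.
            return $current === null || $verified[$email] !== $current;
        default:
            return true;              // PERSIST_NEVER, or an unknown setting
    }
}

// Constructed sample data (documentation address ranges only).
$verified = ['alice@example.org' => normalise_ip('2001:db8::1')];
$posts = [
    'same address, same IP (other spelling)' => ['alice@example.org', '2001:0db8:0:0:0:0:0:1'],
    'same address, different IP'             => ['Alice@example.org', '203.0.113.7'],
    'unverified address'                     => ['bob@example.org',   '2001:db8::1'],
];
foreach ([PERSIST_ALWAYS, PERSIST_SAME_IP, PERSIST_NEVER] as $mode) {
    foreach ($posts as $label => [$email, $ip]) {
        $result = needs_verification($verified, $mode, $email, $ip);
        printf("setting %d | %-38s | %s\n", $mode, $label, $result ? 're-verify' : 'trusted');
    }
}
```

Under setting 2 the "same address, different IP" row asks for re-verification whether the poster is someone reusing a known address or the owner on another device or network. The check cannot tell the two apart, which is the trade-off discussed earlier in the thread.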

gisle’s picture

Status: Needs review » Fixed

This is in release 7.x-1.1.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.