I have noticed something that has been irking me for a while. After I got native IPv6 addresses delivered from my ISP (woo!), the Remember me functionality of the admin page hasn’t been working reliably. This is the case both for the login itself and the 2FA prompt.
What I suspect is happening is that the IP address is a part of the remembered session, and when the IP address changes, the session expires. Now this is fine for IPv4 where changes aren’t very common, but for IPv6, where the default configuration is to generate temporary addresses for outbound requests now and then, it causes a problem. I think in this case it would be better to match the session against the whole /64 block. I don’t think this should have any major impact as it should usually be the same boundary that would share an external NAT IP for IPv4.
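The /64 matching suggested above could look like the following sketch. It is an added example, not part of the original post and not the admin page's own code; the function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Assumption: bind IPv6 sessions to the /64 proposed in the post,
# and keep IPv4 sessions bound to the exact address.
IPV6_SESSION_PREFIX = 64


def session_network(addr, v6_prefix=IPV6_SESSION_PREFIX):
    """Return the network a remembered session is bound to for a client address."""
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address):
        mapped = ip.ipv4_mapped  # ::ffff:a.b.c.d seen on dual-stack listeners
        if mapped is None:
            # Mask off the interface identifier, so rotating temporary
            # addresses inside one /64 compare equal.
            return ipaddress.IPv6Network((int(ip), v6_prefix), strict=False)
        ip = mapped
    return ipaddress.IPv4Network((int(ip), 32))


def same_session_origin(stored, current):
    """True when the current client address falls in the session's bound network.

    This widens only the address check. Every host in the same /64 passes
    it, so the session token itself still has to be validated separately.
    """
    try:
        return session_network(stored) == session_network(current)
    except ValueError:
        # Unparseable address: fail closed and require a fresh login.
        return False


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    stored = "2001:db8:1234:5678:a1b2:c3d4:e5f6:1"
    for current in (
        "2001:db8:1234:5678:dead:beef:0:42",  # new temporary address, same /64
        "2001:db8:1234:5679::1",              # neighbouring /64
        "192.0.2.10",                         # different address family
    ):
        print(current, same_session_origin(stored, current))
```
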