Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Can IP change during session?
What about different engines (PHP, Django, Ruby, etc) ?
PS: I don’t quite understand what is ‘dynamic ip’ and how they are held by internet providers… And how sessions are broken…
Update:
Should I track IP change for security? I’m currently working with PHP, so if the built in session system lacks security, please provide some code and algorithms
IPs can change at any time – the idea behind HTTP is that each request is independent.
There are only around 3 billion IPv4 addresses available worldwide. Some ISPs (most of them, actually) therefore assign IPs dynamically for each connecting client – so that when this client disconnects, the IP can be reused for someone else.
As far as ‘sessions’ are concerned – it all depends on how the state is held. The most sane approach is to use a cookie – which allows you to connect from arbitrary IP, on an arbitrary medium – at which point, you should not be concerned with IP layers of the HTTP.
But again, people are known for doing weird stuff, like using IPs for things they were never meant (in the OSI/IETF sense) for – like identification, authentication, etc.. This is doubly bad, because one IP can commonly mean many customers – for instance, your entire household likely shares the same public IP – what if you and your partner both visit the same site? How can the server tell the two of you apart?
@update
No, you shouldn’t track IP changes for ‘security’ – the only exception is if you can deal with geoIP features, and want to disable/annoy users of various anonymisation services.
Basically, if your users connect directly (and not via proxy/TOR), it would be very likely that they will connect again from a nearby location. If your users connect once from the US, once from Russia – that can mean either that these are two different people (one of whom might’ve stolen the credentials), or that the user uses an anonymiser of sorts.
If the site is a high-value target (banking, finance, central credentials (think Google Account)) – you could geo-lookup the IPs and compare if the distance changed by more than 100km in under an hour more than twice – this is likely fishy, and you can bug the user for extra credentials.
Otherwise, you could display the last few IPs – but it’s likely an icing on the cake with little real value.
@update2
Security is a tricky subject – whenever you’re dealing with it, you need to answer two fundamental question:
Security of what:
what is so valuable that needs protecting
And security against what:
What is the attack scenario you are concerned about