We recently attempted to add ip address validation to our website’s login security. So in addition to having a cookie with valid credentials, we checked that your ip address on page request matched the one you initially signed in with. The idea was that if your cookie is stolen, a different user cannot impersonate you unless they actually are on the same IP address.

For the majority of users there was no issue, but it seems some ISPs (namely AOL and BT) use some sort of proxy farm that actually gives the user a different IP address on every single outgoing connection, which of course made login impossible for those users. The addresses in some cases were completely different between requests also, so even checking the upper octet or similar doesn’t appear feasible.

We had to rip it out. My question is if there is any way of detecting these types of ISP configuration to exclude them from the IP check, or any general advice on how to enhance security without including IP address. It appears to me that online banking sites do the above, but perhaps they just have short time to live on the cookies.