Can IP change during session?
What about different engines (PHP, Django, Ruby, etc.)?
PS: I don't quite understand what a 'dynamic IP' is and how they are held by internet providers... and how sessions are broken...
Update: Should I track IP changes for security? I'm currently working with PHP, so if the built-in session system lacks security, please provide some code and algorithms.
Every 14 days a DHCP lease renewal takes place that acts kind of like a handshake between the ISP and a household modem. If the connection is still valid the ISP will move on and not disrupt service by provisioning a new IP address.
While a static IP address will remain connected to that device for as long as you maintain the service, a dynamic IP will change when it expires, which is usually every 24 hours, or a multiple of 24 hours.
They will change when the router disconnects and reconnects, re-registers to a network operator or, in some cases, the ISP might update the IP addresses periodically. Speaking in terms of remote access, dynamic IPs complicate the situation because there is no way to tell what IP address a remote has at any given time.
IPs can change at any time - the idea behind HTTP is that each request is independent.
There are only around 3 billion IPv4 addresses available worldwide. Some ISPs (most of them, actually) therefore assign IPs dynamically for each connecting client - so that when this client disconnects, the IP can be reused for someone else.
As far as 'sessions' are concerned - it all depends on how the state is held. The most sane approach is to use a cookie - which allows you to connect from an arbitrary IP, on an arbitrary medium - at which point you should not be concerned with the IP layer underneath HTTP.
But again, people are known for doing weird stuff, like using IPs for things they were never meant for (in the OSI/IETF sense) - like identification, authentication, etc. This is doubly bad, because one IP can commonly mean many customers - for instance, your entire household likely shares the same public IP - what if you and your partner both visit the same site? How can the server tell the two of you apart?
@update
No, you shouldn't track IP changes for 'security' - the only exception is if you can deal with geoIP features, and want to disable/annoy users of various anonymisation services.
Basically, if your users connect directly (and not via proxy/TOR), it would be very likely that they will connect again from a nearby location. If your users connect once from the US, once from Russia - that can mean either that these are two different people (one of whom might've stolen the credentials), or that the user uses an anonymiser of sorts.
If the site is a high-value target (banking, finance, central credentials (think Google Account)) - you could geo-lookup the IPs and compare if the distance changed by more than 100km in under an hour more than twice - this is likely fishy, and you can bug the user for extra credentials.
Otherwise, you could display the last few IPs - but it's likely icing on the cake with little real value.
@update2 Security is a tricky subject - whenever you're dealing with it, you need to answer two fundamental questions:
Security of what: what is so valuable that needs protecting
And security against what: What is the attack scenario you are concerned about
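The distance-over-time check suggested in the answer above, written out as an added example in PHP (this is not code from the answer or from any library): a session keeps a short history of the addresses it has been seen from, each hop of more than 100 km inside an hour counts as one implausible jump, and more than two such jumps asks for step-up authentication rather than killing the session. The function names, the `GEO_TABLE` lookup (constructed sample data using documentation-range addresses, standing in for a real IP geolocation database) and the sample request sequence are all this example's own assumptions.

```php
<?php
declare(strict_types=1);

/** Great-circle distance in km between two lat/lon points (haversine). */
function distance_km(float $lat1, float $lon1, float $lat2, float $lon2): float
{
    $earthRadiusKm = 6371.0;
    $dLat = deg2rad($lat2 - $lat1);
    $dLon = deg2rad($lon2 - $lon1);
    $a = sin($dLat / 2) ** 2
       + cos(deg2rad($lat1)) * cos(deg2rad($lat2)) * sin($dLon / 2) ** 2;
    return 2 * $earthRadiusKm * asin(sqrt($a));
}

// CONSTRUCTED stand-in for a real IP geolocation database: documentation-range
// IPs mapped to [lat, lon]. Replace geo_lookup() with your real lookup.
const GEO_TABLE = [
    '198.51.100.10' => [40.7128, -74.0060], // New York
    '198.51.100.11' => [40.7306, -73.9352], // New York, a few km away
    '203.0.113.5'   => [55.7558,  37.6173], // Moscow
    '192.0.2.77'    => [51.5074,  -0.1278], // London
];

/** Returns [lat, lon] for an IP, or null when the IP cannot be located. */
function geo_lookup(string $ip): ?array
{
    return GEO_TABLE[$ip] ?? null;
}

/**
 * Append this request's IP to the session's travel history and report whether
 * the session has made more than $maxHops implausible jumps (further than
 * $maxKm within $windowSec seconds). A true result means "ask for extra
 * credentials", not "log the user out": VPN and mobile users trip this legitimately.
 *
 * $history is the list stored in the session, e.g. $_SESSION['ip_history'].
 */
function impossible_travel(array &$history, string $ip, int $now,
                           float $maxKm = 100.0, int $windowSec = 3600,
                           int $maxHops = 2, int $keep = 20): bool
{
    $geo = geo_lookup($ip);
    if ($geo === null) {
        return false; // unknown location: the check cannot say anything
    }
    $last = end($history);
    if ($last === false || $last['ip'] !== $ip) {
        // Only record changes of address; repeated hits from one IP are not hops.
        $history[] = ['ip' => $ip, 'time' => $now, 'lat' => $geo[0], 'lon' => $geo[1]];
        $history = array_slice($history, -$keep); // bound what the session stores
    }
    $hops = 0;
    for ($i = 1, $n = count($history); $i < $n; $i++) {
        $prev = $history[$i - 1];
        $cur  = $history[$i];
        $fast = ($cur['time'] - $prev['time']) < $windowSec;
        $far  = distance_km($prev['lat'], $prev['lon'], $cur['lat'], $cur['lon']) > $maxKm;
        if ($fast && $far) {
            $hops++;
        }
    }
    return $hops > $maxHops;
}

// Stand-alone demo with a plain array in place of $_SESSION. In a request
// handler you would call session_start(), initialise $_SESSION['ip_history']
// to [] once, and pass it together with $_SERVER['REMOTE_ADDR'] and time().
$history = [];
$t0 = 1700000000;
$samples = [                       // constructed request sequence
    ['198.51.100.10', $t0],        // New York
    ['198.51.100.11', $t0 + 300],  // still New York: a few km, not a hop
    ['203.0.113.5',   $t0 + 600],  // Moscow ten minutes later: hop 1
    ['192.0.2.77',    $t0 + 900],  // London: hop 2
    ['198.51.100.10', $t0 + 1200], // back to New York: hop 3 -> flagged
];
foreach ($samples as [$ip, $t]) {
    $flag = impossible_travel($history, $ip, $t) ? 'STEP-UP' : 'ok';
    printf("%-14s t+%4ds %s\n", $ip, $t - $t0, $flag);
}
```

The history is keyed on the session, not the account, so two household members behind one NAT never collide, and an address the lookup cannot place is skipped rather than treated as suspicious. Whatever the check returns should only gate a second factor or a re-login prompt; it cannot by itself tell a stolen cookie from a user who switched from mobile data to a VPN.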
Just thought I'd add a comment to this though it is an old thread. An IP for a visitor to your website can change for instance when the visitor decides to switch from mobile data to wifi. Maybe he wants to download something from your site and thinks it would be better to use wifi for it. The session can remain the same during the process.