Can IP change during session?

Backend · Unresolved · 3 · 1500
闹比i 2021-01-02 00:25

Can IP change during session?

What about different engines (PHP, Django, Ruby, etc) ?

PS: I don't quite understand what is 'dynamic ip' and how they are h

3 answers
  •  有刺的猬
    2021-01-02 00:55

    IPs can change at any time - the idea behind HTTP is that each request is independent.

    There are only around 3 billion IPv4 addresses available worldwide. Some ISPs (most of them, actually) therefore assign IPs dynamically for each connecting client - so that when this client disconnects, the IP can be reused for someone else.

    As far as 'sessions' are concerned - it all depends on how the state is held. The most sane approach is to use a cookie - which allows you to connect from arbitrary IP, on an arbitrary medium - at which point, you should not be concerned with IP layers of the HTTP.

    But again, people are known for doing weird stuff, like using IPs for things they were never meant (in the OSI/IETF sense) for - like identification, authentication, etc. This is doubly bad, because one IP can commonly mean many customers - for instance, your entire household likely shares the same public IP - what if you and your partner both visit the same site? How can the server tell the two of you apart?

    @update

    No, you shouldn't track IP changes for 'security' - the only exception is if you can deal with geoIP features, and want to disable/annoy users of various anonymisation services.

    Basically, if your users connect directly (and not via proxy/TOR), it would be very likely that they will connect again from a nearby location. If your users connect once from the US, once from Russia - that can mean either that these are two different people (one of whom might've stolen the credentials), or that the user uses an anonymiser of sorts.

    If the site is a high-value target (banking, finance, central credentials (think Google Account)) - you could geo-lookup the IPs and compare if the distance changed by more than 100km in under an hour more than twice - this is likely fishy, and you can bug the user for extra credentials.

    Otherwise, you could display the last few IPs - but it's likely an icing on the cake with little real value.

    @update2 Security is a tricky subject - whenever you're dealing with it, you need to answer two fundamental questions:

    Security of what: what is so valuable that needs protecting

    • Privacy of users
    • Permissions granted to a user
    • Assets (physical or virtual)

    And security against what: What is the attack scenario you are concerned about

    • Cookie hijacking (Firesheep) (just use SSL and be done with it for the most part - there is no way around the problem that HTTP is unencrypted and often over public radio)
    • Taking over accounts (require additional credentials for really sensitive stuff)
    • Defacing?
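The "more than 100 km in under an hour, more than twice" heuristic from the answer above, written out as a small detector. This is an added example, not code from the original post or from any of the frameworks the question mentions. It assumes a geo-IP source, which is stubbed here with a constructed lookup table of documentation-range addresses; a real deployment would query a GeoIP database and treat unknown addresses the same way (skipped, since no location means no evidence either way).

```python
"""Impossible-travel check for session IP changes (added example).

Rule, taken from the answer: count consecutive session events whose
geolocated positions are more than 100 km apart and less than an hour
apart; if that happens more than twice, ask the user for extra credentials.

Assumption: the GeoIP lookup is a constructed in-memory table. In
production this would be a call into a real geolocation database.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample geolocation table: IP -> (latitude, longitude).
# Documentation-range addresses with illustrative coordinates only.
GEO_TABLE = {
    "203.0.113.10": (52.52, 13.405),   # roughly Berlin
    "203.0.113.11": (52.50, 13.40),    # still Berlin, new dynamic IP
    "198.51.100.7": (55.75, 37.62),    # roughly Moscow
    "192.0.2.99": (40.71, -74.01),     # roughly New York
}


@dataclass(frozen=True)
class SessionEvent:
    ts: int   # unix seconds at which the request arrived
    ip: str   # client address seen for that request


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def count_fast_jumps(events, geo=GEO_TABLE, max_km=100.0, window_s=3600):
    """Count consecutive located events that moved > max_km in < window_s.

    Events whose IP is not in the geo source are skipped rather than
    counted: an unknown location is not evidence of travel.
    """
    jumps = 0
    prev = None
    for ev in sorted(events, key=lambda e: e.ts):
        loc = geo.get(ev.ip)
        if loc is None:
            continue
        if prev is not None:
            dt = ev.ts - prev.ts
            dist = haversine_km(geo[prev.ip], loc)
            if dt < window_s and dist > max_km:
                jumps += 1
        prev = ev
    return jumps


def should_step_up_auth(events, max_jumps=2, **kw):
    """True when the answer's threshold ('more than twice') is exceeded."""
    return count_fast_jumps(events, **kw) > max_jumps


if __name__ == "__main__":
    # Constructed session: same city twice, then three far jumps within minutes.
    suspicious = [
        SessionEvent(0, "203.0.113.10"),
        SessionEvent(600, "203.0.113.11"),
        SessionEvent(1200, "198.51.100.7"),
        SessionEvent(1800, "192.0.2.99"),
        SessionEvent(2400, "203.0.113.10"),
    ]
    print("fast jumps:", count_fast_jumps(suspicious))
    print("step-up auth:", should_step_up_auth(suspicious))
```

A household behind one NAT, or a user whose ISP hands out a new address in the same city, never trips this: the distance stays small. Only the combination of large distance and short time counts, and even then the answer's advice is to ask for extra credentials, not to terminate the session.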
