Can IP change during session?

Question

Can IP change during session?

What about different engines (PHP, Django, Ruby, etc) ?

PS: I don\'t quite understand what is \'dynamic ip\' and how they are h

Answer 1

1) Yes, an IP address can change during a session.

3) No, I can't think of any security benefit of "tracking IP changes".

2) A "dynamic IP address" is simply the opposite of a "static IP address:

a) With dynamic IP's ("DHCP"), the network assigns the address to a host (typically, when you boot up).

b) With static IP's, you configure the host with a fixed, unchanging address.

c) Dynamic IPs are the norm. They're easier to administer, they relieve the end user of having to do any network configuration, and they mitigate the risks of conflicting network addresses.

Here is a good link that might make the distinction between "static" and "dynamic" addressing clearer:

http://compnetworking.about.com/od/workingwithipaddresses/qt/staticipaddress.htm

Answer 2

Just thought I'd add a comment to this though it is an old thread. An IP for a visitor to your website can change for instance when the visitor decides to switch from mobile data to wifi. Maybe he wants to download something from your site and thinks it would be better to use wifi for it. The session can remain the same during the process.

Answer 3

IPs can change at any time - the idea behind HTTP is that each request is independent.

There are only around 3 billion IPv4 addresses available worldwide. Some ISPs (most of them, actually) therefore assign IPs dynamically for each connecting client - so that when this client disconnects, the IP can be reused for someone else.

As far as 'sessions' are concerned - it all depends on how the state is held. The most sane approach is to use a cookie - which allows you to connect from arbitrary IP, on an arbitrary medium - at which point, you should not be concerned with IP layers of the HTTP.

But again, people are known for doing weird stuff, like using IPs for things they were never meant (in the OSI/IETF sense) for - like identification, authentication, etc.. This is doubly bad, because one IP can commonly mean many customers - for instance, your entire household likely shares the same public IP - what if you and your partner both visit the same site? How can the server tell the two of you apart?

@update

No, you shouldn't track IP changes for 'security' - the only exception is if you can deal with geoIP features, and want to disable/annoy users of various anonymisation services.

Basically, if your users connect directly (and not via proxy/TOR), it would be very likely that they will connect again from a nearby location. If your users connect once from the US, once from Russia - that can mean either that these are two different people (one of whom might've stolen the credentials), or that the user uses an anonymiser of sorts.

If the site is a high-value target (banking, finance, central credentials (think Google Account)) - you could geo-lookup the IPs and compare if the distance changed by more than 100km in under an hour more than twice - this is likely fishy, and you can bug the user for extra credentials.

Otherwise, you could display the last few IPs - but it's likely an icing on the cake with little real value.

@update2 Security is a tricky subject - whenever you're dealing with it, you need to answer two fundamental question:

Security of what: what is so valuable that needs protecting

• Privacy of users
• Permissions granted to a user
• Assets (physical or virtual)

And security against what: What is the attack scenario you are concerned about

• Cookie hijacking (firesheep) (just use SSL and be done with it for the most part - there is no way around the problem that HTTP is unencrypted and often over public radio)
• Taking over accounts (require additional credentials for really sensitive stuff)
• Defacing?