

Why should I allow multiple IP addresses on a website for a single session?










16















I hope my question matches the scope of this site.



I'm developing a CMS. Currently my logged-in users are locked to their IP address for the session. Unfortunately a small portion of my userbase constantly jumps between two or more IP addresses. Most of them probably use load balancers. Technically it is not necessary to lock the users' sessions to one IP address. I did not expect clients to switch between multiple IP addresses for a single page request on my website.



I wonder now, what are the risks in allowing my clients to constantly jump between IP addresses for a page request (for example, CSS files are requested by xxx.xxx.xxx.xxx and JavaScript files are requested by yyy.yyy.yyy.yyy)? Should I generally allow or prohibit that?





























  • 39





    You don't even need load balancers to jump around IPs. Connect on your phone on the subway, you might get a different IP every few minutes as the train travels, and then again when your phone switches to WiFi at a destination.

    – whatsisname
    Jun 28 at 16:08






  • 13





    Also for laptops moving between locations (say, home > work > starbucks). Also: IPv6 random addresses (IPv6 SLAAC privacy extensions).

    – marcelm
    Jun 28 at 18:43












  • Intuitively, I would expect the client jumping around on different source IPs to cause problems if it was anything more than "occasionally".

    – Tom H
    Jun 28 at 23:29






  • 1





    If you are developing a webapp that will be installed in a network that you control or have knowledge of, you may decide to do this for security, since you might be able to say "in this situation multiple IPs are not going to happen since users must access this from their WS and there are no load balancers or other stuff in between that may change their IP"... In that case you might even be able to track the users' IPs, since their WS may always have the same one (or it might change only once every couple of months).

    – Bakuriu
    Jun 29 at 11:16






  • 1





    @TomH No, the vast majority of webapps don't care about your IP address, they will accept the same cookies in an HTTP request over a new TCP connection. Only demented and badly designed crap locks your session to an IP or a connection.

    – Navin
    Jul 1 at 5:47





































security














edited Jun 29 at 10:01









Peter Mortensen

2,166 reputation, 4 gold badges, 22 silver badges, 24 bronze badges










asked Jun 28 at 7:43









yoruyoru

81 reputation, 1 silver badge, 4 bronze badges

















4 Answers


















35















a small portion of my userbase constantly jump between two or more IP addresses.




Causes



Assuming that your users aren't actively trying to hide their real IP addresses by using an anonymising service...:



Most corporate examples I have seen are caused by larger companies and some ISPs using a cluster of proxy servers, each with a different external IP address, with user requests getting load balanced over that cluster.



You may see dual-stack users making requests over both IPv4 and IPv6 and switching between the two protocols (RFC 8305) for subsequent requests.



The other scenario is when I'm at the extreme range of a Wi-Fi access point and my device "randomly" switches between Wi-Fi and cellular data.



Solutions



In the first scenario you might compromise on keeping such IP address "security" in your sessions by only considering the first three octets, as typically such a cluster of proxy servers are all within a small subnet and will have neighboring IP addresses.



In the second and third scenario you will see completely different client IP addresses, from unrelated providers even.



Don't tie your sessions to a specific IP address; that is more likely to break user experience than to provide actual improved security.






edited Jun 29 at 10:04

Peter Mortensen

2,166 reputation, 4 gold badges, 22 silver badges, 24 bronze badges

answered Jun 28 at 8:44

HBruijn

60k reputation, 12 gold badges, 94 silver badges, 161 bronze badges




















  • 27





    Nobody ties sessions to IP addresses anymore, for exactly these reasons.

    – Michael Hampton
    Jun 28 at 9:05






  • 32





    NEVER ever tie sessions to IP addresses, the 80s are over! My ISP supplies a complete /64 network to my phone in which my browser jumps around like crazy.

    – bjoster
    Jun 28 at 9:19






  • 6





    In addition to all, Multipath TCP is getting increasingly common.

    – Can Poyrazoğlu
    Jun 29 at 8:08






  • 2





    If you are making your CMS for technical users, you can put a "limit this session to your ip (xxx.yyy.zzz.iii) only" checkbox on the login page

    – Ferrybig
    Jun 29 at 8:54






  • 5





    @bjoster that's because of the IPv6 privacy extensions; it keeps switching addresses so websites cannot track you by your IP alone (this is not an issue with IPv4, as multiple people are behind the same address).

    – Ferrybig
    Jun 29 at 8:57


















8















I wonder now, what are the risks in allowing my clients to constantly jump between IP addresses for a page request (for example, CSS files are requested by xxx.xxx.xxx.xxx and JavaScript files are requested by yyy.yyy.yyy.yyy)? Should I generally allow or prohibit that?




The primary risk is a malicious user hijacking the session. If you could lock down to one or a small set of IP addresses, you could block users from entirely different IP addresses from hijacking the session.



The problem is that some users do this legitimately. Whether they are using a load balanced proxy or are at the margins of two wireless access points (or whatever), they use multiple IP addresses. So you pretty much have to allow it for those users. And it's hard to tell which users require multiple IP addresses except when they request from multiple IP addresses.



One way to reduce the impact of this is to use HTTPS. Then the malicious actor has to have a way to compromise the secure layer as well as the session cookie. Over an insecure connection, the malicious actor could just use network inspection to compromise a session cookie. But over HTTPS, the same malicious actor needs to have access to one of the ends of the conversation. And if the malicious actor has that, then it's not necessary to use a different IP.



TL;DR: you should generally allow requests from different IP addresses for the same user. There are legitimate reasons this can happen. Use HTTPS instead to protect from that class of exploits.






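The "use HTTPS instead" advice above, as an added example that is not part of the original answer: once the session is no longer bound to an address, the cookie itself is the only thing standing between an attacker and the session, so the cookie must never travel in the clear and should be hard to steal through script. The code builds a session cookie with the attributes that enforce that and audits arbitrary Set-Cookie values for their absence. The cookie name `__Host-session`, the 3600-second lifetime and the sample headers are my assumptions, not anything the CMS in the question uses.

```python
"""Added example (not from the Server Fault thread): issue the session cookie
so the browser only ever sends it over TLS, and audit Set-Cookie headers for
the attributes that matter once sessions are no longer bound to an IP.

Assumptions (mine): cookie name, max-age and the sample headers below are
illustrative.
"""
from __future__ import annotations
import secrets
from http import cookies


def session_cookie_header(token: str | None = None, max_age: int = 3600) -> str:
    """Return a Set-Cookie value for a session cookie that:
    - is only sent over TLS (Secure), so a plaintext sniffer never sees it,
    - is invisible to page script (HttpOnly), limiting theft via XSS,
    - is not attached to cross-site requests (SameSite=Strict),
    - carries the __Host- prefix, which browsers only accept together with
      Secure, Path=/ and no Domain attribute.
    """
    token = token or secrets.token_urlsafe(32)   # 256 bits of entropy
    jar = cookies.SimpleCookie()
    jar["__Host-session"] = token
    morsel = jar["__Host-session"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


REQUIRED = ("Secure", "HttpOnly", "SameSite")


def audit_set_cookie(header_value: str) -> list[str]:
    """Return the hardening problems found in one Set-Cookie value
    (an empty list means the cookie carries every attribute we expect)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    problems = [f"missing {flag}" for flag in REQUIRED if flag.lower() not in attrs]
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure is rejected by browsers")
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        problems.append("__Host- prefix requires Path=/ and no Domain")
    return problems


# Constructed headers: one built above, one typical of an app that leans on
# IP locking instead of transport security.
HARDENED = session_cookie_header("example-token")
WEAK = "PHPSESSID=abc123; Path=/; Domain=example.com"

if __name__ == "__main__":
    print(HARDENED)
    print("hardened:", audit_set_cookie(HARDENED) or "ok")
    print("weak:    ", audit_set_cookie(WEAK))
```

Pair the cookie with a `Strict-Transport-Security` response header so that a returning browser does not make even its first request over plain HTTP; the `Secure` attribute only protects the cookie, not the rest of the session's traffic.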






























4















what are the risks in allowing my clients to constantly jump between IP addresses for a page request




From a security standpoint - zero risks.



Now, from a practical standpoint. It means you cannot use certain types of algorithms for either security or DoS protection.



A simple way to throttle user requests is to track by IP address. Since this doesn't need to interact with your application server you can use services at lower levels to do this. Software like Apache's mod_evasive does this. You can still use these techniques, but users changing IP addresses will reduce their effectiveness. Then again, users will switch IP addresses anyway, so these techniques have never really been effective.



A related, but different, use case is throttling failed login attempts. This is to prevent brute-force password guessing. But again, there is nothing you can do anyway if users change IP addresses. A really serious hacker would not even use his own machines. He'd just buy some time on a botnet (or use his own previously infected botnet) and connect to your service via 10,000 other people's PCs (IP addresses). This is not really related to limiting users' IP addresses because it is pre-login, but it's something to keep in mind.






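The two throttling cases in this answer, per-IP request limiting and failed-login limiting, as one added example that is not part of the original answer: a sliding-window limiter replayed over a constructed burst of wrong passwords in which the attacker rotates source addresses, keyed first by IP (what mod_evasive-style tools key on) and then by the account under attack. The limit of 5 attempts per 60 seconds, the event tuples and the addresses are my assumptions; the addresses are documentation ranges (RFC 5737), not real hosts.

```python
"""Added example (not from the Server Fault thread): a sliding-window throttle
keyed by source IP or by target account, exercised against a constructed burst
of failed logins in which the attacker spreads attempts across many addresses.

Assumptions (mine): failed-login events arrive as (timestamp, ip, account)
tuples; limits and window sizes are illustrative.
"""
from __future__ import annotations
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the last `window_s` seconds."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._events: dict[str, deque[float]] = defaultdict(deque)

    def hit(self, key: str, now: float) -> bool:
        """Record one event for `key`; return True if it is still within budget."""
        q = self._events[key]
        while q and now - q[0] > self.window_s:
            q.popleft()            # forget events that left the window
        q.append(now)
        return len(q) <= self.limit


def count_blocked(events, key_fn, limit: int = 5, window_s: float = 60.0) -> int:
    """Replay events through a limiter keyed by key_fn(ip, account) and
    return how many attempts the limiter would have refused."""
    limiter = SlidingWindowLimiter(limit, window_s)
    return sum(1 for ts, ip, account in events
               if not limiter.hit(key_fn(ip, account), ts))


def by_ip(ip: str, account: str) -> str:
    return ip                       # network-level throttling, e.g. mod_evasive


def by_account(ip: str, account: str) -> str:
    return account                  # budget follows the target, not the source


def by_ip_and_account(ip: str, account: str) -> str:
    return f"{ip}|{account}"


# Constructed attack: 40 wrong passwords for one account within 40 seconds,
# spread over 20 addresses, two attempts each, as a proxy pool or botnet would.
ATTACK = [(float(i), f"203.0.113.{i % 20 + 1}", "alice") for i in range(40)]

# Constructed legitimate user whose phone hops between two addresses while
# mistyping a password three times.
LEGIT = [(0.0, "198.51.100.10", "bob"),
         (5.0, "198.51.100.11", "bob"),
         (9.0, "198.51.100.10", "bob")]

if __name__ == "__main__":
    for name, fn in (("ip", by_ip), ("account", by_account), ("ip+account", by_ip_and_account)):
        print(f"{name:12} blocked {count_blocked(ATTACK, fn):2d}/40 attack attempts, "
              f"{count_blocked(LEGIT, fn)}/3 legitimate attempts")
```

Keyed by IP, the limiter sees two attempts per address and blocks nothing; keyed by account it refuses every attempt after the fifth, regardless of where they come from, while the legitimate user's three attempts stay under the limit under either key. A per-account budget is what survives address rotation; the per-IP budget remains useful only as a cheap first layer against the careless.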
































0














There are several reasons why a user may jump to a new IP address.



1. IPv6 privacy extensions: many IPv6 clients nowadays will jump around within the /64 on the LAN.

2. Load-balanced proxies: the client's request gets routed to one of several proxies, each with a separate IP.

3. NAT pools: the border NAT is configured with multiple IP addresses and assigns IP/port combinations from the pool arbitrarily to client TCP connections.

4. The user moves between different networks or parts of a network, common with phones nowadays.

5. Dual-stack users may hop between IPv4 and IPv6.


I wonder now, what are the risks in allowing my clients to constantly jump between IPs for a page request




The advantage of locking client sessions to IPs is that it makes session-stealing attacks harder. If an attacker has a mechanism that lets them steal the client's cookies but does not let them make connections to your server from the client's IP address, then the IP lock will block them from stealing the session.



The downside is, as you say, that it will cause breakage for some users, who find their session invalidated for no obvious reason.



Most sites nowadays seem to think the breakage outweighs the benefits of such locking.






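The trade-off this answer describes, together with the "first three octets" compromise from the top answer, as one added example that is not part of either answer: three session-binding policies (exact address, same /24 or /64 prefix, no binding) checked against the address-change causes listed above plus a replayed stolen cookie, so you can see which legitimate scenarios each policy breaks and which attack each still stops. The prefix lengths, the scenario list and the addresses are my assumptions; the addresses are documentation ranges (RFC 5737 and RFC 3849), not real hosts.

```python
"""Added example (not from the Server Fault thread): evaluate three session
IP-binding policies against the address-change scenarios the answers list.

Assumptions (mine): a session stores the address seen at login and each later
request is checked against it; /24 and /64 are the prefix lengths chosen for
the "neighbouring addresses" compromise; all addresses are documentation
ranges.
"""
from __future__ import annotations
import ipaddress

IPV4_PREFIX = 24   # "first three octets" from the top answer
IPV6_PREFIX = 64   # SLAAC privacy extensions rotate inside the /64


def _net(addr: str):
    """Network the address belongs to at the policy's prefix length."""
    ip = ipaddress.ip_address(addr)
    plen = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def policy_strict(login_ip: str, request_ip: str) -> bool:
    """Exact-address lock: the behaviour the asker's CMS currently has."""
    return ipaddress.ip_address(login_ip) == ipaddress.ip_address(request_ip)


def policy_prefix(login_ip: str, request_ip: str) -> bool:
    """Prefix lock: same /24 (IPv4) or same /64 (IPv6). Different address
    families never match, so dual-stack clients still get logged out."""
    a, b = ipaddress.ip_address(login_ip), ipaddress.ip_address(request_ip)
    return a.version == b.version and _net(login_ip) == _net(request_ip)


def policy_none(login_ip: str, request_ip: str) -> bool:
    """No address binding: session validity rests on the cookie alone."""
    return True


POLICIES = {"strict": policy_strict, "prefix": policy_prefix, "none": policy_none}

# Constructed (login address, later request address) pairs, one per cause
# from the answers, plus a cookie replayed from an unrelated network.
SCENARIOS = {
    "proxy cluster, neighbouring addresses": ("198.51.100.10", "198.51.100.11"),
    "NAT pool spanning two /24s":            ("198.51.100.10", "203.0.113.7"),
    "IPv6 privacy extensions in one /64":    ("2001:db8:1:2::1", "2001:db8:1:2:5e:4f:aa:bb"),
    "dual stack, IPv4 -> IPv6 (RFC 8305)":   ("198.51.100.10", "2001:db8:1:2::1"),
    "Wi-Fi -> cellular":                     ("198.51.100.10", "203.0.113.200"),
    "stolen cookie replayed from elsewhere": ("198.51.100.10", "192.0.2.99"),
}


def evaluate(policy_name: str) -> dict[str, bool]:
    """Map each scenario to whether the policy keeps the session alive."""
    check = POLICIES[policy_name]
    return {name: check(a, b) for name, (a, b) in SCENARIOS.items()}


if __name__ == "__main__":
    for name in POLICIES:
        print(f"--- {name} ---")
        for scenario, alive in evaluate(name).items():
            print(f"  {'keeps' if alive else 'DROPS'} session: {scenario}")
```

Only the last scenario is an attack, and only an attacker who cannot source traffic from the victim's network is stopped by either lock; an attacker who stole the cookie through script or malware on the victim's machine is already on the right address. The prefix lock rescues the proxy-cluster and privacy-extension cases but still breaks NAT pools, dual-stack switching and Wi-Fi-to-cellular handoffs, which is the trade-off the answers above resolve in favour of not binding at all.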

























Original question: https://serverfault.com/questions/973205/why-should-i-allow-multiple-ip-addresses-on-a-website-for-a-single-session
        4 Answers
        4






        active

        oldest

        votes








        4 Answers
        4






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        35















        a small portion of my userbase constantly jump between two or more IP addresses.




        Causes



        Assuming that your users aren't actively trying to hide their real IP addresses by using an anonymising service...:



        Most corporate examples I have seen are caused by larger companies and some ISP's using a cluster of proxy servers, each with a different external IP-address, with user requests getting load balanced over that cluster.



        You may see Dual Stack users making requests over both IPv4 and IPv6 and switching between the two protocols RFC 8305 for subsequent requests.



        The other scenario is when I'm at the extreme range of a Wi-Fi access point and my device "randomly" switches between Wi-Fi and cellular data.



        Solutions



        In the first scenario you might compromise on keeping such IP address "security" in your sessions by only considering the first three octets, as typically such a cluster of proxy servers are all within a small subnet and will have neighboring IP addresses.



        In the second and third scenario you will see completely different client IP addresses, from unrelated providers even.



        Don't tie you sessions to a specific IP address, that is more likely to break user experience than to provide actual improved security.






        share|improve this answer




















        • 27





          Nobody ties sessions to IP addresses anymore, for exactly these reasons.

          – Michael Hampton
          Jun 28 at 9:05






        • 32





          NEVER ever tie sessions to IP-addresses, the 80s are over! My ISP supplys a complete /64 network to my phone in which my browser jumps around like crazy.

          – bjoster
          Jun 28 at 9:19






        • 6





          In addition to all, Multipath TCP is getting increasingly common.

          – Can Poyrazoğlu
          Jun 29 at 8:08






        • 2





          If you are making your CMS for technical users, you can put a "limit this session to your ip (xxx.yyy.zzz.iii) only" checkbox on the login page

          – Ferrybig
          Jun 29 at 8:54






        • 5





          @bjoster that's because the IPv6 privacy extensions, it keep switching address so websites cannot track you by your ip alone (this is not an issue with IPv4, as multiple people are behind the same address)

          – Ferrybig
          Jun 29 at 8:57















        35















        a small portion of my userbase constantly jump between two or more IP addresses.




        Causes



        Assuming that your users aren't actively trying to hide their real IP addresses by using an anonymising service...:



        Most corporate examples I have seen are caused by larger companies and some ISP's using a cluster of proxy servers, each with a different external IP-address, with user requests getting load balanced over that cluster.



        You may see Dual Stack users making requests over both IPv4 and IPv6 and switching between the two protocols RFC 8305 for subsequent requests.



        The other scenario is when I'm at the extreme range of a Wi-Fi access point and my device "randomly" switches between Wi-Fi and cellular data.



        Solutions



        In the first scenario you might compromise on keeping such IP address "security" in your sessions by only considering the first three octets, as typically such a cluster of proxy servers are all within a small subnet and will have neighboring IP addresses.



        In the second and third scenario you will see completely different client IP addresses, from unrelated providers even.



        Don't tie you sessions to a specific IP address, that is more likely to break user experience than to provide actual improved security.






        share|improve this answer




















        • 27





          Nobody ties sessions to IP addresses anymore, for exactly these reasons.

          – Michael Hampton
          Jun 28 at 9:05






        • 32





          NEVER ever tie sessions to IP-addresses, the 80s are over! My ISP supplys a complete /64 network to my phone in which my browser jumps around like crazy.

          – bjoster
          Jun 28 at 9:19






        • 6





          In addition to all, Multipath TCP is getting increasingly common.

          – Can Poyrazoğlu
          Jun 29 at 8:08






        • 2





          If you are making your CMS for technical users, you can put a "limit this session to your ip (xxx.yyy.zzz.iii) only" checkbox on the login page

          – Ferrybig
          Jun 29 at 8:54






        • 5





          @bjoster that's because the IPv6 privacy extensions, it keep switching address so websites cannot track you by your ip alone (this is not an issue with IPv4, as multiple people are behind the same address)

          – Ferrybig
          Jun 29 at 8:57













        35












        35








        35








        a small portion of my userbase constantly jump between two or more IP addresses.




        Causes



        Assuming that your users aren't actively trying to hide their real IP addresses by using an anonymising service...:



        Most corporate examples I have seen are caused by larger companies and some ISP's using a cluster of proxy servers, each with a different external IP-address, with user requests getting load balanced over that cluster.



        You may see Dual Stack users making requests over both IPv4 and IPv6 and switching between the two protocols RFC 8305 for subsequent requests.



        The other scenario is when I'm at the extreme range of a Wi-Fi access point and my device "randomly" switches between Wi-Fi and cellular data.



        Solutions



        In the first scenario you might compromise on keeping such IP address "security" in your sessions by only considering the first three octets, as typically such a cluster of proxy servers are all within a small subnet and will have neighboring IP addresses.



        In the second and third scenario you will see completely different client IP addresses, from unrelated providers even.



        Don't tie you sessions to a specific IP address, that is more likely to break user experience than to provide actual improved security.






        answered Jun 28 at 8:44 by HBruijn (edited Jun 29 at 10:04 by Peter Mortensen)







        • 27  Nobody ties sessions to IP addresses anymore, for exactly these reasons.
          – Michael Hampton, Jun 28 at 9:05

        • 32  NEVER ever tie sessions to IP addresses, the 80s are over! My ISP supplies a complete /64 network to my phone, in which my browser jumps around like crazy.
          – bjoster, Jun 28 at 9:19

        • 6  In addition to all, Multipath TCP is getting increasingly common.
          – Can Poyrazoğlu, Jun 29 at 8:08

        • 2  If you are making your CMS for technical users, you can put a "limit this session to your IP (xxx.yyy.zzz.iii) only" checkbox on the login page.
          – Ferrybig, Jun 29 at 8:54

        • 5  @bjoster That's because of the IPv6 privacy extensions; it keeps switching addresses so websites cannot track you by your IP alone (this is not an issue with IPv4, as multiple people are behind the same address).
          – Ferrybig, Jun 29 at 8:57












        8















        "I wonder now, what are the risks in allowing my clients to constantly jump between IP addresses for a page request (for example, CSS files are requested by xxx.xxx.xxx.xxx and JavaScript files are requested by yyy.yyy.yyy.yyy)? Should I generally allow or prohibit that?"




        The primary risk is a malicious user hijacking the session. If you could lock down to one or a small set of IP addresses, you could block users from entirely different IP addresses from hijacking the session.



        The problem is that some users do this legitimately. Whether they are using a load balanced proxy or are at the margins of two wireless access points (or whatever), they use multiple IP addresses. So you pretty much have to allow it for those users. And it's hard to tell which users require multiple IP addresses except when they request from multiple IP addresses.



        One way to reduce the impact of this is to use HTTPS. Then the malicious actor has to have a way to compromise the secure layer as well as the session cookie. Over an insecure connection, the malicious actor could just use network inspection to compromise a session cookie. But over HTTPS, the same malicious actor needs to have access to one of the ends of the conversation. And if the malicious actor has that, then it's not necessary to use a different IP.



        TL;DR: you should generally allow requests from different IP addresses for the same user. There are legitimate reasons this can happen. Use HTTPS instead to protect from that class of exploits.






            answered Jun 30 at 12:27 by mdfst13
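mdfst13's point that HTTPS takes network sniffing off the table holds only if the session cookie itself is marked Secure; otherwise the browser will still send it in the clear to any http:// URL on the same host. The audit below is an added example, not code from this thread: it parses a Set-Cookie header and reports the attributes a session cookie needs once the site is served over HTTPS, and builds one that passes. The cookie name, the token values and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the attributes a session cookie needs once
the site is served over HTTPS.  Added example, not code from the thread."""


def parse_set_cookie(header: str):
    """Split a Set-Cookie header value into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    Only the first '=' of the name=value pair is significant, so tokens that
    contain '=' padding survive intact.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str):
    """Return a list of findings; an empty list means the cookie is hardened.

    Checks: Secure (never sent over plaintext HTTP), HttpOnly (not readable
    by page script), SameSite=Lax or Strict (not attached to cross-site
    requests), and the __Host- prefix rules when that prefix is used.
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send this cookie over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: the cookie is readable by script on the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict: the cookie rides along on cross-site requests")
    if name.startswith("__Host-"):
        # Cookie prefixes (RFC 6265bis): __Host- cookies must be Secure,
        # carry Path=/ and have no Domain attribute, or browsers reject them.
        if "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs:
            findings.append("__Host- prefix used but its Secure, Path=/ and no-Domain rules are violated")
    return findings


def hardened_session_cookie(token: str) -> str:
    """Build a Set-Cookie value that passes audit_session_cookie()."""
    return f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers for illustration (not taken from any real site).
WEAK_HEADER = "session=2b3f9c1e; Path=/"
STRONG_HEADER = hardened_session_cookie("2b3f9c1e")

if __name__ == "__main__":
    for h in (WEAK_HEADER, STRONG_HEADER):
        print(h, "->", audit_session_cookie(h) or "OK")
```

Pair the Secure attribute with a Strict-Transport-Security response header so the browser stops issuing plaintext requests to the host at all; the cookie flag alone protects the cookie, not the rest of the page.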





















                4















                "what are the risks in allowing my clients to constantly jump between IP addresses for a page request"




                From a security standpoint - zero risks.



                Now, from a practical standpoint, it means you cannot use certain types of algorithms for either security or DoS protection.



                A simple way to throttle user requests is to track by IP address. Since this doesn't need to interact with your application server, you can use services at lower levels to do this. Software like Apache's mod_evasive does this. You can still use these techniques, but users changing IP addresses will reduce their effectiveness. Then again, users will switch IP addresses anyway, so these techniques have never really been effective.



                A related, but different, use case is throttling failed login attempts. This is to prevent brute-force password guessing. But again, there is nothing you can do anyway if users change IP addresses. A really serious hacker would not even use his own machines. He'd just buy some time on a botnet (or use his own previously infected botnet) and connect to your service via 10,000 other people's PCs (IP addresses). This is not really related to limiting a user's IP address because it is pre-login, but it's something to keep in mind.






                    answered Jun 29 at 5:18 by slebetman (edited Jun 29 at 10:08 by Peter Mortensen)
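slebetman's point above is that per-IP throttling degrades as soon as clients change addresses, and that a distributed attacker never trips it at all. The throttle below is an added example, not code from this thread: it keeps the per-IP counter but adds a per-account counter for failed logins, so an attacker rotating through many source addresses is still slowed, while a user who hops between IPv4 and IPv6 is not locked out by the address change alone. The window length, both limits and every address (TEST-NET and 2001:db8:: documentation ranges) are illustrative assumptions.

```python
"""Failed-login throttling that does not rely on the client keeping one IP
address.  Added example, not code from the thread; limits and window are
illustrative assumptions."""
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed on both the source IP
    and the target account.

    The per-IP counter is the mod_evasive-style approach the answer above
    describes; the per-account counter is what still works when the guesses
    arrive from thousands of different addresses, or when one user roams.
    """

    def __init__(self, window_s=600, ip_limit=20, account_limit=10, now=time.time):
        self.window_s = window_s
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self._now = now                        # injectable clock, used by the tests
        self._by_ip = defaultdict(deque)       # ip -> timestamps of failures
        self._by_account = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, events, t):
        """Drop timestamps that have fallen out of the window."""
        while events and events[0] <= t - self.window_s:
            events.popleft()

    def blocked_reason(self, account, ip):
        """None if the attempt may proceed, else "account" or "ip"."""
        t = self._now()
        acct = self._by_account[account]
        self._prune(acct, t)
        if len(acct) >= self.account_limit:
            return "account"
        src = self._by_ip[ip]
        self._prune(src, t)
        if len(src) >= self.ip_limit:
            return "ip"
        return None

    def record_failure(self, account, ip):
        t = self._now()
        self._by_account[account].append(t)
        self._by_ip[ip].append(t)

    def record_success(self, account):
        # A correct password clears the account counter; per-IP history stays.
        self._by_account.pop(account, None)

    def account_failures(self, account):
        acct = self._by_account[account]
        self._prune(acct, self._now())
        return len(acct)


def simulate_distributed_guessing(n_sources=30):
    """Guessing one account's password from n_sources distinct addresses.

    Returns (reason with both counters, reason with the per-IP counter only)
    for the next attempt from an address never seen before.
    """
    clock = [1_700_000_000.0]                 # fixed start so the run is reproducible
    both = LoginThrottle(now=lambda: clock[0])
    ip_only = LoginThrottle(account_limit=10 ** 9, now=lambda: clock[0])
    for i in range(n_sources):
        ip = f"203.0.113.{i}"                 # TEST-NET-3 addresses, constructed
        for th in (both, ip_only):
            if th.blocked_reason("alice", ip) is None:
                th.record_failure("alice", ip)   # wrong password
        clock[0] += 1.0
    fresh = "198.51.100.9"                    # TEST-NET-2, never used above
    return both.blocked_reason("alice", fresh), ip_only.blocked_reason("alice", fresh)


def simulate_roaming_user():
    """One user failing a few times while hopping between IPv4 and IPv6.

    Returns (failures counted before login, block decision, failures after login).
    """
    clock = [1_700_000_000.0]
    th = LoginThrottle(now=lambda: clock[0])
    for ip in ("203.0.113.10", "2001:db8::10", "203.0.113.11"):   # constructed
        th.record_failure("bob", ip)
        clock[0] += 30.0
    before = th.account_failures("bob")
    decision = th.blocked_reason("bob", "2001:db8::11")
    th.record_success("bob")
    return before, decision, th.account_failures("bob")


if __name__ == "__main__":
    print("distributed guessing:", simulate_distributed_guessing())
    print("roaming user:", simulate_roaming_user())
```

In a real deployment the counters live in a shared store rather than process memory, and the per-account limit should degrade into a delay or CAPTCHA rather than a hard lockout, or the same mechanism becomes a denial-of-service lever against any user whose name the attacker knows.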





















                        0














                        There are several reasons why a user may jump to a new IP address.



                        1. IPv6 privacy extensions: many IPv6 clients nowadays will jump around within the /64 on the LAN.

                        2. Load-balanced proxies: the client's request gets routed to one of several proxies, each with a separate IP.

                        3. NAT pools: the border NAT is configured with multiple IP addresses and assigns IP/port combinations from the pool arbitrarily to client TCP connections.

                        4. The user moves between different networks or parts of a network, common with phones nowadays.

                        5. Dual-stack users may hop between IPv4 and IPv6.


                        "I wonder now, what are the risks in allowing my clients to constantly jump between IPs for a page request"




                        The advantage of locking client sessions to IPs is that it makes session-stealing attacks harder. If an attacker has a mechanism that lets them steal the client's cookies but does not let them make connections to your server from the client's IP address, then the IP lock will block them from stealing the session.



                        The downside is, as you say, that it will cause breakage for some users who find their session invalidated for no obvious reason.



                        Most sites nowadays seem to think the breakage outweighs the benefits of such locking.






                            answered Jul 1 at 17:52 by Peter Green
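HBruijn's answer proposes comparing only the first three octets, the comments under it add that an IPv6 client wanders inside its /64 and that pinning could be an opt-in checkbox, and Peter Green's answer states the one benefit of pinning: a stolen cookie replayed from another network is rejected. The session store below is an added example, not code from any of the answers, that puts those pieces together: same_prefix() compares addresses at /24 for IPv4 and /64 for IPv6, pinning is opt-in per session, and demo_outcomes() replays each scenario from the thread. The prefix lengths and every address (TEST-NET and 2001:db8:: documentation ranges) are constructed assumptions.

```python
"""Session store with optional pinning of a session to the client's network
prefix.  Added example, not code from the thread; prefix lengths and the
sample addresses are illustrative assumptions."""
import ipaddress
import secrets


def same_prefix(ip_a: str, ip_b: str, v4_prefix: int = 24, v6_prefix: int = 64) -> bool:
    """True when both addresses share the same routing prefix.

    /24 for IPv4 is the "first three octets" compromise for a proxy cluster;
    /64 for IPv6 tolerates privacy-extension hopping inside one LAN.  An IPv4
    and an IPv6 address never match, which is exactly how a dual-stack client
    breaks a pinned session.
    """
    a = ipaddress.ip_address(ip_a)
    b = ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    plen = v4_prefix if a.version == 4 else v6_prefix
    shift = a.max_prefixlen - plen
    return (int(a) >> shift) == (int(b) >> shift)


class SessionStore:
    """In-memory sessions; pin_to_ip is the opt-in checkbox from the comments."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, client_ip: str, pin_to_ip: bool = False) -> str:
        token = secrets.token_urlsafe(32)          # unguessable session id
        self._sessions[token] = {"user": user, "ip": client_ip, "pinned": pin_to_ip}
        return token

    def resolve(self, token: str, client_ip: str):
        """Return the user for a presented token, or None.

        A pinned session presented from outside its prefix is destroyed: it
        is either a replayed stolen cookie or a legitimate network hop, and
        the server cannot tell which.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess["pinned"] and not same_prefix(sess["ip"], client_ip):
            del self._sessions[token]
            return None
        return sess["user"]


def demo_outcomes():
    """Replay the thread's scenarios; all addresses are documentation ranges
    constructed for this example."""
    store = SessionStore()
    results = {}

    # Pinned session; an attacker replays the stolen cookie from elsewhere.
    t = store.create("alice", "203.0.113.10", pin_to_ip=True)
    results["stolen_cookie_other_network"] = store.resolve(t, "198.51.100.5")

    # Pinned session; proxy cluster, requests arrive from neighbouring /24 addresses.
    t = store.create("alice", "203.0.113.10", pin_to_ip=True)
    results["proxy_cluster_same_24"] = store.resolve(t, "203.0.113.77")

    # Pinned session; IPv6 privacy extensions change the interface id inside the /64.
    t = store.create("alice", "2001:db8:1:2::10", pin_to_ip=True)
    results["ipv6_privacy_same_64"] = store.resolve(t, "2001:db8:1:2:a1b2:c3d4:e5f6:7788")

    # Pinned session; dual-stack hop from IPv4 to IPv6 locks the real user out.
    t = store.create("alice", "203.0.113.10", pin_to_ip=True)
    results["dual_stack_hop"] = store.resolve(t, "2001:db8:1:2::10")

    # Unpinned session (the thread's recommended default): the same hop works,
    # and so would a stolen cookie, which is why the cookie must never leak.
    t = store.create("alice", "203.0.113.10")
    results["unpinned_hop"] = store.resolve(t, "2001:db8:1:2::10")
    return results


if __name__ == "__main__":
    for scenario, user in demo_outcomes().items():
        print(f"{scenario:30s} -> {'session valid' if user else 'session rejected'}")
```

The dual-stack case shows why the thread's consensus is to leave pinning off by default: the check cannot distinguish a Happy Eyeballs protocol switch from a replayed cookie, so it invalidates both. If pinning is offered at all, the client address must come from the TCP connection or from a proxy header the server itself controls, never from an X-Forwarded-For value the client can set.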



























                                Source: Server Fault question 973205, https://serverfault.com/questions/973205/why-should-i-allow-multiple-ip-addresses-on-a-website-for-a-single-session
