
Our website currently restricts a cookie-based session to the IP address that was originally sent the Set-Cookie HTTP header. In the past a user's IP would rarely change, so this didn't present much inconvenience. However, some of our clients accessing via 3G devices are experiencing session failures due to this IP restriction.

I know little about the network infrastructure used for mobile networks. Do the majority of providers attempt to route connections to a common public IP in order to maintain compatibility with websites like ours, or should I consider restricting sessions to an IP range instead?

durron597
tjbp
  • Are you saying that you require the client to always access from the same IP address to retain the session? – Mike Pennington Jul 29 '12 at 09:57
  • @Mike Pennington: Yep. –  Jul 29 '12 at 10:25
  • As a minor addendum: Depending on the nature of your service, it may be of value to provide your users with an *optional* feature which restricts their usage to a specific IP or IP range (and then handles violations by either blocking the user, logging a warning, or requiring a secondary form of authentication). I've encountered services which offer this feature. – Brian Apr 20 '15 at 20:20

4 Answers


Do the majority of providers attempt to route connections to a common public IP in order to maintain compatibility with websites like ours, or should I consider restricting sessions to an IP range instead?

Short answer: IP addresses have no relationship to a user's identity. Furthermore, you cannot accurately predict what address, or block of addresses will be assigned to a user.

Longer answer: IP addresses change constantly in mobile environments, and they even change infrequently for wireline customers.

Since you are essentially using an IP address to map to the user's identity, the algorithm is indeed broken as you suspected. It does not matter whether you managed to make this work successfully in the past; that success was a reflection of a limited sample size, and not the result of good design.

Abstracting into provider-specific address ranges is an inadequate workaround for the problem. You will spend substantial time quantifying the address ranges used by providers, and will certainly find frustration after a client steps on a plane and later reauthenticates hundreds of miles from previous attempts (usually resulting in a completely new address block from the mobile provider). Further complicating this issue will be the almost seamless use of IPv4 / IPv6 / tunneling between IPv4 and IPv6 for some providers as they try to manage the limited IPv4 address space. In short, there is no guarantee that the same user will always receive the same IP address, or that the address they have is in a 100% predictable address block.

Mike Pennington
  • The cookie contains a unique hash value - all data related to the session is stored on the server. We are not using an IP address in a cookie. –  Jul 29 '12 at 12:36
  • That's a minor detail that's irrelevant to the point... you cannot depend on IP addresses to map to a user's identity – Mike Pennington Jul 29 '12 at 12:37
  • We don't depend on IP addresses to map to a user's identity. The hash contained in the session cookie is the user's identity. We store additional information about this session in a database where the primary key is this hash - this is where the IP address that first opened the session is stored. –  Jul 29 '12 at 12:44
  • Answer edited. Is there more information you are missing? – Mike Pennington Jul 29 '12 at 12:47
  • Nope, not unless you'd like to add more information. Thanks for the info regarding IP address spaces - it certainly does sound like this algorithm is no longer appropriate. –  Jul 29 '12 at 13:14

I'm not sure whether there is a need to tie the IP address to a specific user, unless you need the verification during an online payment transaction or another critical operation. If you are going to store it permanently, it makes no sense, as the IP is dynamic.

Furthermore, if you are talking about mobile IPs, they change very frequently: the IP keeps changing when you move around. You may try it out at any geo-tracking site, e.g. http://www.ip2location.com; check your IP while you move around.

Chris

I faced a similar problem recently with a system I had designed. For security, upon logging in the user was assigned a hash, which was stored in a cookie. This was then verified against the record in the database on each request, and compared with their IP address to ensure it was the same user.

This worked fine for years, but as the users began to access the system via mobiles (or a laptop using a 3G dongle) they began to encounter problems.

In order to preserve battery life, mobiles will connect, download the web page, then close the connection. When the user clicks on a link, the mobile will then reconnect, download the page and close the connection again. As a result each request will have a different IP address. The same will happen if using a laptop over a 3G dongle, in this case there is often a setting in the properties to stop this behaviour, but very few if any users will have changed this away from the default behaviour.

As such it is no longer feasible to rely on the IP address to verify a user's identity. I have since re-written the application to remove this restriction.

Gavin Coates
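The mechanism the question and the answer above describe (a random token in the cookie, a server-side record keyed by its hash, and the IP of the first request stored alongside it) is easy to sketch so the failure mode is visible. The following is an added example, not code from the question or from any of the answers or comments: it replays a constructed sequence of three requests from a client whose source address changes on the third request, under four session policies. `none` is what the answers recommend for ordinary sessions; `strict` is the original site's behaviour and is what breaks for the 3G users; `range` and `step_up` correspond to the optional user-selected IP restriction suggested in the comments, with a range check and a second-factor challenge instead of a hard rejection. The policy names, the in-memory store, and the IP addresses (taken from the RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
import hashlib
import ipaddress
import secrets

# Constructed example: an in-memory dict stands in for the database table the
# question describes (primary key = token hash, row holds user and first IP).
# Policy names, network lists and the request sequence below are assumptions
# for illustration, not anything from the original page.

POLICIES = ("none", "strict", "range", "step_up")


def _key(token: str) -> str:
    # Store only a hash of the cookie value so a leaked table does not yield live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._rows = {}

    def create(self, user_id, client_ip, policy="none", allowed_networks=()):
        """Open a session for user_id from client_ip and return the cookie value."""
        if policy not in POLICIES:
            raise ValueError(f"unknown policy: {policy}")
        token = secrets.token_urlsafe(32)
        self._rows[_key(token)] = {
            "user_id": user_id,
            "first_ip": ipaddress.ip_address(client_ip),
            "policy": policy,
            "allowed": [ipaddress.ip_network(n, strict=False) for n in allowed_networks],
            "events": [],
        }
        return token

    def validate(self, token, client_ip):
        """Return 'ok', 'step_up' or 'reject' for a request presenting token from client_ip."""
        row = self._rows.get(_key(token))
        if row is None:
            return "reject"
        ip = ipaddress.ip_address(client_ip)
        moved = ip != row["first_ip"]
        if moved:
            # Always record the change; what to do about it is the policy's decision.
            row["events"].append(("ip_changed", str(row["first_ip"]), str(ip)))
        policy = row["policy"]
        if policy == "none":
            return "ok"
        if policy == "strict":
            # The original site's rule: any address change kills the session.
            return "reject" if moved else "ok"
        if policy == "range":
            # User-chosen restriction to one or more networks (an address or a /24, say).
            return "ok" if any(ip in net for net in row["allowed"]) else "reject"
        # step_up: keep the session alive but demand a second factor after a move.
        return "step_up" if moved else "ok"

    def events(self, token):
        row = self._rows.get(_key(token))
        return list(row["events"]) if row else []


# Constructed request sequence: the same address twice, then a new one, as a
# client on a mobile network might present it (RFC 5737 documentation ranges).
MOBILE_REQUEST_IPS = ["198.51.100.7", "198.51.100.7", "203.0.113.42"]


def run_policy(policy, allowed_networks=()):
    """Create one session under `policy` and replay the constructed request sequence."""
    store = SessionStore()
    token = store.create("alice", MOBILE_REQUEST_IPS[0], policy, allowed_networks)
    return [store.validate(token, ip) for ip in MOBILE_REQUEST_IPS]


if __name__ == "__main__":
    for policy in POLICIES:
        nets = ("198.51.100.0/24", "203.0.113.0/24") if policy == "range" else ()
        print(f"{policy:8s} -> {run_policy(policy, nets)}")
```

Running it shows `strict` rejecting the third request while `none` accepts all three; `range` only helps when the user's networks are known in advance, which is exactly what the accepted answer says cannot be predicted for mobile providers, and `step_up` is the variant that keeps the session but asks for re-authentication when the address moves.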

As Mike pointed out above, it is better not to restrict the IP address or map an IP address to a user's identity.

Both wired and wireless internet service providers give their customers dynamic IP addresses or static IP addresses. Not all internet service providers provide static IP addresses to their customers: some providers provide static IP addresses and some do not.