[ic] IPs that change with every access

Gert van der Spoel gert at 3edge.com
Sat Jun 23 19:02:40 EDT 2007

> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-
> users-bounces at icdevgroup.org] On Behalf Of Carl Bailey
> Sent: zondag 24 juni 2007 1:52
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] IPs that change with every access
> Kevin Walsh <kevin at cursor.biz> wrote:
> > Grant <emailgrant at gmail.com> wrote:
> >> I was looking at [env HTTP_COOKIE] at it looks like my MV_SESSION_ID
> >> cookie is composed of my session ID and my IP address.  I've been
> >> studying my logs a lot lately, and there are a fair amount of
> accesses
> >> made by IP addresses that change with every access, usually just the
> >> end portion of the IP address.  Most of these accesses are clearly
> >> robots, but some of them are clearly not.  Is IC able to keep track
> of
> >> a user's session properly when their IP changes with each access?
> >>
> > Ordinary users should not change their IP address with every request.
> > Spiders might do this, but they should be recognised by the Robot*
> > directives.
> >
> > Users who use a proxy cluster might present themselves from a
> different
> > IP address every now and again.  Similarly, Also, if a user's ISP has
> a
> > weird DHCP setup then it might give the user a new IP address, rather
> > than renew the existing lease, but you shouldn't see that very often
> > in a normal browsing session.
> Yet we see this all the time, primarily from users of AOL, who
> presumably all utilize a proxy cluster.  That makes it a far more
> common occurrence indeed, at least here in the states ;)
> That said, without changing the IC configuration, I have tested this
> situation by modifying the cookie in my browser, so that the IP address
> part no longer matches my actual IP address.  As long as the session ID
> part is constant Interchange does not seem to mind, and the session
> behaves normally, all the way through checkout.

Which does introduce the possibility of session-hijacking. 
Creating larger session ID's can make that more difficult.



More information about the interchange-users mailing list