
How To Handle User Ip Address Change When Calling VerifySession

This page is deprecated.

A directive from the campus IT Security Office has reversed ISIS's stance on terminating user sessions when the browser IP address shifts.

Please see the new Developer's Guide to Handling IP Mismatch (604010) Errors for the latest instructions.

History

  1. In ISIS 4, when a user's IP changed, we terminated the session and returned the 604010 error. Now in ISIS 5, we return the 904099 message as a security precaution and keep the session alive.
  2. This code is in the error block because we had no other logical place to return this information to you without breaking the ISIS 4 WSDL.

Background

The landscape of IP networking has changed dramatically in the past several years. The widespread deployment of dynamic proxies and NAT has made enforcing security rules based on IP alone impractical.

For example, most users coming through the Medical Enterprise, the Registrar's Office, and the Law School will appear to come from the 3 or 4 IP addresses each network has defined as its outward-facing IPs. In these situations, you can't tell whether those connections are in fact coming from the same machine, making IP checking moot.

On the other hand, in many IP change situations, the user really did nothing wrong. There is no strong reason to deny them service simply because their IP changed. We did so back in ISIS 4 because it was a very rare occurrence. However, as wireless networks, VPNs, and dynamic proxies become the norm rather than the exception, it has become impractical for us to arbitrarily deny a user solely based on an IP change.

Handle it

We recommend that applications let users whose IP has changed continue, but keep a log of the fact that the user's IP changed. If you do not let them in, at the very least display a message that: tells the user you are terminating their session because their network address has changed; explains how that might happen; suggests how to work around the changing IP; and provides a way for them to log in again.

In your code, after getting the iws response from VerifySession, if SessionStatus is active, make sure to check "hasError". If it is "true" and the error code is "904099", you need to act here: either let the user continue or not, and log the fact that the user's IP address has changed.
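One way to implement this check, as an added example that is not ISIS code: it parses a constructed response, applies the SessionStatus / hasError / 904099 test described above, and always writes an audit log entry for an IP change. The XML layout, the `errorCode` element name, and the function and logger names are assumptions; only SessionStatus, hasError and the code 904099 come from this page.

```python
import logging
import xml.etree.ElementTree as ET

IP_CHANGED = "904099"  # code this page says ISIS 5 returns when the client IP changed
audit = logging.getLogger("session.audit")  # hypothetical logger name

# Constructed sample response; the real iws schema may differ (assumption).
SAMPLE = """<VerifySessionResponse xmlns="urn:example:iws">
  <SessionStatus>active</SessionStatus>
  <hasError>true</hasError>
  <errorCode>904099</errorCode>
</VerifySessionResponse>"""


def field(root, name):
    """Text of the first element whose local name is `name`, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return ""


def handle_verify_session(xml_body, user, client_ip, allow_ip_change=True):
    """Return 'allow', 'reauthenticate' or 'error' for one VerifySession response."""
    root = ET.fromstring(xml_body)

    # No active session: send the user back to login.
    if field(root, "SessionStatus").lower() != "active":
        return "reauthenticate"

    # Active session with no error block set: nothing else to check.
    if field(root, "hasError").lower() != "true":
        return "allow"

    code = field(root, "errorCode")
    if code != IP_CHANGED:
        audit.error("VerifySession error code=%r user=%r", code, user)
        return "error"

    # The session is still alive but the IP changed. Log it whichever way the
    # policy goes; %r keeps CR/LF in user-supplied values out of the log line.
    decision = "allow" if allow_ip_change else "reauthenticate"
    audit.warning("IP changed user=%r ip=%r decision=%s", user, client_ip, decision)
    return decision
```

If `allow_ip_change` is set to False, the "reauthenticate" result is the point at which to show the user the explanation and re-login link recommended above.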