Can IP change during session?

Problem description:

Can IP change during session?

What about different engines (PHP, Django, Ruby, etc) ?

PS: I don't quite understand what is 'dynamic ip' and how they are held by internet providers... And how sessions are broken...

Update: Should I track IP change for security? I'm currently working with PHP, so if the built-in session system lacks security, please provide some code and algorithms

IPs can change at any time - the idea behind HTTP is that each request is independent.

There are only around 3 billion IPv4 addresses available worldwide. Some ISPs (most of them, actually) therefore assign IPs dynamically for each connecting client - so that when this client disconnects, the IP can be reused for someone else.

As far as 'sessions' are concerned - it all depends on how the state is held. The most sane approach is to use a cookie - which allows you to connect from an arbitrary IP, on an arbitrary medium - at which point, you should not be concerned with the IP layer beneath HTTP.

But again, people are known for doing weird stuff, like using IPs for things they were never meant (in the OSI/IETF sense) for - like identification, authentication, etc. This is doubly bad, because one IP can commonly mean many customers - for instance, your entire household likely shares the same public IP - what if you and your partner both visit the same site? How can the server tell the two of you apart?

@update

No, you shouldn't track IP changes for 'security' - the only exception is if you can deal with geoIP features, and want to disable/annoy users of various anonymisation services.

Basically, if your users connect directly (and not via proxy/TOR), it would be very likely that they will connect again from a nearby location. If your users connect once from the US, once from Russia - that can mean either that these are two different people (one of whom might've stolen the credentials), or that the user uses an anonymiser of sorts.

If the site is a high-value target (banking, finance, central credentials (think Google Account)) - you could geo-lookup the IPs and compare if the distance changed by more than 100 km in under an hour more than twice - this is likely fishy, and you can bug the user for extra credentials.

Otherwise, you could display the last few IPs - but it's likely icing on the cake with little real value.

@update2 Security is a tricky subject - whenever you're dealing with it, you need to answer two fundamental questions:

Security of what: what is so valuable that it needs protecting

  • User privacy
  • Privileges granted to the user
  • Assets (physical or virtual)

And security against what: what is the attack scenario you are concerned about

  • Cookie hijacking (Firesheep) (just use SSL and you are largely done with it - there is no way around HTTP being unencrypted and often broadcast over public media)
  • Account takeover (for really sensitive things, require additional credentials)
  • Defacement?
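As an added example (not code from the question or the answer above), here is the "impossible travel" check the answer sketches, written in Python rather than the asker's PHP because the logic is language-independent and ports directly: geolocate each login IP, count consecutive logins that are more than 100 km apart but less than an hour apart, and ask for extra credentials once that happens more than twice. The GeoIP table, the documentation-range IPs and the two login histories are constructed stand-ins (a real deployment would query a GeoIP database); the thresholds are the answer's own.

```python
"""Impossible-travel check over a user's recent logins (added example, not the answer's code)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0

# Constructed stand-in for a real GeoIP database. IPs come from documentation
# ranges and coordinates are city centres; none of this is a real lookup.
GEOIP_DB = {
    "203.0.113.5": (37.7749, -122.4194),   # San Francisco
    "203.0.113.77": (37.8044, -122.2712),  # Oakland, roughly 13 km from SF
    "198.51.100.9": (55.7558, 37.6173),    # Moscow
    "192.0.2.33": (52.5200, 13.4050),      # Berlin
}


def geolocate(ip: str) -> Optional[Tuple[float, float]]:
    """(lat, lon) for an IP, or None when it cannot be placed (private ranges, unknown addresses)."""
    return GEOIP_DB.get(ip)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class Login:
    ts: int   # Unix time of the request, in seconds
    ip: str   # client address as seen by the server


def suspicious_jumps(logins: List[Login], max_km: float = 100.0, window_s: int = 3600):
    """Consecutive geolocatable logins more than max_km apart in space and less than window_s apart in time.

    Logins whose IP cannot be geolocated are skipped rather than treated as a jump,
    so a private or unknown address does not by itself trigger a step-up.
    """
    located = []
    for login in sorted(logins, key=lambda l: l.ts):
        loc = geolocate(login.ip)
        if loc is not None:
            located.append((login, loc))
    jumps = []
    for (prev, (lat1, lon1)), (cur, (lat2, lon2)) in zip(located, located[1:]):
        dt = cur.ts - prev.ts
        dist = haversine_km(lat1, lon1, lat2, lon2)
        if dist > max_km and dt < window_s:
            jumps.append((prev.ip, cur.ip, round(dist)))
    return jumps


def needs_step_up(logins: List[Login], max_jumps: int = 2) -> bool:
    """True when the answer's threshold is exceeded: more than max_jumps big jumps in under an hour each."""
    return len(suspicious_jumps(logins)) > max_jumps


# Constructed history: an account bouncing between San Francisco and Moscow within
# minutes, which no directly connected user can do. The last entry is a private
# address that cannot be geolocated and is skipped.
BOUNCING = [
    Login(0, "203.0.113.5"),
    Login(600, "203.0.113.77"),
    Login(1200, "198.51.100.9"),
    Login(1800, "203.0.113.5"),
    Login(2400, "198.51.100.9"),
    Login(3000, "10.0.0.8"),
]

# Constructed history: same city twice, then Berlin a day later. Far, but not
# fast, so the answer's rule does not flag it.
TRAVELLING = [
    Login(0, "203.0.113.5"),
    Login(600, "203.0.113.77"),
    Login(86400, "192.0.2.33"),
]

if __name__ == "__main__":
    for name, history in (("bouncing", BOUNCING), ("travelling", TRAVELLING)):
        print(name, suspicious_jumps(history), "step-up:", needs_step_up(history))
```

The check deliberately looks at consecutive pairs only, so a one-off relocation (a flight) costs one jump at most, while an anonymiser or a second party sharing stolen credentials produces a back-and-forth pattern that crosses the threshold. When it fires, the sensible response is the one the answer gives: keep the session, but demand an additional credential before anything sensitive.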