On 2015-09-26 14:34, David Hubbard wrote:
Websites that require some type of authentication that is handled via
session cookies have been booting our users out randomly with a "your ip
address has changed" type message.  This occurs when their Mac decides
to switch between protocols because the site views it as a session
hijacking attempt when Joe User with session ID xyz switches from
192.0.2.10 to 2001:db8::1:1:a or vice versa.



This sounds like a really poor practice on the part of the website operators. Users on wireless devices may be switching networks throughout the same session (wifi/LTE), or there could be a cluster of proxies, or short DHCP leases, or Tor circuit changes, or privacy extensions, etc. This is almost as bad as using GeoIP databases to authenticate.

-Laszlo
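
The failure described in this thread, as an added example that is not code from either poster or from any site mentioned: a session check pinned to the login address logs out a dual-stack client that alternates between the two addresses quoted above. The `Session` class, both check functions, and the request sequence are hypothetical and constructed for illustration; the second check (record the change, keep the session) is one possible alternative and an assumption, not something proposed in the thread.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    ip: str                                   # last address seen for this session
    audit: list = field(default_factory=list)

def check_pinned(store, sid, source_ip):
    """Reject and destroy the session if the source address differs at all."""
    s = store.get(sid)
    if s is None:
        return False
    if ipaddress.ip_address(source_ip) != ipaddress.ip_address(s.ip):
        del store[sid]                        # "your ip address has changed"
        return False
    return True

def check_unpinned(store, sid, source_ip):
    """Keep the session; record the address change as a monitoring signal."""
    s = store.get(sid)
    if s is None:
        return False
    ip = ipaddress.ip_address(source_ip)
    if ip != ipaddress.ip_address(s.ip):
        s.audit.append((s.ip, str(ip)))       # an event to review, not a verdict
        s.ip = str(ip)
    return True

# Constructed request sequence: the same client switching IPv4 -> IPv6 -> IPv4.
REQUESTS = [("xyz", "192.0.2.10"), ("xyz", "2001:db8::1:1:a"), ("xyz", "192.0.2.10")]

def replay(check, requests=REQUESTS):
    """Run one check over the sequence, starting from a fresh login over IPv4."""
    store = {"xyz": Session("joe", "192.0.2.10")}
    results = [check(store, sid, ip) for sid, ip in requests]
    return results, store

if __name__ == "__main__":
    for check in (check_pinned, check_unpinned):
        results, store = replay(check)
        audit = store["xyz"].audit if "xyz" in store else "session destroyed"
        print(check.__name__, results, audit)
```

With the pinned check the session is gone after the first protocol switch, so the return to IPv4 fails as well; the user has to log in again even though the cookie never left their machine.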

