When testing a CAPTCHA, is it recommended to test that the IP address used to request the CAPTCHA is the same as that used to answer the CAPTCHA?

Is it a concern for people that have dynamic IP addresses that potentially could change pageview-to-pageview?


I guess it's possible for the IP to change if someone has their browser open and their modem establishes a new lease and for some reason a new IP is issued. In a typical DHCP process, clients will try to renegotiate the same IP. Let's say a new IP is issued because they lost connectivity momentarily with the ISP and got a new IP...

Somewhere between client and server, something is going to get dropped and force the client to establish a new session with your web server due to having a new source IP in that connection. Your perimeter firewalls I would hope...

For the most part, I would assume that the new session would happen on the client side with the device handling the outbound NAT.

You could easily test this within a LAN. Take a workstation, open the page, start the captcha, assign it a new IP, then see what happens when the client submits. If the captcha info is stored within the website session, wouldn't the web server establish a new session because of the new source IP? Wouldn't your web application not accept the captcha value because it couldn't validate the input against the value you are storing for that user's original session ID?

Edited by JorgeM


As a side note: Tor changes the IP every 10 minutes or so by default. But the users can force the change at each request. In this particular case there could be a problem with the matching IPs.
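
An added example (not code from any poster in this thread) of the server-side check under discussion: the challenge is keyed by a session ID carried in a cookie, and the IP comparison is an optional switch, so the effect of a source address that changes between requesting and answering the CAPTCHA can be observed directly. The class name, the TTL and the addresses are assumptions made for the illustration.

```python
import hmac
import secrets
import time

CAPTCHA_TTL = 300  # seconds a challenge stays valid (assumed value)
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no look-alike characters


class CaptchaStore:
    """Server-side CAPTCHA state keyed by session ID (hypothetical helper)."""

    def __init__(self, bind_ip, now=time.monotonic):
        self.bind_ip = bind_ip  # True: answer must arrive from the issuing IP
        self.now = now          # injectable clock, so expiry can be exercised
        self.pending = {}       # session_id -> (answer, issuing_ip, expiry)

    def issue(self, session_id, client_ip):
        """Create a challenge; only the rendered image would reach the client."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.pending[session_id] = (answer, client_ip, self.now() + CAPTCHA_TTL)
        return answer

    def verify(self, session_id, client_ip, submitted):
        """Return 'ok' or the rejection reason. A challenge is single-use."""
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return "no-challenge"
        answer, issuing_ip, expiry = entry
        if self.now() > expiry:
            return "expired"
        if self.bind_ip and client_ip != issuing_ip:
            return "ip-changed"
        if not hmac.compare_digest(answer.encode(), submitted.upper().encode()):
            return "wrong-answer"
        return "ok"


def demo():
    """Same session cookie, but the source IP changes before the answer."""
    results = {}
    for bind_ip in (True, False):
        store = CaptchaStore(bind_ip)
        answer = store.issue("sess-1", "203.0.113.10")  # constructed addresses
        first = store.verify("sess-1", "198.51.100.7", answer)   # IP changed
        replay = store.verify("sess-1", "198.51.100.7", answer)  # reuse attempt
        results[bind_ip] = (first, replay)
    return results


if __name__ == "__main__":
    print(demo())
```

With IP binding on, the correct answer from the same session is rejected once the address changes (the DHCP and Tor cases raised above); with it off, the session ID alone ties the answer to the challenge, and single use plus expiry limit replay.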
