When testing a CAPTCHA, is it recommended to test that the IP address used to request the CAPTCHA is the same as that used to answer the CAPTCHA?

Is it a concern for people that have dynamic IP addresses that potentially could change pageview-to-pageview?

I guess it's possible for the IP to change if someone has their browser open and their modem establishes a new lease and for some reason a new IP is issued. In a typical DHCP process, clients will try to renegotiate the same IP. Let's say a new IP is issued because they lost connectivity momentarily with the ISP and got a new IP...

Somewhere between client and server, something is going to get dropped and force the client to establish a new session with your web server due to having a new source IP in that connection. Your perimeter firewalls, I would hope...

For the most part, I would assume that the new session would happen on the client side with the device handling the outbound NAT.

You could easily test this within a LAN. Take a workstation, open the page, start the captcha, assign it a new IP, then see what happens when the client submits. If the captcha info is stored within the website session, wouldn't the web server establish a new session because of the new source IP? Wouldn't your web application not accept the captcha value because it couldn't validate the input against the value you are storing for that user's original session ID?

As a side note: Tor changes the IP every 10 minutes or so by default. But the users can force the change at each request. In this particular case there could be a problem with the matching IPs.
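As an added example (not code from this thread), here is a minimal Python challenge store showing the difference between binding a CAPTCHA to the server-side challenge token and additionally binding it to the client IP: the same correct answer passes the token-only check and fails the IP-bound check once the address changes, which is what a DHCP re-lease or a Tor circuit change would cause. The store, answers and addresses are constructed for the demo.

```python
import hmac
import secrets
import time

# Constructed in-memory challenge store: token -> (answer, issuing_ip, expiry).
# A real deployment would keep this in its server-side session store.
_challenges = {}
TTL_SECONDS = 300

def issue_challenge(answer, client_ip, now=None):
    """Create a one-time challenge and return the opaque token the client echoes back."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _challenges[token] = (answer, client_ip, now + TTL_SECONDS)
    return token

def verify(token, submitted, client_ip, bind_ip=False, now=None):
    """Validate a submission and return (ok, reason).

    The challenge is always consumed (pop) so a correct answer cannot be replayed.
    bind_ip=True adds the policy the thread asks about: the submitting IP must
    equal the issuing IP.
    """
    now = time.time() if now is None else now
    entry = _challenges.pop(token, None)
    if entry is None:
        return False, "unknown or already used token"
    answer, issued_ip, expires = entry
    if now > expires:
        return False, "expired"
    if bind_ip and not hmac.compare_digest(issued_ip, client_ip):
        return False, "ip changed"
    # Constant-time comparison of the answer text.
    if not hmac.compare_digest(answer.encode(), submitted.encode()):
        return False, "wrong answer"
    return True, "ok"

def demo():
    """Same correct answer, submitted after the client's IP changed mid-session."""
    t1 = issue_challenge("k7x2", "203.0.113.10")  # constructed sample addresses
    t2 = issue_challenge("k7x2", "203.0.113.10")
    token_bound = verify(t1, "k7x2", "198.51.100.7")             # IP differs, token valid
    ip_bound = verify(t2, "k7x2", "198.51.100.7", bind_ip=True)  # same, with IP binding on
    replay = verify(t1, "k7x2", "198.51.100.7")                  # token already consumed
    return token_bound, ip_bound, replay
```

Whether the IP binding is worth the false rejections for dynamic-IP and Tor users is the trade-off the thread is discussing; the token binding plus one-time use is what actually stops a solved challenge from being reused.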

What is Tor?

What is Tor?

It's this:


I have this on my computer too. I haven't used Tor to sign in on Daniweb before.