Reply to: HTTP sessions over multiple IPs?

I think he just wanted confirmation that web servers like Apache are not fussed about the client IP changing.

The answer is, they couldn't care less.
It's down to the web app that is being accessed to use cookies, sessions or whatever else. The actual web server just accepts the http connection and reads any cookies or url parameters passed and forwards the data to the web app.

* puts tech hat on *

Gotta be careful here, if your app is behind a reverse proxy or some kind of load balancer, all of the users may appear to come from one IP address.
Also, remember that many users may be behind their own corporate forward proxy and that will also constrain the number of clients IPs you can identify.
Implanting a session cookie from the app may be the way to go.

* removes tech hat *

I get the impression you're talking about the clients IP changing rather than server? Yes AOL used to do this as they ran a huge proxy farm that didn't stick clients. You'd be right not to assume the client IP is constant as there are a few reasons it may change even with non-persistent sesions.

The cookie values may also change mid-session, there are security reasons to do this. No idea how common it is though, been ages since I did much web coding.

I am not sure that the session will keep with one remote IP, in fact I am pretty sure that it can change over the session ( but not 100% ) and need to know to make the DB relationship one to one or one to many.

Forgive my ignorance but why would you want to do that? Assuming you are using a web application on a server farm with multiple IP addresses, I would give for granted that the servers are clustered and therefore you either have cookies (managed by the web client, ie the browser) or session id's, managed by the server farm.

I don't see the point of checking for IP changes. Correct me if I am wrong, once the browser has engaged in a http session, it should keep state with one IP address only, unless you want to change that behaviour. If the server farm is load-balanced, then the load balancer will do that job for you. IP layer and application layer are not the same.

Is your client Google or Amazon?

Doing a stat/usage/analytics layer thing on a web application. I am basically trying to work out the domain model, it could be

request->session->Ip

or

session<-request->ip

I that makes sense, I want to know if I should keep checking the session for IP changes and if they do change that requires my DB and object model to reflect.

I believe that AOL used to change the IPs constantly but I am not sure.

What do you want to achieve? Load balancing? Round robin?

Better to put it on a VIP...