I'm sure I remember reading about this, but I can't find the links anymore: with some Internet providers (including at least one large Internet provider in the USA), you can get a GET and a POST request from different IP addresses.
(Note that this is completely programming related, and I will give an example below.)
I'm not saying that your IP address is dynamically changing between two requests.
I am saying this:
IP 1: 123.45.67.89
IP 2: 101.22.33.44
The same user does GET, then POST, then GET again, then POST again and the servers see this:
- GET from IP 1
- POST from IP 2
- GET from IP 1
- POST from IP 2
Thus, even if it is the same user, the web server sees different IP addresses for GET and POST.
Undoubtedly, HTTP is a stateless protocol; is this completely correct?
I would like to find an explanation on how / why some ISPs have networks configured so that this can happen.
I ask because someone asked me to implement the following IP filter, and I am sure that this is fundamentally broken code (causing chaos for users of at least one large American ISP).
It uses a Java servlet filter, which should protect against some attacks. The reasoning is:
"For any session filter, verify that the IP address in the request is the same as that used to create the session. Therefore, in this case, the session ID cannot be stolen to form fake sessions."
http://www.servletsuite.com/servlets/protectsessionsflt.htm
However, I am sure that this is inherently broken, because there are Internet providers where you can see that GET and POST come from different IP addresses.
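Added example, not part of the original post and not the servletsuite filter's code: a small model of the quoted check (bind a session to the address that created it), replayed over the GET/POST sequence from the question. It goes one step beyond the strict case by also trying a relaxed prefix match; `SessionIpBinding`, `rejected`, and the 198.51.100.x addresses are constructed for illustration, and only the accept/reject decision is modelled.

```python
import ipaddress


class SessionIpBinding:
    """Accept a request only if its address matches the one that created the session."""

    def __init__(self, prefix_len=None):
        # None = exact address match, as the quoted filter describes.
        # An integer relaxes the match to "same network of that prefix length".
        self.prefix_len = prefix_len
        self.bound = {}  # session id -> network the session was created from

    def _network(self, ip):
        if self.prefix_len is None:
            return ipaddress.ip_network(ip)  # single-host network (/32 or /128)
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def allows(self, session_id, ip):
        # The first request seen for a session creates the binding.
        net = self.bound.setdefault(session_id, self._network(ip))
        return ipaddress.ip_address(ip) in net


def rejected(requests, prefix_len=None):
    """Return the (method, ip) pairs the binding check would refuse."""
    binding = SessionIpBinding(prefix_len)
    return [(m, ip) for sid, m, ip in requests if not binding.allows(sid, ip)]


# The sequence from the question: one user, one session, two egress addresses.
PAGE_SEQUENCE = [
    ("s1", "GET", "123.45.67.89"),
    ("s1", "POST", "101.22.33.44"),
    ("s1", "GET", "123.45.67.89"),
    ("s1", "POST", "101.22.33.44"),
]

# Constructed sequence: two egress addresses inside the same /24.
SAME_SUBNET = [
    ("s2", "GET", "198.51.100.10"),
    ("s2", "POST", "198.51.100.200"),
]

if __name__ == "__main__":
    print("strict:", rejected(PAGE_SEQUENCE))       # both POSTs refused
    print("/16   :", rejected(PAGE_SEQUENCE, 16))   # still refused: unrelated ranges
    print("/24   :", rejected(SAME_SUBNET, 24))     # accepted only when ranges overlap
```

With the addresses from the question, every POST from the legitimate user is refused under exact matching, and relaxing to a /16 does not help because the two addresses are in unrelated ranges.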