IP binding with Cookies cant be enough ?

[threatdecoder]

Hello Team,

I may be wrong, but I wanted to understand why IP address binding to cookie cant be enough to solve this problem?

Server maintains a cookie with the IP address of the session with which it is associated.

Whenever Server receives cookie from different IP address, it will raise for re-login.

Yes, network change will trigger this but we can accept it given the elimination of Stealer Malware.

[Sora2455]

Major services like social media, where session theft would be devastating, would find constant re-authentication untenable - especially on mobile, where network changes are frequent and common.

[arnar]

IPs do change frequently, e.g. when moving between mobile and wifi connections, and as Sora2455 points out, frequent reauth can be high enough friction to make that untenable for many applications.

IPs can also be spoofable, or overtaken by attackers, and the mitigation mechanisms for that would be very far removed from either the client or the server.