by mac-chaffee 1251 days ago
Is tying session tokens to IPs actually common? I can't imagine it is given the unreliability of IP addresses causing issues.

I used to live somewhere where outbound traffic went through one of three CGNAT IPs at random, and I only had auth issues with one really old site that predates the NAT hell that is the modern internet.

2 comments

Yeah, good point. I guess it'd be a pain to have to keep reauth'ing if your IP changed for legitimate reasons.

It would be possible to do some kind of check for "this session token was used in the US and Russia twenty minutes apart... something's fishy," but that adds in more complexity.

session vs refresh… you kill the session token and require a refresh. Can sometimes be transparent, but may cause a re-authentication using the second factor with an indicator to the user that their previous session was killed due to use by a different IP.

If you are concerned about stable IPs, use a proper VPN or bastion setup.
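Putting the two replies above together (the "US and Russia twenty minutes apart" check, then killing the session token and forcing a refresh that may demand the second factor), here is an added example; it is not code from the thread or from any of the commenters. The GeoIP table, the 1000 km/h plausibility threshold, the token formats and the `SessionStore` API are all assumptions for illustration; the IPs are constructed from the RFC 5737 documentation ranges.

```python
"""Impossible-travel check that ends a session token and forces a refresh.

Added example, not code from the thread.  GEO, MAX_KMH and the store API are
assumptions; a real deployment would use a GeoIP database and a shared store.
"""
import math
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a GeoIP lookup: IP -> (latitude, longitude).
GEO = {
    "203.0.113.10": (38.90, -77.00),  # Washington, DC (TEST-NET-3 address)
    "192.0.2.55": (38.95, -77.10),    # Arlington, VA (TEST-NET-1 address)
    "198.51.100.7": (55.75, 37.60),   # Moscow (TEST-NET-2 address)
}
MAX_KMH = 1000.0  # assumed plausibility threshold, roughly airliner speed


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class Session:
    user: str
    session_token: str
    refresh_token: str
    last_ip: str
    last_seen: float
    active: bool = True
    step_up_required: bool = False  # set when the session was killed for travel
    notice: Optional[str] = None    # shown to the user on the next refresh


class SessionStore:
    def __init__(self):
        self.by_session = {}
        self.by_refresh = {}

    def create(self, user, session_token, refresh_token, ip, now):
        s = Session(user, session_token, refresh_token, ip, now)
        self.by_session[session_token] = s
        self.by_refresh[refresh_token] = s
        return s

    def authorize(self, session_token, ip, now):
        """Return (ok, reason). Kills the session token on implausible travel."""
        s = self.by_session.get(session_token)
        if s is None or not s.active:
            return False, "no_session"
        # Compare geolocations, not raw IPs, so CGNAT rotation within one
        # metro area does not trip the check.  Unknown IPs are not judged.
        if ip != s.last_ip and ip in GEO and s.last_ip in GEO:
            km = haversine_km(GEO[s.last_ip], GEO[ip])
            hours = max(now - s.last_seen, 1.0) / 3600.0  # avoid divide-by-zero
            if km / hours > MAX_KMH:
                s.active = False            # session token is dead from now on
                s.step_up_required = True   # refresh must carry the 2nd factor
                minutes = int(now - s.last_seen) // 60
                s.notice = (f"session ended: used from {s.last_ip} and {ip} "
                            f"{minutes} minutes apart")
                return False, "impossible_travel"
        s.last_ip, s.last_seen = ip, now
        return True, "ok"

    def refresh(self, refresh_token, ip, now, second_factor_ok=False):
        """Return (new_session_token, reason). Transparent unless step-up is owed."""
        s = self.by_refresh.get(refresh_token)
        if s is None:
            return None, "no_refresh_token"
        if s.step_up_required and not second_factor_ok:
            return None, s.notice or "step_up_required"
        self.by_session.pop(s.session_token, None)
        s.session_token = secrets.token_urlsafe(32)
        s.active, s.step_up_required, s.notice = True, False, None
        s.last_ip, s.last_seen = ip, now
        self.by_session[s.session_token] = s
        return s.session_token, "ok"


def demo():
    """Constructed scenario: DC login, nearby request, then Moscow 20 min later."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    store.create("alice", "sess-1", "refresh-1", "203.0.113.10", t0)
    r = {}
    r["nearby"] = store.authorize("sess-1", "192.0.2.55", t0 + 600)        # ~10 km in 10 min
    r["far"] = store.authorize("sess-1", "198.51.100.7", t0 + 1800)       # ~7800 km in 20 min
    r["dead"] = store.authorize("sess-1", "203.0.113.10", t0 + 1900)      # killed token
    r["refresh_no_2fa"] = store.refresh("refresh-1", "203.0.113.10", t0 + 2000)
    r["refresh_2fa"] = store.refresh("refresh-1", "203.0.113.10", t0 + 2100,
                                     second_factor_ok=True)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The refresh path is what keeps the check from being the reauth nuisance the first comment worries about: a session that was only ended for travel is silently re-issued a new token when no step-up is owed, and only the implausible case surfaces the notice and asks for the second factor. Judging distance rather than IP identity is also what lets the CGNAT case in the original post pass, since the three exit IPs would geolocate to the same area.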