In our code base we have quite a few security issues (e.g. XSS, the session ID being broadcast). Attackers could get our users' session cookies. While we are actively trying to close the holes we can find, we are wondering whether it is a good idea to check the IP throughout the session, maybe every 5 requests or so. If the IP has changed, we require the user to re-login before continuing with what s/he is doing. The idea is that if an attacker gets a user's session cookie, s/he will be using it from a different IP than the victim user. There are also usability concerns. We need to support users behind DHCP, as well as AOL users (many users coming from the same IP), and maybe users behind Tor too.
Any comments on the general approach of checking the IP throughout the session?
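The check the question proposes, written out as an added Python sketch (this is not code from the poster's code base, and the `SessionStore`, `Session`, `demo` names and the in-memory store are assumptions for illustration). It binds a session to the client IP at login, re-checks every N requests, keeps the session state but demands re-authentication on a mismatch, and rebinds after a successful re-login. It also goes one step beyond the question by allowing the comparison to be widened to a network prefix, which is one way to tolerate a DHCP hop inside a single ISP block. Credential verification is assumed to happen elsewhere; the IP addresses are constructed documentation addresses.

```python
"""Session-to-IP binding with a periodic check, as proposed in the question (illustrative)."""
import secrets
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Session:
    user: str
    bound_ip: str            # client IP recorded at login or re-login
    requests: int = 0        # counter driving the "every N requests" check
    needs_relogin: bool = False


class SessionStore:
    """In-memory session store with IP-binding checks (hypothetical helper, not a real library)."""

    def __init__(self, check_every=5, prefix_v4=32, prefix_v6=128):
        # prefix_v4/prefix_v6 widen the match to a network prefix (e.g. 24 for a /24);
        # the defaults 32/128 mean an exact address comparison.
        self.check_every = check_every
        self.prefix_v4 = prefix_v4
        self.prefix_v6 = prefix_v6
        self._sessions = {}

    def login(self, user, client_ip):
        # Assumes the caller has already verified the user's credentials.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, bound_ip=client_ip)
        return sid

    def _same_origin(self, bound, current):
        a, b = ip_address(bound), ip_address(current)
        if a.version != b.version:
            return False
        plen = self.prefix_v4 if a.version == 4 else self.prefix_v6
        return b in ip_network(f"{a}/{plen}", strict=False)

    def request(self, sid, client_ip):
        """Returns 'ok', 'relogin' (state kept, credentials required) or 'no-session'."""
        sess = self._sessions.get(sid)
        if sess is None:
            return "no-session"
        if sess.needs_relogin:
            return "relogin"
        sess.requests += 1
        if sess.requests % self.check_every == 0 and not self._same_origin(sess.bound_ip, client_ip):
            sess.needs_relogin = True   # lock the session but keep its data so the user can resume
            return "relogin"
        return "ok"

    def relogin(self, sid, user, client_ip):
        """Called after a successful re-authentication (assumed verified): rebind to the new IP."""
        sess = self._sessions.get(sid)
        if sess is None or sess.user != user:
            return False
        sess.bound_ip = client_ip
        sess.needs_relogin = False
        return True


def demo():
    """Constructed scenarios showing what the check catches and what it misses."""
    victim, attacker = "203.0.113.10", "198.51.100.7"
    results = {}

    # Stolen cookie replayed from another IP: caught on the 5th request, and the
    # victim is locked out too until someone re-authenticates.
    store = SessionStore(check_every=5)
    sid = store.login("alice", victim)
    seq = [store.request(sid, victim) for _ in range(4)]
    seq.append(store.request(sid, attacker))
    results["different_ip"] = seq
    results["victim_locked_too"] = store.request(sid, victim)
    store.relogin(sid, "alice", victim)
    results["after_relogin"] = store.request(sid, victim)

    # A replay that lands between checks is served: only every 5th request is inspected.
    store = SessionStore(check_every=5)
    sid = store.login("bob", victim)
    store.request(sid, victim)
    results["attacker_second_request"] = store.request(sid, attacker)

    # Attacker behind the same shared IP (AOL-style proxy): the check never fires.
    store = SessionStore(check_every=1)
    sid = store.login("carol", victim)
    results["shared_ip"] = all(store.request(sid, victim) == "ok" for _ in range(10))

    # Prefix matching: a hop inside 203.0.113.0/24 passes, leaving the block does not.
    store = SessionStore(check_every=1, prefix_v4=24)
    sid = store.login("dave", victim)
    results["prefix_hop"] = store.request(sid, "203.0.113.77")
    results["prefix_leave"] = store.request(sid, "203.0.114.1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the sketch makes visible: because the counter counts every request, a replayed cookie is served until the next multiple of N, so "every 5 requests" leaves a window; and any attacker who shares the victim's address (the AOL case, or the same Tor exit) is never caught. The address compared here is whatever the application sees, which behind a reverse proxy is the proxy's unless the real client IP is taken from a header the proxy is trusted to set.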