In services_session_load, the Services module checks to make sure the request is coming from the same host as the user logged in on, like this:

  // Check that it really loaded the user and, for additional security, that the user was
  // logged in from the same IP. If not, then revert automatically.
  if ($user->sid != $sessid || $user->hostname != $backup->hostname) {
    services_session_unload($backup);
    return NULL;
  }

Drupal in general does not enforce a same-host security policy, and it does not seem like the Services module should impose its own policies on that, certainly not without documenting it clearly and making it optional.

Especially for mobile clients, IP addresses change all the time, and it's very difficult to manage authentication when your authentication fails every time your IP address changes. In large corporate and ISP environments (like AOL), user requests are sent through a farm of proxies, and so the IP address of the request can change between two requests sent from the same computer at almost the same time.

Plus, I noticed that changing the IP address causes authentication to fail the first time, but it works the second time. I suspect somewhere Drupal is updating the host field even as it denies the request, but I haven't looked too closely.

In my installation, I have simply removed the host check, and everything is working fine.

Thanks!
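As an added illustration of the trade-off the report describes (not code from the Services module or from the reporter), the standalone PHP below models the quoted check as a session validator whose same-host requirement is an explicit, documented option, then replays constructed request sequences for a fixed-address desktop client, a mobile client whose address changes, and a client behind a proxy farm. The function names, the request array shape (`sid`, `remote_ip`) and the sample addresses are assumptions for this example.

```php
<?php
// Added example, not the Services module's code. It models the session check quoted
// above as a standalone function with the same-host policy made explicit and optional,
// then replays constructed request sequences to show which clients the policy rejects.

/**
 * Validate a loaded session against the request that presents it.
 *
 * $session  - the session record loaded for the presented session id
 *             (assumed shape: ['sid' => ..., 'hostname' => ...])
 * $request  - the incoming request (assumed shape: ['sid' => ..., 'remote_ip' => ...])
 * $options  - ['require_same_host' => bool], the policy the issue asks to be documented
 *             and optional. When TRUE the session is only valid from the IP it was
 *             created on; when FALSE only the session id is checked.
 */
function example_session_is_valid(array $session, array $request, array $options = []) {
  $require_same_host = !empty($options['require_same_host']);

  // The session id must match regardless of policy.
  if ($session['sid'] !== $request['sid']) {
    return FALSE;
  }
  // The same-host rule is the check the issue objects to; here it is opt-in.
  if ($require_same_host && $session['hostname'] !== $request['remote_ip']) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Replay a sequence of requests for one session and count how many are accepted.
 */
function example_replay(array $session, array $requests, array $options) {
  $accepted = 0;
  foreach ($requests as $request) {
    if (example_session_is_valid($session, $request, $options)) {
      $accepted++;
    }
  }
  return $accepted;
}

// Constructed sample data: one session created from 203.0.113.10 (documentation range).
$session = ['sid' => 'sess-abc123', 'hostname' => '203.0.113.10'];

$scenarios = [
  // Fixed-address desktop client: every request comes from the login address.
  'desktop' => [
    ['sid' => 'sess-abc123', 'remote_ip' => '203.0.113.10'],
    ['sid' => 'sess-abc123', 'remote_ip' => '203.0.113.10'],
  ],
  // Mobile client whose address changes between requests.
  'mobile' => [
    ['sid' => 'sess-abc123', 'remote_ip' => '203.0.113.10'],
    ['sid' => 'sess-abc123', 'remote_ip' => '198.51.100.7'],
    ['sid' => 'sess-abc123', 'remote_ip' => '198.51.100.9'],
  ],
  // Client behind a proxy farm: consecutive requests leave via different proxies.
  'proxy_farm' => [
    ['sid' => 'sess-abc123', 'remote_ip' => '192.0.2.1'],
    ['sid' => 'sess-abc123', 'remote_ip' => '192.0.2.2'],
    ['sid' => 'sess-abc123', 'remote_ip' => '203.0.113.10'],
  ],
  // Wrong session id: must be rejected under either policy.
  'wrong_sid' => [
    ['sid' => 'sess-other', 'remote_ip' => '203.0.113.10'],
  ],
];

foreach ([TRUE, FALSE] as $pin) {
  printf("require_same_host=%s\n", $pin ? 'TRUE' : 'FALSE');
  foreach ($scenarios as $name => $requests) {
    $ok = example_replay($session, $requests, ['require_same_host' => $pin]);
    printf("  %-10s %d/%d requests accepted\n", $name, $ok, count($requests));
  }
}
```

Run with `php example.php`. With `require_same_host` set to TRUE the desktop client is accepted on every request while the mobile and proxy-farm clients are accepted only on the requests that happen to arrive from the login address; with it set to FALSE all three are accepted on every request and only the wrong session id is refused. That is the usability cost the report describes, and making the policy an explicit option is what lets a site operator decide whether the extra hijacking resistance is worth it for their client population.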

Attached file: #1 services_no_hostcheck.patch (642 bytes, scottgifford)

Comments

scottgifford

Status: Active » Needs review
File size: 642 bytes

Here's the patch for the change I'm using.

marcingy

Version: 5.x-0.92 » 6.x-1.x-dev
Status: Needs review » Fixed

Applied against Drupal 6.

scottgifford

Thanks! I hope you'll consider applying it to the 5.x branch, too. We're still using 5.x, and it seems to be in pretty wide use.

marcingy

Status: Fixed » Closed (fixed)

marcingy

Backported to D5.

scottgifford

Thank you for the backport!

dergachev

We got bitten by this too. Thanks for the fix!