An unauthorized system can monitor packets, steal a cookie, and use that cookie to gain access to another system. To prevent a breach of security by an unauthorized system, you can enable or disable IP checking with persistent and transient cookies.
The IP checking feature requires the agent to compare the IP address stored in a cookie from the last request against the IP address contained in the current request. If the IP addresses do not match, the agent rejects the request.
Frequently this setting is configured incorrectly. The following is the most common misconfiguration:
Release : ANY
The 'Persistent' in 'PersistentIPCheck' should not be interpreted as 'constant'. There is no such thing as a 'Sporadic IP Check' or a 'Random IP Check'. Both TransientIPCheck and PersistentIPCheck apply to all requests. The difference is which kind of cookie is in use: persistent cookies (stored on the client's disk) or transient cookies (stored in memory in the client's browser session).
Option #1: Using Transient Cookies
This is the most common configuration. Transient Cookies are the default setting. Here cookies are stored in memory in the browser session.
Option #2: Using Persistent Cookies
This configuration is fairly uncommon. It allows a session cookie to survive across browser sessions; however, the cookie is stored on disk on the client host.
Both configurations ensure that all subsequent requests originate from the same IP address as the original GET that generated the SMSESSION cookie.
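The following check is an added example, not part of the original article or of the product. It assumes the agent parameters are available as `Name="YES|NO"` lines, that the cookie type is selected by a `PersistentCookies` parameter, and that an absent parameter means disabled. The sample settings are constructed; the first reflects the misreading of 'persistent' as 'constant' described above.

```python
import re

# Matches lines such as: PersistentIPCheck="YES" (quotes optional, '#' starts a comment)
_PARAM = re.compile(r'^\s*([A-Za-z]+)\s*=\s*"?([^"#\s]*)"?')

def parse_params(text):
    """Return {lowercased parameter name: bool} for the yes/no parameters in text."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _PARAM.match(line)
        if m and m.group(2).lower() in ("yes", "no"):
            params[m.group(1).lower()] = m.group(2).lower() == "yes"
    return params

def audit_ip_check(text):
    """Return (cookie_type, ip_check_enforced, findings) for one agent configuration."""
    p = parse_params(text)
    # Assumption: PersistentCookies picks the cookie type; transient when absent or "NO".
    persistent = p.get("persistentcookies", False)
    cookie_type = "persistent" if persistent else "transient"
    relevant, other = ("PersistentIPCheck", "TransientIPCheck")
    if not persistent:
        relevant, other = other, relevant
    enforced = p.get(relevant.lower(), False)
    findings = []
    if not enforced:
        findings.append(f"{cookie_type} cookies in use but {relevant} is not enabled: "
                        "a replayed cookie is not tied to the issuing IP address")
    if p.get(other.lower(), False):
        findings.append(f"{other} is enabled but {cookie_type} cookies are in use: "
                        "it does not apply to this cookie type")
    return cookie_type, enforced, findings

# Constructed sample settings (not taken from the article).
MISREAD = 'PersistentCookies="NO"\nPersistentIPCheck="YES"\nTransientIPCheck="NO"\n'
OPTION_1 = '# transient cookies\nPersistentCookies="NO"\nTransientIPCheck="YES"\n'
OPTION_2 = '# persistent cookies\nPersistentCookies="YES"\nPersistentIPCheck="YES"\n'

if __name__ == "__main__":
    for name, cfg in (("misread", MISREAD), ("option 1", OPTION_1), ("option 2", OPTION_2)):
        cookie_type, enforced, findings = audit_ip_check(cfg)
        print(f"{name}: {cookie_type} cookies, IP check enforced={enforced}")
        for finding in findings:
            print("  -", finding)
```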