Site Speed and the Check IP address Setting


I am having serious site speed issues and am trying to find settings in my ACP that will speed things up. I use memcached and in that area I see this setting:

  • Check IP address when validating session? (If your site is likely to be used by many users in an intranet situation (such as an office or university), you may need to disable this setting to prevent users being logged out. However, when disabled, there is a greater risk of session hijacking. In most environments, this setting should be left on.)

When I turned this off I did notice a big difference in site speed--in google's site speed index it I saw a 5-10 point increase, which is huge. What are the real risks here with this setting off? I understand that in theory someone in a hospital who is logged in as a user might somehow get a session from another logged in user, but how likely is that? 

Could, for example, a guest, or another logged in user, somehow get my admin session? That would be more worrisome.

Last, I've heard rumors that the next version of IPB will include a defer onscreen images setting, which would be great. How likely is this to be in the next version?

Firstly, I expect that the site speed change you noticed was entirely coincidental. It is not uncommon to see 5-10 point differences when running your site through tools like the one you are referring to without making any changes at all. I do not believe that adjusting the setting you referenced would ever have any impact on measurable speed. It is literally an extremely simple string comparison (that is, unless of course everyone's IP address is changing on every single page load somehow, resulting in new sessions being recreated on each page load).

Yes, disabling it is not recommended in most cases. It would not be extremely difficult for a hacker to hijack your session if they were explicitly targeting you, in the right circumstances (e.g. you are at a coffee shop, or a hospital, or something like that).

Great, how to I sign up to the beta testing? My site rank has been tanking badly since ~ August when that ranking factor began. 

PS - I don't just run one speed test from one tool to determine if a setting like this slows things down. I generally run a minimum of 10 tests and average them. I am very confident that this setting is slowing things 5-10 points on google's speed test. Why, I cannot say.

Link to comment
