July 11, 2021

Why don’t websites kick you out when you change VPN location during a session?

Hi cybersecurity folks,

So this is a theoretical question that I’ve always wondered about.

If I:

* Log into Reddit (from my home IP).
* Turn on my VPN and tunnel through … IDK… let’s say the UK.
* Verify that I’m geolocating through the UK
* Refresh Reddit …

Nothing happens. I can continue browsing the site.

I can then repeat the process and change to any other VPN endpoint. No warning is triggered. I’m not automatically logged out and prompted to go through 2FA again.

What I don’t understand:

It would obviously be (physically) impossible to change from where I live to another country to another country in the space of a few seconds. And if the TOS of platforms restrict you to not sharing credentials… wouldn’t there be like no legitimate reason for this activity to take place from the perspective of these platforms?

I.e., I would have thought that from the perspective of your average social network the activity would almost certainly look suspicious / potentially malicious.

What I’m thinking: do websites like Reddit (/Facebook/etc) subscribe to a list of known commercial VPN provider IP ranges? So they can see that I’m moving around between endpoints on the same VPN?

Curious how this all works and how sites are able to distinguish between potentially malicious login attempts and ones that represent innocuous user activity.

Comments

Parkour2341

I don’t really know, but I’m sure websites know people use VPNs.

Websites would not think that you are sharing credentials, because you don’t need to re-login, therefore it should be the same user.
They can also tell it’s the same user because:

* Same browser
* Same cookies
* Same screen resolution
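
As an added example (not part of the original post or comment, and not any site's actual logic): a sketch of how a server could weigh the signals listed in the comment above, treating a country change as harmless while the signed session cookie and browser traits still match. The policy, function names, key and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; real services load this from a secret store

def fingerprint(user_agent, screen):
    """Hash the client traits the comment lists: browser and screen resolution."""
    return hashlib.sha256(f"{user_agent}|{screen}".encode()).hexdigest()

def _mac(session_id):
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def issue_cookie(session_id):
    """Session cookie = id plus HMAC, so a client cannot forge another id."""
    return f"{session_id}.{_mac(session_id)}"

def evaluate_request(sessions, cookie, ip_country, user_agent, screen):
    """Hypothetical policy: return 'login', 'step_up' or 'allow'."""
    session_id, _, mac = cookie.partition(".")
    valid = hmac.compare_digest(mac.encode(), _mac(session_id).encode())
    if not valid or session_id not in sessions:
        return "login"                  # no valid session cookie: full login
    state = sessions[session_id]
    same_device = state["fp"] == fingerprint(user_agent, screen)
    moved = ip_country != state["country"]
    if moved and not same_device:
        return "step_up"                # valid cookie, new client, new country: re-verify
    # Same device (VPN or network switch) or same country (e.g. browser update).
    state["country"] = ip_country
    return "allow"

if __name__ == "__main__":
    # Constructed sample data: one session created from a home IP in "US".
    ua, res = "ExampleBrowser/1.0", "1920x1080"
    sessions = {"s1": {"fp": fingerprint(ua, res), "country": "US"}}
    cookie = issue_cookie("s1")
    print(evaluate_request(sessions, cookie, "GB", ua, res))                    # VPN hop
    print(evaluate_request(sessions, cookie, "DE", "OtherBrowser/2.0", "1366x768"))
    print(evaluate_request(sessions, "s1.forged", "GB", ua, res))
```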
