I'm just looking through our web logs and noticed a user who logs in and appears to be using two different IP addresses as he browses the website.
ie. some of the request for images and scripts come from a different IP to the one that requested the login page.
Under what sort of setup would this occur?
This setup is not common, but it is also less rare than you think. It's possible in some scenarios, I can think of the following:
It's something that you should definitely take into account. When I was working for a very big website I implemented a SSO (Single Sign-on) system that assumed the IP of two subsequent web requests was the same if the user was the same.
Surprisingly to me at the time, dozens of users complained of things being randomly broken, and after some investigation I discovered that all of them had more than one IP. Granted, we received millions of visitors so the percentage is very very tiny, but those people are out there and they can be "legit".
I've just seen the same situation and determined that it's due to our traffic being directed through AWS CloudFront (other CDNs are available), so that's another scenario where you might see this behavior.
Time to rethink my sticky sessions to use something other than IP address. Cookie, anyone?