Our website currently restricts a cookie-based session to the IP address that was originally sent the Set-Cookie HTTP header. In the past a user’s IP would rarely change, so this didn’t present much inconvenience. However, some of our clients accessing via 3G devices are experiencing session failures due to this IP restriction.
I know little about the network infrastructure used for mobile networks. Do the majority of providers attempt to route connections to a common public IP in order to maintain compatibility with websites like ours, or should I consider restricting sessions to an IP range instead?
3
Do the majority of providers attempt to route connections to a common public IP in order to maintain compatibility with websites like ours, or should I consider restricting sessions to an IP range instead?
Short answer: IP addresses have no relationship to a user’s identity. Furthermore, you cannot accurately predict what address, or block of addresses, will be assigned to a user.
Longer answer:
IP addresses change constantly in mobile environments, and they even change infrequently for wireline customers.
Since you are essentially using an IP address to map to the user’s identity, the algorithm is indeed broken as you suspected. It does not matter whether you managed to make this work successfully in the past; that success was a reflection of a limited sample size, and not the result of good design.
Abstracting into provider-specific address ranges is an inadequate workaround for the problem. You will spend substantial time quantifying the address ranges used by providers, and certainly find frustration after a client steps on a plane, then later reauthenticates hundreds of miles from previous attempts (usually resulting in a completely new address block from the mobile provider). Further complicating this issue will be the almost seamless use of IPv4 / IPv6 / tunneling between IPv4 and IPv6 for some providers as they try to manage the limited IPv4 address space. In short, there is no guarantee that the same user will always receive the same IP address, or that the address they have is in a 100% predictable address block.
5
I’m not sure whether there is a need to tie the IP address to the specific user, unless you need the verification during an online payment transaction or other critical operation. If you are going to store it permanently, it makes no sense, as the IP is dynamic.
Furthermore, if you are talking about mobile IPs, they change very frequently – the IP keeps changing when you move around. You may try it out at any geo tracking site, e.g. http://www.ip2location.com, and check your IP while you move around.
I faced a similar problem recently with a system I had designed. For security, upon logging in the user was assigned a hash, which was stored in a cookie. This was then verified against the record in the database on each request, and compared with their IP address to ensure it was the same user.
This worked fine for years, but as the users began to access the system via mobiles (or a laptop using a 3G dongle) they began to encounter problems.
In order to preserve battery life, mobiles will connect, download the web page, then close the connection. When the user clicks on a link, the mobile will then reconnect, download the page and close the connection again. As a result each request will have a different IP address. The same will happen if using a laptop over a 3G dongle; in this case there is often a setting in the properties to stop this behaviour, but very few if any users will have changed this away from the default behaviour.
As such it is no longer feasible to rely on the IP address to verify a user’s identity. I have since re-written the application to remove this restriction.
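As an added illustration (not code from the question or from any of the answers), the following hypothetical session store reproduces the IP-pinned check described in the question and in the answer above, and beside it the alternative the answers point to: validate the session by its random cookie token only, and record an IP change as a risk signal that can trigger re-verification for the payment or other critical operations mentioned earlier. The store, the user name and the sample IP addresses are all constructed for the example.

```python
import hashlib
import secrets


class SessionStore:
    """Server-side session records keyed by the SHA-256 of the cookie token.

    Looking records up by the token's hash means a leaked or timing-probed
    lookup key never reveals the token itself (hypothetical design, not the
    original poster's)."""

    def __init__(self, pin_to_ip):
        self.pin_to_ip = pin_to_ip  # True reproduces the behaviour in the question
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(32)  # random, derived from neither user nor IP
        self._sessions[self._key(token)] = {"user": user, "ip": client_ip, "ip_changes": 0}
        return token  # this is what goes into the Set-Cookie header

    def validate(self, token, client_ip):
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None  # unknown or expired token
        if rec["ip"] != client_ip:
            if self.pin_to_ip:
                return None  # session dies on the first IP change
            rec["ip_changes"] += 1  # keep the session, note the change as a risk signal
            rec["ip"] = client_ip
        return rec


def needs_step_up(rec):
    """Ask for re-verification before a critical operation if the IP has moved."""
    return rec["ip_changes"] > 0


def serve_mobile_user(pin_to_ip, ips):
    """Log in from ips[0], then request one page from each IP in turn.
    Returns (requests served, IP changes recorded on the session)."""
    store = SessionStore(pin_to_ip)
    token = store.login("alice", ips[0])
    served, changes = 0, 0
    for ip in ips:
        rec = store.validate(token, ip)
        if rec is None:
            break  # the client is bounced back to the login page
        served += 1
        changes = rec["ip_changes"]
    return served, changes


# Constructed sample: three page requests, each arriving from a fresh
# carrier-assigned address, as a handset that reconnects per page would produce.
MOBILE_IPS = ["198.51.100.10", "198.51.100.75", "203.0.113.4"]
```

With pinning on, only the first request succeeds; with pinning off, all three are served and the session carries a count of two IP changes that a payment step can act on.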
As Mike pointed out above, it is better not to restrict the IP address or map an IP address to a user’s identity.
Both wired and wireless internet service providers give their customers dynamic IP addresses or static IP addresses.
Not all internet service providers provide static IP addresses to their customers.
Some providers provide static IP addresses and some do not.