Need further understanding between IP Surrogate and Cookie Surrogate when using Web Security Service (WSS).  

Web Security Service

IP Surrogate:

- Allows the WSS Data Pod to cache the authenticated IP for as long it is set under the "Auth refresh frequency" (if 6 months, then it will cache for 6 months before it challenge again)
- Note: if the connected users changes the IP address when he is moving around the office or if it is a dynamic DHCP instead of static IP, then this will cause inaccurate results to the WSS reporting based on IP address and username details. Imaging if "userA authenticated as IP-A, and then later userB got the IP-A after userA offline, and UserB will be seen accessing to internet via WSS VPN as userA instead"

Cookie Surrogate:

- Allows WSS Data Pod to cache the cookie surrogate and as long as the user is using the same machine and login to access to the internet via WSS VPN, there will be no further authentication challenge following the "Auth refresh frequency" that is set on the portal.
- Note: users will be asked for credentials again if the WSS VPN changes Data pod.