If enable-user-remote-address-check is set to true, then Business Process Portal stores the user's remote address in that user's session. As long as the user session is valid, it expects that all the further requests from that user should come from the same remote address. It checks against each request to see if the request is coming from the same remote address, if not it treats the request as invalid and redirects the user to the url configured for redirect-url-on-attack.