Re: how to create 'remember login' functionality during login

Posted by Gordon Burditt on 11/02/07 00:50

>The current user, of course. Or in a word... "currency".
>While it's true a user can come from any number of IP's - they can only come
>from one per session.

Incorrect. They can have multiple IPs per page view. If, for
example, you have a main page, 3 frames, and 16 images, those
requests could come from 20 different IPs, just to view one page.
More if any redirects are involved. For reasonably short sessions,
it is possible that the user will never use the same IP twice.

Oh, yes, users in this situation (e.g. AOL users) may not be able
to turn this behavior off even if their lives depended on it. Don't
assume that all AOL users only use AOL to "hide". AOL has customers
besides spammers and scammers. And most of the SPAM and scams that
appear to come from AOL don't actually originate there.

On the other hand, very large organizations may have a single proxy
server so there may be tens of thousands of users all with the
*SAME* IP. These users probably can't turn that off, either, if
they want any Internet web access at all.

>If that changes from the time that they login to the time they do something
>secure, you gotta revalidate.

Translation: THEY CAN *NEVER* GET IN. Or at least not within a
reasonable human lifetime.

>If you don't, then you open a window for session hijackers.
>
>That's not so bad for safe data - like custom UI content and such.
>Nobody gets hurt if the session is hijacked.
>
>This is why banks still have tellers.
>Most stuff is totally safe to do at an ATM.
>Some stuff requires a more *personal* transaction.

And apparently that isn't doable via your web site. Perhaps an
in-person meeting, with 10 bodyguards with machine guns on each
side would work better.
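
The two cases described in the post above, replayed as an added example (not part of the original post): one user behind a rotating proxy pool, and two users behind a single shared proxy, checked against the "revalidate when the IP changes" policy. The session ids, the IP addresses (documentation ranges) and the function names `countForcedRelogins` and `sessionsPerIp` are constructed for illustration.

```php
<?php
// Constructed sample log: [session id, client IP as seen by the server].
// Session "a" is one user whose requests leave through a rotating proxy pool;
// "b" and "c" are two different users behind the same corporate proxy.
$requests = [
    ['a', '198.51.100.11'], // main page
    ['a', '198.51.100.27'], // frame
    ['a', '198.51.100.42'], // frame
    ['a', '198.51.100.11'], // image
    ['a', '198.51.100.63'], // image
    ['b', '203.0.113.5'],
    ['c', '203.0.113.5'],
    ['b', '203.0.113.5'],
];

// Replay the log under the policy "force a new login whenever the IP differs
// from the one bound to the session" (hypothetical helper, not a PHP built-in).
function countForcedRelogins(array $requests): array
{
    $boundIp = [];
    $relogins = [];
    foreach ($requests as [$sid, $ip]) {
        if (!isset($boundIp[$sid])) {
            $boundIp[$sid] = $ip;   // IP recorded at login
            $relogins[$sid] = 0;
        } elseif ($boundIp[$sid] !== $ip) {
            $relogins[$sid]++;      // policy demands a fresh login
            $boundIp[$sid] = $ip;   // rebind once the user has logged in again
        }
    }
    return $relogins;
}

// Count distinct sessions per IP: an IP shared by several sessions tells them apart not at all.
function sessionsPerIp(array $requests): array
{
    $byIp = [];
    foreach ($requests as [$sid, $ip]) {
        $byIp[$ip][$sid] = true;
    }
    return array_map('count', $byIp);
}

print_r(countForcedRelogins($requests));
print_r(sessionsPerIp($requests));
```

Session "a" is forced to log in again on almost every request of a single page view, while the IP check cannot tell sessions "b" and "c" apart.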
