Posted by larry on 12/30/06 05:26
Jerry Stuckle wrote:
>
> VERY BAD IDEA!
>
> First of all, there are providers like AOL who have multiple servers.
> Every time a user accesses the page they may come in on a different IP
> address.
>
> And many companies have one server for the entire company (or at least a
> site). Anyone coming into your site would be coming from the same IP
> address. Since the two most likely places to intercept the packets are
> on either end of the link and you know your server's end is secure (or
> at least hope it is), this provides no protection whatsoever. Worse, it
> bugs some users while providing a false sense of security for others.
Interesting, I didn't realize that the IP address could change for some
users in the middle of a session; thanks (I had got the tip from
another page a while back; guess it wasn't that great of a resource).
I guess there isn't a good verification method of "you are still you"
without user intervention then?
> > Another thing would be to put a time limit on the current session
> > access (a session var with expiration time) so if some bad guy got in
> > from a user abandoning a terminal with a live connection it would time
> > out regardless. (or/also maybe have a re-verification for
> > sensitive/delete/admin parts just to make sure) Just depends on how
> > paranoid you want to be.
> >
>
> This is a good idea. But then if someone stupidly leaves a computer
> signed on in a public place, there is a limit to how much you can do
> without hassling all of the other users of your site.
>
It depends on the data or value of lost/damaged data I guess. The best
solution would be to educate the end user, but sometimes it's not as
easy.
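The two measures discussed above, a session expiry timer and a re-verification step before the sensitive/delete/admin parts, as an added Python example that is not code from this thread. The timeout values, the action names and the function names are my own assumptions; as the reply explains, the client IP address is deliberately not part of the check.

```python
import time

# Assumed policy values (constructed for this example, not from the thread).
IDLE_TIMEOUT = 15 * 60        # no request for 15 minutes ends the session
ABSOLUTE_LIFETIME = 8 * 3600  # a session never outlives 8 hours, however active
REAUTH_WINDOW = 5 * 60        # sensitive actions need a fresh login within 5 minutes
SENSITIVE_ACTIONS = {"delete", "admin"}  # the "sensitive/delete/admin parts"

def new_session(user, now=None):
    """Create a server-side session record at login time."""
    now = time.time() if now is None else now
    # No client IP is stored: it can change mid-session behind proxy pools.
    return {"user": user, "created": now, "last_seen": now, "last_auth": now}

def session_valid(sess, now=None):
    """Enforce idle and absolute expiry; refresh last_seen only if still live."""
    now = time.time() if now is None else now
    if now - sess["created"] > ABSOLUTE_LIFETIME:
        return False
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        return False
    sess["last_seen"] = now
    return True

def reauthenticate(sess, password_ok, now=None):
    """Record a fresh credential check (password_ok comes from your login code)."""
    now = time.time() if now is None else now
    if password_ok:
        sess["last_auth"] = now
    return password_ok

def handle_request(sess, action, now=None):
    """Return 'ok', 'expired' or 'reauth_required' for an action on this session."""
    now = time.time() if now is None else now
    if not session_valid(sess, now):
        sess.clear()                  # an abandoned live terminal times out here
        return "expired"
    if action in SENSITIVE_ACTIONS and now - sess["last_auth"] > REAUTH_WINDOW:
        return "reauth_required"      # step-up check before delete/admin actions
    return "ok"
```

Passing an explicit `now` makes the policy testable without waiting; in production leave it as the default wall clock.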