Posted by Sanders Kaufman on 11/01/07 19:27
"Michael Fesser" <netizen@gmx.de> wrote in message
news:o98ki3dchotv9gpk4j6g627nn47or7249k@4ax.com...
> .oO(Sanders Kaufman)
>>You *have* to rely on IPs in the identification process
>
> A single user can have a dozen IPs and a dozen users can have the same
> IP. What do you want to identify there?
The current user, of course. Or in a word... "currency".
While it's true a user can come from any number of IPs, they can only come
from one per session.
If that changes from the time that they login to the time they do something
secure, you gotta revalidate.
If you don't, then you open a window for session hijackers.
That's not so bad for safe data - like custom UI content and such.
Nobody gets hurt if the session is hijacked.
This is why banks still have tellers.
Most stuff is totally safe to do at an ATM.
Some stuff requires a more *personal* transaction.
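The scheme described in the post above (bind the session to the IP seen at login, skip the check for harmless content, and force the user to re-prove identity before a sensitive action if the IP has changed) as an added, self-contained example. This is not code from the thread or from any poster; the user table, the SessionStore class and its method names, the sample IPs and the password hashing choice are all invented for illustration.

```python
"""Session bound to the login IP, with forced re-validation before sensitive
actions when the client IP changes.  Added illustration, not code from the
original thread; every name, address and password below is made up."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed user table: username -> (salt, PBKDF2-SHA256 hash of password)
_USERS: dict[str, tuple[bytes, bytes]] = {}


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    _USERS[user] = (salt, _hash_pw(password, salt))


def check_password(user: str, password: str) -> bool:
    entry = _USERS.get(user)
    if entry is None:
        _hash_pw(password, b"\0" * 16)  # same cost whether or not the user exists
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_pw(password, salt), expected)


class ReauthRequired(Exception):
    """Session is live, but the IP moved since identity was last proven."""


@dataclass
class Session:
    user: str
    bound_ip: str   # address the user was at when they last proved identity
    created: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, password: str, client_ip: str) -> str:
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[token] = Session(user, client_ip, time.time())
        return token

    def _get(self, token: str) -> Session:
        sess = self._sessions.get(token)
        if sess is None:
            raise PermissionError("no such session")
        return sess

    def safe_action(self, token: str, client_ip: str) -> str:
        """Low-value data (custom UI content): no IP check at all."""
        return f"theme preferences for {self._get(token).user}"

    def sensitive_action(self, token: str, client_ip: str) -> str:
        """High-value action: refuse if the IP differs from the bound one."""
        sess = self._get(token)
        if sess.bound_ip != client_ip:
            raise ReauthRequired(f"bound to {sess.bound_ip}, request from {client_ip}")
        return f"transfer authorised for {sess.user}"

    def revalidate(self, token: str, password: str, client_ip: str) -> None:
        """Re-prove identity from the new address and re-bind the session."""
        sess = self._get(token)
        if not check_password(sess.user, password):
            raise PermissionError("bad credentials")
        sess.bound_ip = client_ip


def walkthrough() -> dict[str, bool]:
    """Owner logs in; a hijacker replays the stolen token from another IP."""
    add_user("alice", "correct horse")
    store = SessionStore()
    token = store.login("alice", "correct horse", "203.0.113.7")
    out = {}
    out["owner_can_transfer"] = store.sensitive_action(token, "203.0.113.7").startswith("transfer")
    # hijacker holds the token (stolen cookie) but sits at a different address
    out["hijacker_sees_ui"] = "alice" in store.safe_action(token, "198.51.100.9")
    try:
        store.sensitive_action(token, "198.51.100.9")
        out["hijacker_blocked"] = False
    except ReauthRequired:
        out["hijacker_blocked"] = True
    try:
        store.revalidate(token, "guess", "198.51.100.9")
        out["hijacker_cannot_rebind"] = False
    except PermissionError:
        out["hijacker_cannot_rebind"] = True
    # the real user moved to a new address and re-enters the password
    store.revalidate(token, "correct horse", "203.0.113.42")
    out["owner_rebinds"] = store.sensitive_action(token, "203.0.113.42").startswith("transfer")
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The IP mismatch is treated as a trigger for re-validation rather than a hard logout: the stolen token still serves the harmless content, but anything that matters demands the password again from the new address, and only the real user can satisfy that.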