Posted by Jerry Stuckle on 11/01/07 20:09

Sanders Kaufman wrote:
> "Michael Fesser" <netizen@gmx.de> wrote in message
> news:o98ki3dchotv9gpk4j6g627nn47or7249k@4ax.com...
>> .oO(Sanders Kaufman)
>
>>> You *have* to rely on IP's in the identification process
>> A single user can have a dozen IPs and a dozen users can have the same
>> IP. What do you want to identify there?
>
> The current user, of course. Or in a word... "currency".
> While it's true a user can come from any number of IP's - they can only come
> from one per session.
>

Wrong. Each request may come from a different IP - for instance, if
they have multiple proxies running in parallel. AOL is an example.

> If that changes from the time that they login to the time they do something
> secure, you gotta revalidate.
> If you don't, then you open a window for session hijackers.
>

Revalidate on every request?

> That's not so bad for safe data - like custom UI content and such.
> Nobody gets hurt if the session is hijacked.
>
> This is why banks still have tellers.
> Most stuff is totally safe to do at an ATM.
> Some stuff requires a more *personal* transaction.
>
>
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]