Posted by Sanders Kaufman on 11/02/07 20:15
"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:A6adnVQvS9E3r7fanZ2dnUVZ_o_inZ2d@comcast.com...
> Sanders Kaufman wrote:
>> The current user, of course. Or in a word... "currency".
>> While it's true a user can come from any number of IP's - they can only
>> come from one per session.
>
> Wrong. Each request may come from a different IP - for instance, if they
> have multiple proxies running in parallel. AOL is an example.
Yeah - that's why AOL users have so many problems with so many otherwise
secure sites.
Trying to *authenticate* a user through a proxy network that, as one of its
marketing tools, advertises the fact that it MASQUES the user's identity is
not just difficult - it's insane. It can be done - but man, oh man, what a
complex task!
I had one customer, many many years ago, who came up with an idea of texting
a password to a user's cell phone.
That one worked pretty well through proxies and it was simple - although, it
wasn't very scalable.
>> If that changes from the time that they login to the time they do
>> something secure, you gotta revalidate.
>> If you don't, then you open a window for session hijackers.
>
> Revalidate on every request?
Sometimes, it could work out that way.
But no - just if the cookie that was sent to one IP shows up as coming from
another.
And even then - only if they try to access secure data.
For the UI's Remember Me - I don't check the IP.
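One way to implement the check Sanders describes (re-validate only when the login cookie shows up from a different IP than it was issued to, and only when the request touches secure data; the Remember Me cookie is never IP-checked), written as an added Python example that is not code from the original thread. The `SessionStore` class and its method names are hypothetical, and treating Remember Me as UI-only identification that never unlocks secure data on its own is an assumption of this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    bound_ip: str               # IP the login cookie was issued to
    remember_me: bool = False   # convenience cookie: identifies, does not authorize
    sid: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Hypothetical server-side session store (added example, not from the thread)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip, remember_me=False):
        s = Session(user=user, bound_ip=client_ip, remember_me=remember_me)
        self._sessions[s.sid] = s
        return s.sid

    def authorize(self, sid, client_ip, secure_action):
        """Decide what to do with a request carrying cookie `sid` from `client_ip`.

        Returns "allow", "revalidate" or "deny".
        """
        s = self._sessions.get(sid)
        if s is None:
            return "deny"                           # unknown or expired cookie
        if s.remember_me:
            # Remember Me only restores the UI: the IP is not checked, but
            # (assumption of this example) it never unlocks secure data by itself.
            return "revalidate" if secure_action else "allow"
        if secure_action and client_ip != s.bound_ip:
            # Cookie issued to one IP arrives from another on a secure request:
            # possible hijack, so the user must prove who they are again.
            return "revalidate"
        return "allow"                              # non-secure pages: IP not checked

    def revalidate(self, sid, client_ip, credentials_ok):
        """After the user re-entered a password: retire the old cookie and issue a
        fresh one bound to the IP the request came from. Returns the new sid or None."""
        old = self._sessions.get(sid)
        if old is None or not credentials_ok:
            return None
        del self._sessions[sid]
        return self.login(old.user, client_ip)
```

With a proxy pool like the one discussed above, where every request can arrive from a different IP, each secure request trips the re-validation path, which is exactly the cost Jerry's objection points at.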