On 3 Jun 2006, at 17:03, Clint M. Sand wrote:

> So all I have to do is *TRY* to login as you on another machine and
> your original legit connection is dropped?
>
> Think about this.
Only successful logins would update the IP associated with that login. Failed login attempts would do nothing.

Sorry, my wording was a little unclear. What I actually meant was that a successful login from a second machine would kick the first login off, as the most recent IP would be the one associated with that client. If the first client successfully logged in again, that would kick the second login off.

The best I can do against somebody trying to use a stale IP is to check the MAC address that the successful login came from against what it claims to be at the time. Any mismatch and the IP is kicked off. If people want to go to the effort of spoofing a MAC address and finding a stale IP to use, there's little I can do. Being that this is a service intended for the general public, I'm reckoning that 99.9% of users won't even know that a MAC could be spoofed, or know how to do it.

I suppose I could take it one step further and get a TCP OS fingerprint of the client at login time, and use that as a further aid to checking that the person that logged in is the person currently using this IP address.

Is there any way to protect against this?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
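As an added illustration of the scheme this reply describes (example code, not from the original thread or the service being discussed), here is a small Python model of the binding table: a successful login records the client's IP and MAC and supersedes any earlier login for that account, failed logins change nothing, and any request whose observed MAC (or optional OS fingerprint, if one was recorded) does not match what was recorded evicts the binding. The class and method names are assumptions, and the IPs and MACs are constructed sample values. The post's own caveat still applies: this only raises the bar, since the checked attributes can be forged.

```python
"""Model of the 'most recent successful login owns the IP' scheme.

Assumptions (not from the original message): one active binding per
account, a binding is (ip, mac, optional fingerprint), and the service
can evict a binding when the traffic it sees no longer matches it.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Binding:
    ip: str
    mac: str
    fingerprint: Optional[str] = None   # e.g. a TCP/OS fingerprint taken at login


class SessionTable:
    def __init__(self) -> None:
        self._by_user: Dict[str, Binding] = {}
        self._by_ip: Dict[str, str] = {}    # ip -> user currently bound to it

    def login(self, user: str, password_ok: bool, ip: str, mac: str,
              fingerprint: Optional[str] = None) -> bool:
        """Record a binding only on a successful login; failures change nothing."""
        if not password_ok:
            return False
        # Most recent successful login wins: drop this user's earlier binding.
        self.kick(user)
        # If some other account still owns this IP (a stale binding), evict it
        # so the IP is associated with exactly one account at a time.
        prev = self._by_ip.get(ip)
        if prev is not None and prev != user:
            self.kick(prev)
        self._by_user[user] = Binding(ip, mac, fingerprint)
        self._by_ip[ip] = user
        return True

    def authorise(self, ip: str, observed_mac: str,
                  observed_fp: Optional[str] = None) -> Optional[str]:
        """Return the account allowed to use ip, or None.

        A MAC mismatch (or a fingerprint mismatch when one was recorded)
        means a different host is using a stale IP, so the binding is kicked.
        """
        user = self._by_ip.get(ip)
        if user is None:
            return None
        b = self._by_user[user]
        if b.mac != observed_mac:
            self.kick(user)
            return None
        if b.fingerprint is not None and b.fingerprint != observed_fp:
            self.kick(user)
            return None
        return user

    def kick(self, user: str) -> None:
        """Remove a user's binding and free the IP it held."""
        b = self._by_user.pop(user, None)
        if b is not None and self._by_ip.get(b.ip) == user:
            self._by_ip.pop(b.ip, None)


def demo() -> list:
    """Walk through the cases discussed in the thread with constructed values."""
    t = SessionTable()
    out = []
    # 1. A failed login from another machine must not touch anything.
    out.append(t.login("alice", False, "10.0.0.9", "aa:aa:aa:aa:aa:02"))
    out.append(t.authorise("10.0.0.9", "aa:aa:aa:aa:aa:02"))
    # 2. Successful login binds the IP and MAC.
    out.append(t.login("alice", True, "10.0.0.5", "aa:aa:aa:aa:aa:01", "linux-2.6"))
    out.append(t.authorise("10.0.0.5", "aa:aa:aa:aa:aa:01", "linux-2.6"))
    # 3. A second successful login elsewhere kicks the first one off.
    out.append(t.login("alice", True, "10.0.0.9", "aa:aa:aa:aa:aa:02"))
    out.append(t.authorise("10.0.0.5", "aa:aa:aa:aa:aa:01", "linux-2.6"))
    # 4. A different MAC showing up on the bound IP evicts the binding.
    out.append(t.authorise("10.0.0.9", "aa:aa:aa:aa:aa:99"))
    out.append(t.authorise("10.0.0.9", "aa:aa:aa:aa:aa:02"))
    return out


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through returns `[False, None, True, 'alice', True, None, None, None]`: the failed attempt is ignored, the first login is authorised, the second login supersedes it, and a mismatched MAC evicts the binding so even the original MAC is refused afterwards until it logs in again.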