AOL uses load balancing proxy servers which means every new page load could come from a different IP address.
A quick Google search brought up this article that mentions it:

http://surfaid.dfw.ibm.com/web/home/whitepapers/weblog.html

Read the section on 'Effects of Dynamically Changing IP addresses'

Justin Garrett

"Justin French" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I haven't heard about addresses changing midway through a session (i.e.,
> without reconnecting), but it's worth pointing out that there will be a few
> other reasons why this isn't a good idea:
>
> 1. if they have to reconnect, they're near guaranteed to have a new IP
>
> 2. with most big ISPs, all users may *appear* to have the same IP... so any
> of them could hijack the session?
>
> The only way to test if IPs ARE changing is to get/borrow an AOL account,
> and create a page which you can refresh 30 times over an hour, looking at
> the IP addresses each time. That should confirm/deny the problem.
>
> But I wouldn't be relying on a remote IP for anything... they're too
> unreliable.
>
>
> Justin French
>
>
>
> on 29/08/02 7:29 AM, Joseph Szobody ([EMAIL PROTECTED]) wrote:
>
> > In a portion of a website, I have implemented user authentication and
> > management using sessions. When a user first logs in, the $REMOTE_ADDR is
> > stored in a session variable SESSION['ip']. On each of the protected pages, a
> > header.php is included with the following code:
> >
> > if ($SESSION['ip'] != $REMOTE_ADDR){
> >     header("Location: error.php?err=2");
> >     die;
> > }
> >
> > As you can see, this is an attempt to see if someone is trying to hijack a
> > session. The problem is, AOL doesn't like this. Whenever an AOL user logs into
> > the website, the session starts successfully, but when the user goes to a
> > protected page, he's redirected to error.php?err=2. For some reason, the IP
> > address appears to be changing.
> >
> > Is this a known issue with AOL? Is the IP really changing from page to page?
> > That seems weird. Any way around this, or must I stop using this security
> > approach?
> >
> > Thanks,
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
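
The two failure modes raised in this thread (addresses that change between page loads, and many users appearing behind one address), replayed against the comparison from the original post. This is an added example, not code from the thread; the function names, user names and documentation-range addresses are constructed for illustration.

```php
<?php
// Constructed sample data: all addresses come from the RFC 5737
// documentation ranges and do not belong to any real ISP.

// The comparison from the original post's header.php, as a pure function.
function ip_check_passes(string $loginIp, string $remoteAddr): bool
{
    return $loginIp === $remoteAddr;
}

// Replay requests against the check and classify each outcome.
// Each request is [session owner, actual sender, remote address seen].
function replay(array $loginIps, array $requests): array
{
    $result = ['ok' => 0, 'false_reject' => 0, 'false_accept' => 0, 'blocked' => 0];
    foreach ($requests as [$owner, $sender, $remoteAddr]) {
        $passes = ip_check_passes($loginIps[$owner], $remoteAddr);
        $legit  = ($owner === $sender);
        if ($legit && $passes) {
            $result['ok']++;
        } elseif ($legit) {
            $result['false_reject']++;  // real user sent to error.php?err=2
        } elseif ($passes) {
            $result['false_accept']++;  // different user, same apparent IP
        } else {
            $result['blocked']++;
        }
    }
    return $result;
}

// alice logged in through a load-balanced proxy pool;
// bob and carol both appear behind one shared proxy address.
$loginIps = ['alice' => '192.0.2.10', 'bob' => '198.51.100.7'];

$requests = [
    ['alice', 'alice', '192.0.2.10'],   // same proxy as at login
    ['alice', 'alice', '192.0.2.11'],   // next page load, different proxy
    ['alice', 'alice', '192.0.2.12'],   // and another
    ['bob',   'bob',   '198.51.100.7'], // owner, unchanged address
    ['bob',   'carol', '198.51.100.7'], // other user behind the same proxy
    ['bob',   'dave',  '203.0.113.5'],  // other user, different address
];

print_r(replay($loginIps, $requests));
```

The `false_reject` count corresponds to the AOL redirects described in the original post, and `false_accept` to the shared-IP case in point 2 of the reply.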