--- Kevin Stone <[EMAIL PROTECTED]> wrote:
> What I suggest to you is code a solution around the IP
> address. The IP address of course, like any information
> coming from the client, can be tampered with but more
> than likely it's not going to change while the user is
> browsing your website. Right?

Sorry to disagree, but this is incorrect. The IP address is a terrible metric for client identification. I mean, it is absolutely terrible. Yes, it is easier for a potential attacker to spoof information at the HTTP level than the TCP/IP level, but that is no defense.

More (most?) importantly, there are two situations where you will run into trouble with legitimate users who are just trying to use your site:

1. The users are behind an HTTP proxy, which is a very popular configuration for business environments. Thus, the IP address will be that of the HTTP proxy, not the client. Many people will appear to be the same person.

2. The users are behind a round-robin HTTP proxy, such as all AOL users (a large number of Web users). One person can appear to be many different people.

Anyway, I hated to let that one go. Again, sorry to disagree, but relying on an IP address for client identification can lead to some very frustrating problems for inexperienced developers.

Chris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
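The two situations listed in the reply above, as an added example that is not part of the original message: PHP that groups a constructed request log both ways to show where IP-keyed identification merges people and where it splits one person apart. The sample addresses, the user names and the `groupDistinct` helper are assumptions made for illustration.

```php
<?php
// Constructed sample: [IP address the server sees, person actually browsing].
// Addresses come from the documentation ranges; the names are made up.
$requests = [
    ['203.0.113.10',  'alice'],  // alice and bob sit behind one office HTTP proxy
    ['203.0.113.10',  'bob'],
    ['203.0.113.10',  'alice'],
    ['198.51.100.21', 'carol'],  // carol's requests leave through a round-robin proxy pool
    ['198.51.100.22', 'carol'],
    ['198.51.100.23', 'carol'],
];

// Map each distinct value in column $keyCol to the distinct values seen in column $valueCol.
function groupDistinct(array $rows, int $keyCol, int $valueCol): array
{
    $groups = [];
    foreach ($rows as $row) {
        $groups[$row[$keyCol]][$row[$valueCol]] = true;  // array keys de-duplicate
    }
    return array_map('array_keys', $groups);
}

$usersByIp = groupDistinct($requests, 0, 1);
$ipsByUser = groupDistinct($requests, 1, 0);

// Situation 1: one address, several people. Keyed by IP, they become one client.
foreach ($usersByIp as $ip => $users) {
    if (count($users) > 1) {
        printf("%s: %d people look like one client (%s)\n", $ip, count($users), implode(', ', $users));
    }
}

// Situation 2: one person, several addresses. Keyed by IP, they become many clients.
foreach ($ipsByUser as $user => $ips) {
    if (count($ips) > 1) {
        printf("%s: looks like %d clients (%s)\n", $user, count($ips), implode(', ', $ips));
    }
}

// An IP-keyed scheme counts one "client" per address, not per person.
printf("clients by IP: %d, actual people: %d\n", count($usersByIp), count($ipsByUser));
```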