Chris, I appreciate your response, but please read my post again. I did not suggest using the IP for user identification. I suggested using it as a temporary id. I went on further to suggest using sessions to identify individual users behind a proxy server.

-Kevin

----- Original Message -----
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: "Kevin Stone" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 15, 2003 2:37 PM
Subject: Re: Fw: [PHP] HTTP_REFERER work without a problem....

> --- Kevin Stone <[EMAIL PROTECTED]> wrote:
> > What I suggest to you is code a solution around the IP
> > address. The IP address of course, like any information
> > coming from the client, can be tampered with but more
> > than likely it's not going to change while the user is
> > browsing your website. Right?
>
> Sorry to disagree, but this is incorrect. The IP address is
> a terrible metric for client identification. I mean, it is
> absolutely terrible.
>
> Yes, it is easier for a potential attacker to spoof
> information at the HTTP level than the TCP/IP level, but
> that is no defense.
>
> More (most?) importantly, there are two situations where
> you will run into trouble with legitimate users who are
> just trying to use your site:
>
> 1. The users are behind an HTTP proxy, which is a very
> popular configuration for business environments. Thus, the
> IP address will be that of the HTTP proxy, not the client.
> Many people will appear to be the same person.
>
> 2. The users are behind a round-robin HTTP proxy, such as
> all AOL users (a large number of Web users). One person can
> appear to be many different people.
>
> Anyway, I hated to let that one go. Again, sorry to
> disagree, but relying on an IP address for client
> identification can lead to some very frustrating problems
> for inexperienced developers.
>
> Chris
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
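
The two proxy situations described in the quoted message, and the session approach from the reply, as an added example that is not part of the original thread. The request log, user names, addresses and session ids are constructed, and `evaluate` is a hypothetical helper; the last case (session bound to IP) goes slightly beyond the thread to show the same round-robin effect.

```python
from collections import defaultdict

# Constructed request log: (true_user, source_ip, session_id).
# true_user is ground truth known only to this simulation, never to the server.
REQUESTS = [
    ("alice", "203.0.113.10", "s-a1"),  # alice and bob share one corporate proxy
    ("bob",   "203.0.113.10", "s-b1"),
    ("alice", "203.0.113.10", "s-a1"),
    ("carol", "198.51.100.1", "s-c1"),  # carol's requests rotate through a
    ("carol", "198.51.100.2", "s-c1"),  # round-robin proxy pool
    ("carol", "198.51.100.3", "s-c1"),
    ("dave",  "192.0.2.77",   "s-d1"),  # direct connection
]

def evaluate(requests, key):
    """Identify clients by key(ip, session_id) and compare with ground truth.

    Returns (merged, split):
      merged: identities that cover more than one real user
      split:  real users that show up under more than one identity
    """
    users_per_id = defaultdict(set)
    ids_per_user = defaultdict(set)
    for user, ip, sid in requests:
        ident = key(ip, sid)
        users_per_id[ident].add(user)
        ids_per_user[user].add(ident)
    merged = {i: sorted(u) for i, u in users_per_id.items() if len(u) > 1}
    split = {u: sorted(i) for u, i in ids_per_user.items() if len(i) > 1}
    return merged, split

def by_ip(requests):
    return evaluate(requests, lambda ip, sid: ip)

def by_session(requests):
    return evaluate(requests, lambda ip, sid: sid)

def by_session_bound_to_ip(requests):
    # A session that is only honoured from the IP it was first seen on.
    return evaluate(requests, lambda ip, sid: (ip, sid))

if __name__ == "__main__":
    for name, fn in [("ip", by_ip), ("session", by_session),
                     ("session+ip", by_session_bound_to_ip)]:
        merged, split = fn(REQUESTS)
        print(f"{name:11} merged={merged} split={split}")
```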