Sorry, this isn't strictly apache related, but this seems like a good place to find HTTP expertise and insight. I'm just wondering if ip-address-spoofing is of concern with HTTP in general? Specifically, I'm using server side sessions and "authenticating" them against IP address. By this I mean I'm just verifying each time the session id is sent by the client (in the query string or in a cookie) that it's from the same IP-address as the one that initiated the session to make sure someone hasn't hijacked another person's session. So my question is just whether or not someone could possibly spoof their IP-address in an HTTP request? I believe they would not be able to get a response from the server with a spoofed IP address, but if they were, for instance, just trying to submit a form using someone else's session, then they wouldn't require an HTTP response. However, they would still need to participate in the TCP handshake, correct? So it seems to me that ip-spoofing is NOT a concern for HTTP over TCP, but I would like to hear from someone who actually knows or can offer any additional insight. Thanks, -Brian -- Feel free to contact me using PGP Encryption: Key Id: 0x3AA70848 Available from: http://pgp.mit.edu/ --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx