On Thu, November 10, 2005 3:08 pm, GamblerZG wrote:
> Chris Shiflett wrote:
>> GamblerZG wrote:
>>> I think it's still reasonable to restrict a session to a single IP.
>> No, it's not, for all of the reasons Richard mentioned and more.
>
> I agree that using only IP to identify session is bad.
> Using only SID is ok.
> Using SIDs that are tied to a single IP is even _more secure_, since the
> possible attacker would need to have exactly the same IP as a victim of
> session hijacking. This comes at a price of a small inconvenience for
> dial-up users (since they would need to login on each reconnect), but I
> think such price is reasonable.

Please pay attention.

AOL *will* change the IP address of their users *IN* *THE* *MIDDLE* *OF* *A* *SESSION*.

They will not be "disconnected".
They will not need to re-dial.
Their phone line does not change its status from "live" to "dead".
They will not be logged out of AOL.

Their IP address *WILL* change, just because AOL felt like it [++].

You are rendering your site un-usable by all AOL users in a big way to rely on IP address not changing in mid-session.

There is *NO* standard, law, rule, nor reason for an IP address to be assumed to be consistent, even in a single session/login/phone-call.

++ I suspect that AOL has a better reason internally for doing this than "I felt like it" but they don't NEED a better reason, and the effect is the same.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
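The failure mode the reply describes, a client whose IP changes mid-session without any reconnect, can be reproduced against the two session policies the thread compares. The following is an added example, not code from either poster or from PHP itself: a small session store that can be run in "SID only" mode or "SID tied to login IP" mode, fed a constructed request trace (RFC 5737 documentation addresses standing in for a proxy pool that rotates addresses). It also shows that a request carrying an unknown session id is rejected under both policies, i.e. the SID's entropy is what actually stands between an attacker and the session, while the IP check only adds an availability failure for users behind rotating proxies. Names (`SessionStore`, `run_trace`, `TRACE`) and the timeout value are assumptions of this example.

```python
"""Added example: compare 'SID only' and 'SID bound to login IP' session policies."""
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    sid: str
    user: str
    last_seen: float
    login_ip: str  # recorded at login; consulted only when bind_to_ip is set


class SessionStore:
    """Minimal server-side session store (assumed design, not PHP's own)."""

    def __init__(self, bind_to_ip: bool, idle_timeout: float = 1800.0):
        self.bind_to_ip = bind_to_ip
        self.idle_timeout = idle_timeout
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client_ip: str, now: float) -> str:
        # 256-bit random SID: guessing it is the only route to an existing session
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, now, client_ip)
        return sid

    def validate(self, sid: str, client_ip: str, now: float):
        """Return the user for a live session, or None if the request is rejected."""
        s = self._sessions.get(sid)
        if s is None:
            return None  # unknown or previously destroyed SID
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[sid]  # idle expiry applies under both policies
            return None
        if self.bind_to_ip and client_ip != s.login_ip:
            # Strict policy: any address change ends the session, whether it is
            # a hijack attempt or a legitimate client behind a rotating proxy.
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user


# Constructed trace: (seconds since login, client IP as seen by the server).
# The user never reconnects; the proxy in front of them simply changes address.
TRACE = [
    (0, "198.51.100.10"),
    (60, "198.51.100.10"),
    (120, "198.51.100.11"),  # mid-session address change
    (180, "198.51.100.12"),
]


def run_trace(bind_to_ip: bool, trace=TRACE) -> list:
    """Log in once, then replay the trace; returns the per-request outcome."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    t0 = 1_000_000.0
    sid = store.login("alice", trace[0][1], t0)
    return [store.validate(sid, ip, t0 + dt) for dt, ip in trace]


def unknown_sid_rejected(bind_to_ip: bool) -> bool:
    """A request with a SID the server never issued is refused under either policy."""
    store = SessionStore(bind_to_ip=bind_to_ip)
    t0 = 1_000_000.0
    store.login("alice", "198.51.100.10", t0)
    forged = secrets.token_urlsafe(32)  # constructed, never issued by this store
    return store.validate(forged, "198.51.100.10", t0 + 1) is None


def idle_session_rejected(bind_to_ip: bool) -> bool:
    """Idle expiry, not IP binding, is what eventually retires an abandoned session."""
    store = SessionStore(bind_to_ip=bind_to_ip, idle_timeout=1800.0)
    t0 = 1_000_000.0
    sid = store.login("alice", "198.51.100.10", t0)
    return store.validate(sid, "198.51.100.10", t0 + 1801) is None


if __name__ == "__main__":
    print("SID only:        ", run_trace(bind_to_ip=False))
    print("SID bound to IP: ", run_trace(bind_to_ip=True))
```

Running it prints the SID-only policy serving all four requests, while the IP-bound policy serves the first two and then destroys the session at the first address change, so every later request from the same user is refused as well. The forged-SID and idle-timeout checks return the same result under both policies, which is the point of the thread: the IP check adds nothing an attacker without the SID can be stopped by, and costs the availability described above.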