Re: Re: disable referer ? (was: Framed & Linked Content)


 



Richard Lynch wrote:

>>> It CANNOT be tied to the IP address, because most users' IP
>>> addresses are not static.
>>
>> I think it is for the duration of the session. Mine certainly is.
> 
> Yours might be.
> AOL users are *NOT*.
> In peak periods, an AOL user's IP address will change with every HTTP
> request.

Surely you are joking??  Don't they use DHCP for dishing out addresses? 
I guess AOL users just have to do without https during peak hours :-)

> Further, large corporate users will ALL appear as a single IP address.

Yes, that's assuming they're using NAT - which many small and large
entities will be, I agree.   In such cases, if the session id _is_
somehow tied to the IP-address, any attempt to hijack the session from
outside the NAT'ed network will fail.

>> Regardless, I did some googling and read a bit about session
>> hijacking and such.  I still don't see much of a serious problem. 
>> When Firefox switches off REFERER by default, we can talk again.
> 
> Suppose only 0.1% of the Internet users have REFERER off.
> 
> You say "That's not much.  0.1%"
> 
> Now suppose there are a billion people who use the Internet.
> 
> What is 0.1% of a billion?
> 
> Do the math.

10million.  But what I said was that _maybe_ 0.00X% have REFERER
switched off - and 0.001% of 1billion is 10.000 people.  I can live
with that. 

> If you have even a few thousand visitors, you are likely getting at
> least a few that have no REFERER...

Like I said, I can live with that.  If people are that paranoid, they
shouldn't be on the internet at all, IMHO. 


/Per Jessen, Zürich

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
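
The trade-off argued in this thread, as an added example that is not part of the original message or of PHP's own session handling: a check that binds a session to the client address, run over constructed scenarios for a stable address, a rotating proxy pool, and hosts inside and outside one NAT. The function names, the /24 relaxation and all addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```php
<?php
// Added example: simulates IP-bound session checks.
// All names and addresses below are constructed for illustration.

/** Reduce an IPv4 address to its network prefix (32 = exact address). */
function ip_prefix(string $ip, int $bits): int
{
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ip2long($ip) & $mask;
}

/** True if a request from $ip may use a session that was created from $boundIp. */
function session_ip_ok(string $boundIp, string $ip, int $bits): bool
{
    return ip_prefix($boundIp, $bits) === ip_prefix($ip, $bits);
}

// Constructed scenarios:
// label => [address seen at login, address of a later request with the same session id]
$scenarios = [
    'same user, stable address'          => ['192.0.2.10',   '192.0.2.10'],
    'same user, rotating proxy pool'     => ['198.51.100.7', '198.51.100.93'],
    'same user, proxy in another subnet' => ['198.51.100.7', '203.0.113.5'],
    // Every host behind one NAT presents the same public address.
    'other host behind the same NAT'     => ['192.0.2.10',   '192.0.2.10'],
    'other host outside the NAT'         => ['192.0.2.10',   '203.0.113.77'],
];

foreach ([32, 24] as $bits) {
    echo "Binding on /$bits\n";
    foreach ($scenarios as $label => [$bound, $seen]) {
        $verdict = session_ip_ok($bound, $seen, $bits) ? 'accepted' : 'rejected';
        printf("  %-36s %s\n", $label, $verdict);
    }
}
```

Exact-address binding rejects the legitimate user behind a rotating proxy, while neither setting can tell two hosts behind the same NAT apart; only the request from outside the NAT is rejected in both runs.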

