On Jan 31, 2008 2:24 PM, Per Jessen <per@xxxxxxxxxxxx> wrote:
> Richard Lynch wrote:
>
> >>> It CANNOT be tied to the IP address, because most users' IP
> >>> addresses are not static.
> >>
> >> I think it is for the duration of the session. Mine certainly is.
> >
> > Yours might be.
> > AOL users are *NOT*.
> > In peak periods, an AOL user's IP address will change with every HTTP
> > request.
>
> Surely you are joking?? Don't they use DHCP for dishing out addresses?
> I guess AOL users just have to do without https during peak hours :-)

No, that's not it. The AOL users do have a consistent IP to connect to the AOL network during a given session. However, AOL routes their traffic through proxy servers and you may or may not get the same proxy with each request. It does seem to be more consistent than it used to be, but to the web server, it is very possible that each request will come from a different IP. And I don't believe AOL uses the X-Apparently-For (or whatever that header is) either.

> Like I said, I can live with that. If people are that paranoid, they
> shouldn't be on the internet at all, IMHO.

It's not just paranoia over having sessions hijacked. You could still have sensitive data leaked from query string params that have nothing to do with the session information, not to mention some people just don't like telling every web site where they came from. There doesn't have to be anything nefarious.

Personally, I haven't munged with my referer any, but I do think it should be easier for users to choose whether it should be sent regardless of which browser they are using.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php