Andrew Ballard wrote:
>>> Yours might be.
>>> AOL users are *NOT*.
>>> In peak periods, an AOL user's IP address will change with every
>>> HTTP request.
>>
>> Surely you are joking?? Don't they use DHCP for dishing out
>> addresses? I guess AOL users just have to do without https during
>> peak hours :-)
>
> No, that's not it. The AOL users do have a consistent IP to connect to
> the AOL network during a given session. However, AOL routes their
> traffic through proxy servers and you may or may not get the same
> proxy with each request. It does seem to be more consistent than it
> used to, but to the web server, it is very possible that each request
> will come from a different IP. And I don't believe AOL uses the
> X-Apparently-For (or whatever that header is) either.

There is some or other header that is intended for making the target
server aware of proxying, but I can't remember what it is either.

>> Like I said, I can live with that. If people are that paranoid, they
>> shouldn't be on the internet at all, IMHO.
>
> It's not just paranoia over having sessions hijacked. You could still
> have sensitive data leaked from query string params that have nothing
> to do with the session information, not to mention some people just
> don't like telling every web site where they came from. There doesn't
> have to be anything nefarious.

Oh, I agree with that. To me it just still comes under the paranoia
heading. Wrt "people just don't like telling every web site where they
came from", that's also a fair point. Then it's up to me as a developer
to determine if I can be bothered to cater to those too. Especially
when it only takes 2-3 lines of Apache config to deal with the 99.999%
of my (less paranoid) users.

> Personally, I haven't munged with my referer any, but I do think it
> should be easier for users to choose whether it should be sent
> regardless of which browser they are using.

I think that's a fair request - how about an option for "omit REFERER
when changing websites only"? Now, where's that Firefox wishlist?

/Per Jessen, Zürich