>>>checking amount of attempts per IP - ip can be forged
>>
>>I'm not sure what you mean by this. If an HTTP request is coming from my
>
> There's connection and reported connection IP. I remember back in the days there
> was a security bug in CFHTTP where you could 'control' the IP that was reported
> in the CGI vars.
CFHTTP acts as the client, the reporting of the remote_addr is
done by the server. So at best it displayed a bug in some server
implementation, it was not a generic mechanism to fake addresses.
Jochem
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
