> 
> > my point was that this solves the problem of using the ip address in
> > the md5 hash when the client is behind a proxy server.
> 
> This does not solve the problem: IP address of users behind Proxy is not
> unique. The User Agent is not unique either. Using User Agent solves
> nothing, and is in fact far less secure, since the client can set the User
> Agent header to be just about anything. At least the IP address has to be
> correct (but not unique) if the client wants to get a response.

The IP address is really a poor choice if I understand AOL and other
large-scale proxies enough - they use a round-robin IP scheme where multiple
requests _from the same user_ can appear as different IP addresses.

The cool thing about the MD5 hashing scheme is that any would-be hacker
needs to know the fields you are hashing in order to have a chance at
creating a like hash.  So, if you use stuff transmitted in the clear (like
username, sessionid, some bogus piece of info not used, and MD5 hash) as
well as other stuff obtainable from the transaction (like user-agent,
protocol, method, accept header) and combine some random form of these
(along with a server-side-only secret) the hash should be reasonably secure.
This is kind of how digest authentication works (except there the algorithm
is published, so you know the parameters involved).

--Geoff
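The token scheme sketched in the thread, as an added example that is not from any of the posters: cleartext fields are bound together with a server-side-only secret, the client IP is left out so a rotating proxy pool does not break the session, and verification recomputes from what the client sent. HMAC-SHA256 is used here in place of the ad-hoc "MD5 over fields plus secret" construction; the secret, field names and request values are constructed for the example.

```python
import hashlib
import hmac

# Server-side-only secret; a constructed value for this example. In practice
# load it from configuration and never send it to the client.
SERVER_SECRET = b"example-server-secret-do-not-reuse"

# Fields bound into the token. The client IP is deliberately absent because a
# large proxy pool can present one user under several addresses.
BOUND_FIELDS = ("username", "sessionid")


def canonical(request: dict) -> bytes:
    """Serialise the bound fields in fixed order with a separator that cannot
    occur in the values, so a client cannot shift field boundaries."""
    parts = []
    for name in BOUND_FIELDS:
        value = str(request[name])
        if "\x00" in value:
            raise ValueError("NUL not allowed in bound field")
        parts.append(f"{name}={value}".encode())
    return b"\x00".join(parts)


def make_token(request: dict, secret: bytes = SERVER_SECRET) -> str:
    """Keyed hash over the cleartext fields. HMAC-SHA256 stands in for the
    ad-hoc 'MD5 over fields plus secret' construction the message sketches."""
    return hmac.new(secret, canonical(request), hashlib.sha256).hexdigest()


def verify_token(request: dict, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute from what the client sent; compare in constant time."""
    return hmac.compare_digest(make_token(request, secret), token)


def demo() -> dict:
    # Constructed request as the server would see it after the login step.
    first = {"username": "alice", "sessionid": "7f3a9c", "client_ip": "10.0.0.1"}
    token = make_token(first)
    # Same session, next request routed through a different proxy address.
    via_other_proxy = {**first, "client_ip": "10.0.0.7"}
    # Someone replays the token but alters the cleartext username field.
    tampered = {**first, "username": "bob"}
    # Someone who knows the fields but not the secret tries plain MD5.
    unkeyed = hashlib.md5(canonical(first)).hexdigest()
    return {
        "valid": verify_token(first, token),
        "survives_ip_change": verify_token(via_other_proxy, token),
        "tamper_detected": not verify_token(tampered, token),
        "unkeyed_guess_fails": not verify_token(first, unkeyed),
    }
```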
