Thanks!  That's a good idea.

Just as an example, here are several IPs that seemed to be the same client.
The user agent, referer, etc. were all the same and the IPs resolve to the
same top-level domain.

205.228.12.236
205.228.12.151
205.228.12.254



On Mon, Oct 12, 2009 at 5:52 PM, Paul Silevitch <p...@silevitch.com> wrote:

> Also, requests that go through a proxy can appear to come from different IP
> addresses from hit to hit (or visit to visit).  Usually, proxies will put
> the real IP as the first IP in the X-Forwarded-For header.
>
> HTH,
>
> Paul
>
>
> On Mon, Oct 12, 2009 at 6:43 PM, Douglas Sims <ratsb...@gmail.com> wrote:
>
>>
>> We're starting to get some data now and I'm seeing a few minor problems
>> with the implementation of the idea.
>>
>> Here's one: if a request arrives with a cookie that is associated with a
>> different IP address then we create a new session entry and send a new
>> cookie.  I'm noticing that some users have IP addresses that change very
>> frequently.  This seems particularly likely with mobile devices.  We're
>> going to have to tweak the algorithm a bit to track activity across those
>> requests - or use some attribute of the IP address instead of just the IP
>> address - to trigger rotation of the session identity.
>>
>> On Sun, Oct 11, 2009 at 10:19 AM, Randal L. Schwartz <mer...@stonehenge.com> wrote:
>>
>>> >>>>> "Douglas" == Douglas Sims <ratsb...@gmail.com> writes:
>>>
>>> Douglas> I've tried to follow the philosophy that Randal Schwartz described in
>>> Douglas> a recent thread here - a cookie is just a serial number for a
>>> Douglas> browser.  By rotating the cookies often we're hoping to avoid
>>> Douglas> problems with stolen or leaked sessions and by storing the previous
>>> Douglas> session id (if there is one) with every new session we're planning to
>>> Douglas> be able to build a linked list of session activity which we can
>>> Douglas> correlate with specific users who log in at any part of that linked
>>> Douglas> list.
>>>
>>> That's an interesting idea... brand the browser, but rotate it from time to
>>> time, maintaining a list.  Thanks for suggesting that... I'll have to explore
>>> that in some future project.
>>>
>>> --
>>> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
>>> <mer...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
>>> Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
>>> See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
>>>
>>
>>
>
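
Added example, not part of the original thread or anyone's production code: a sketch of the scheme discussed above, where the session rotates when the client's network changes rather than on every IP change, and each new session stores the previous id to form the linked list. The names `SessionStore` and `network_key`, the in-memory dict, and the choice of a /24 (IPv6 /64) prefix as the "attribute of the IP address" are assumptions; the thread's reverse-DNS comparison is not implemented here.

```python
import ipaddress
import secrets

# Assumption: clients in the same IPv4 /24 (IPv6 /64) are treated as one network.
V4_PREFIX, V6_PREFIX = 24, 64

def network_key(ip: str) -> str:
    """Coarse attribute of the address, used instead of the exact IP."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

class SessionStore:
    def __init__(self):
        # session id -> {"net": network key, "prev": previous id, "ips": seen IPs}
        self.sessions = {}

    def _new(self, ip, prev=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"net": network_key(ip), "prev": prev, "ips": {ip}}
        return sid

    def handle(self, cookie, ip):
        """Return the session id to send back for this request."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return self._new(ip)              # missing or unknown cookie: no link
        if entry["net"] == network_key(ip):
            entry["ips"].add(ip)              # same network: keep the session
            return cookie
        return self._new(ip, prev=cookie)     # network changed: rotate, link back

    def chain(self, sid):
        """Walk the linked list of session ids, newest first."""
        out = []
        while sid is not None:
            out.append(sid)
            sid = self.sessions[sid]["prev"]
        return out

if __name__ == "__main__":
    store = SessionStore()
    sid = store.handle(None, "205.228.12.236")   # IPs quoted in the thread
    sid = store.handle(sid, "205.228.12.151")    # same /24, no rotation
    sid = store.handle(sid, "198.51.100.7")      # constructed address, rotates
    print(store.chain(sid))
```

If the address is taken from X-Forwarded-For, apply the same comparison only to values set by a proxy you operate, since the header can be supplied by the client.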
