Steve Crawford wrote:
You can make some modest security improvements by storing things such as the browser identification and IP address in the session data and verifying it on each request but IP verification fails if the user is behind a proxy like AOL's where each request may come from a different IP.
It'll also break with IPv6 Privacy Extensions (RFC3041), especially with fairly short connection keepalive intervals.
With Windows Vista supporting IPv6 and enabling it by default that's a significant concern. Its resolver doesn't appear to prefer IPv6 despite early documentation indicating that it would (eg: http://kame.org will prefer IPv4 to IPv6 on Vista) so it's not an urgent issue, but it bears thinking about.
It's great that PostgreSQL supports IPv6 so well, by the way. It provides me with transparent access to databases on my testing workstation from many of the networks I use day to day.
-- Craig Ringer -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
