Jason Wong wrote:
> On Thursday 04 July 2002 09:09, Chris Shiflett wrote:
>
>> As a caveat to Mr. Serra's suggestion, remember that there are *many*
>> users who will go through an IP masquerading gateway or proxy, so their
>> IP may fluctuate, even though they are actively browsing. For this
>> reason, it is often necessary to tolerate some fluctuation in the IP
>> address, perhaps only in the last octet though.
>
> This can be self-defeating in that an attacker in the same network segment of
> the user is probably in the best position to sniff and hijack the session
> that you're trying to protect. Allowing this leeway makes the attacker's job
> much easier!

That's true. And since I am making a core structure that has to be shared by users having different security needs, I guess I'd better leave this configurable, just like the time-out interval. So local admins may decide on their own which level of security they want to apply to their sites.

Thanks for helping :))

Alberto
Kiev

--
PHP General Mailing List (http://www.php.net/)
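
The configurable check discussed in this thread, as an added example that is not code from any of the posters: a session validator where the admin sets both the idle time-out and how many leading IPv4 octets must match. The function names, config keys and sample data are hypothetical and constructed for illustration.

```php
<?php
// Added example. Function and config key names are hypothetical.

// True when both addresses are valid IPv4 and agree on the first $octets octets.
function ip_prefix_matches(string $stored, string $current, int $octets): bool
{
    foreach ([$stored, $current] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return false; // fail closed on anything that is not dotted-quad IPv4
        }
    }
    $octets = max(0, min(4, $octets)); // 0 disables the IP check, 4 is exact match
    return array_slice(explode('.', $stored), 0, $octets)
        === array_slice(explode('.', $current), 0, $octets);
}

// Applies the two admin-tunable checks: idle time-out, then IP tolerance.
function session_is_valid(array $session, string $remoteIp, int $now, array $cfg): bool
{
    if ($now - $session['last_seen'] > $cfg['timeout_seconds']) {
        return false;
    }
    return ip_prefix_matches($session['ip'], $remoteIp, $cfg['ip_octets_to_match']);
}

// Constructed sample data (documentation address ranges).
$session = ['ip' => '192.0.2.10', 'last_seen' => 1000];
$strict  = ['timeout_seconds' => 900, 'ip_octets_to_match' => 4];
$lenient = ['timeout_seconds' => 900, 'ip_octets_to_match' => 3];

$requests = [
    'same address'                => ['192.0.2.10', 1300],
    'proxy pool, last octet'      => ['192.0.2.77', 1300],
    'different network'           => ['198.51.100.5', 1300],
    'same address, idle too long' => ['192.0.2.10', 2500],
];

foreach ($requests as $label => [$ip, $now]) {
    printf("%-28s strict=%-5s lenient=%s\n", $label,
        var_export(session_is_valid($session, $ip, $now, $strict), true),
        var_export(session_is_valid($session, $ip, $now, $lenient), true));
}
```

With three octets required, the proxy-pool request is accepted, and by the same rule so is any other host in that /24, which is the trade-off raised in the quoted reply.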