Jason Wong wrote:
> On Thursday 04 July 2002 09:09, Chris Shiflett wrote:
>
>>As a caveat to Mr. Serra's suggestion, remember that there are *many*
>>users who will go through an IP masquerading gateway or proxy, so their
>>IP may fluctuate, even though they are actively browsing. For this
>>reason, it is often necessary to tolerate some fluctuation in the IP
>>address, perhaps only in the last octet though.
>
> This can be self-defeating in that an attacker in the same network segment of
> the user is probably in the best position to sniff and hijack the session
> that you're trying to protect. Allowing this leeway makes the attacker's job
> much easier!
>
That's true. And since I am making a core structure that has to be
shared by users having different security needs, I guess I'd better leave
this configurable, just like the time-out interval. So local admins may
decide on their own which level of security they want to apply to their
sites.
Thanks for helping :))
Alberto
Kiev
--
@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@
LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
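
The configurable check discussed in this thread could look like the following. This is an added example, not code from the thread: the function names, the session keys and the prefix-length setting are assumptions, and it covers IPv4 on 64-bit PHP only.

```php
<?php
// Added example; every name here is hypothetical, not from the thread.

// Compare two IPv4 addresses on their first $prefixBits bits.
// 32 = exact match, 24 = ignore the last octet, 0 = IP check disabled.
function ip_within_tolerance(string $boundIp, string $currentIp, int $prefixBits): bool
{
    if ($prefixBits < 0 || $prefixBits > 32) {
        throw new InvalidArgumentException('prefixBits must be between 0 and 32');
    }
    if ($prefixBits === 0) {
        return true; // admin switched the check off
    }
    $bound = ip2long($boundIp);
    $current = ip2long($currentIp);
    if ($bound === false || $current === false) {
        return false; // unparsable address: fail closed
    }
    $mask = (0xFFFFFFFF << (32 - $prefixBits)) & 0xFFFFFFFF;
    return ($bound & $mask) === ($current & $mask);
}

// Bind the session to the first address seen, then enforce the admin's
// prefix length and time-out on every later request.
function check_session(array &$session, string $remoteAddr, int $prefixBits, int $timeout, int $now): bool
{
    if (!isset($session['ip'])) {
        $session = ['ip' => $remoteAddr, 'last_seen' => $now];
        return true;
    }
    $expired = ($now - $session['last_seen']) > $timeout;
    if ($expired || !ip_within_tolerance($session['ip'], $remoteAddr, $prefixBits)) {
        $session = []; // drop all session data; caller must force a new login
        return false;
    }
    $session['last_seen'] = $now;
    return true;
}

// Constructed sample requests (documentation address ranges), 15-minute time-out.
$lenient = [];
$strict = [];
var_dump(check_session($lenient, '192.0.2.10', 24, 900, 1000));   // first request binds
var_dump(check_session($lenient, '192.0.2.77', 24, 900, 1100));   // last octet differs
var_dump(check_session($lenient, '198.51.100.5', 24, 900, 1200)); // different network
var_dump(check_session($strict, '192.0.2.10', 32, 900, 1000));    // first request binds
var_dump(check_session($strict, '192.0.2.77', 32, 900, 1100));    // last octet differs
```

In a real page the caller would pass `$_SESSION`, `$_SERVER['REMOTE_ADDR']` and `time()`; behind a proxy `REMOTE_ADDR` is the proxy's address, which is the fluctuation the thread is weighing against the same-segment risk.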