Jake Brain wrote:
> Curious to hear from other developers who maintain session with client IP address
> and had to deal with AOL users getting invalid sessions - since AOL rotates IP
> addresses. How did you solve the problem, any ideas.
>
The simple answer is, you cannot depend on client IP addresses for Internet
applications. Even if the IP address is not being rotated, it will generally be
the IP address of a firewall or proxy server anyway -- so you still cannot tell
which individual PC inside the firewall originated the request. Indeed, the PC
itself may not even *have* a real IP address -- it might be using the reserved
Intranet address ranges (with the gateway providing address translation), or it
might even be running a non-IP protocol internally (with the gateway providing
protocol translation as well).

This is one of the reasons why the standard session management support in the
servlet spec uses cookies or URL rewriting, not client IP addresses, as the
basis for session identification.

Craig McClanahan
====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00): Sun Technical Briefing
Session T06 (24-Oct 14h00-15h00): Migrating Apache JServ
Applications to Tomcat
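
The failure modes described in the reply above, as an added example that is not part of the original message: a plain Java simulation (no servlet container) comparing a session table keyed on client IP with one keyed on a random id the client sends back, as a cookie or rewritten URL would. The class name, user names and addresses are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class SessionKeyDemo {
    static final SecureRandom RNG = new SecureRandom();

    // Random 128-bit session id, standing in for the cookie / rewritten-URL value.
    static String newSessionId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed traffic: {source IP seen by the server, actual user}.
        String[][] requests = {
            {"198.51.100.10", "alice"},  // alice, via proxy A
            {"198.51.100.11", "alice"},  // same alice, proxy rotated her address
            {"203.0.113.5",   "bob"},    // bob, behind a NAT gateway
            {"203.0.113.5",   "carol"},  // carol, behind the same gateway
        };
        Map<String, String> sessionByIp = new HashMap<>();  // IP -> session owner
        Map<String, String> sessionById = new HashMap<>();  // session id -> owner
        Map<String, String> cookieJar = new HashMap<>();    // user -> id the browser holds
        Set<String> seen = new HashSet<>();                 // users who already have a session

        for (String[] r : requests) {
            String ip = r[0], user = r[1];
            // Scheme 1: session keyed on client IP.
            String prev = sessionByIp.putIfAbsent(ip, user);
            String ipResult = prev == null
                ? (seen.contains(user) ? "existing session LOST" : "new session")
                : (prev.equals(user) ? "ok" : "got " + prev + "'s session");
            // Scheme 2: session keyed on an id the client presents on each request.
            boolean firstVisit = !cookieJar.containsKey(user);
            if (firstVisit) {
                String fresh = newSessionId();
                sessionById.put(fresh, user);
                cookieJar.put(user, fresh);
            }
            String owner = sessionById.get(cookieJar.get(user));
            String idResult = !owner.equals(user) ? "mismatch" : (firstVisit ? "new session" : "ok");
            seen.add(user);
            System.out.printf("%-14s %-6s ip-keyed: %-22s id-keyed: %s%n", ip, user, ipResult, idResult);
        }
    }
}
```

The id-keyed table is only as strong as the id itself, which is why the sketch draws it from `SecureRandom` rather than a counter or timestamp.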