> I was thinking to use the IP Validation

Whose IP address, exactly, do you plan to validate? In short, any information provided by the client is completely untrustworthy. Just because you think that some trusted component sets an HTTP header does not mean it is so. Headers are ultimately under the control of the client and therefore not trusted. The only suitable implementation that comes to mind is digital signatures, which would have the burden of key distribution and management among trusted peers.
M
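The signed-header approach mentioned in the reply above, sketched as an added example that is not part of the original message or of any project's code. It assumes Ed25519 as the signature scheme and a hypothetical `ip;unix-time;signature` header layout; the function names, freshness window and demo key pair are likewise constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const maxAge = 30 * time.Second // assumed freshness window

// SignClientIP runs on the trusted proxy. The "ip;unix;sig" layout is hypothetical.
func SignClientIP(priv ed25519.PrivateKey, ip string, now time.Time) string {
	msg := ip + ";" + strconv.FormatInt(now.Unix(), 10)
	return msg + ";" + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// VerifyClientIP runs on the backend: the IP is returned only if fresh and signed by a trusted key.
func VerifyClientIP(trusted []ed25519.PublicKey, header string, now time.Time) (string, error) {
	parts := strings.Split(header, ";")
	if len(parts) != 3 {
		return "", errors.New("malformed header")
	}
	ts, tsErr := strconv.ParseInt(parts[1], 10, 64)
	sig, sigErr := base64.RawURLEncoding.DecodeString(parts[2])
	if tsErr != nil || sigErr != nil {
		return "", errors.New("bad timestamp or signature encoding")
	}
	if age := now.Sub(time.Unix(ts, 0)); age < -maxAge || age > maxAge {
		return "", errors.New("stale header")
	}
	for _, pub := range trusted { // one public key per trusted peer
		if ed25519.Verify(pub, []byte(parts[0]+";"+parts[1]), sig) {
			return parts[0], nil
		}
	}
	return "", errors.New("not signed by a trusted proxy")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	now := time.Now()
	h := SignClientIP(priv, "203.0.113.7", now)
	fmt.Println(VerifyClientIP([]ed25519.PublicKey{pub}, h, now))
	fmt.Println(VerifyClientIP([]ed25519.PublicKey{pub}, "10.0.0.1;0;AAAA", now)) // unsigned claim
}
```

The `trusted` slice is the key distribution burden the reply refers to: every backend needs the current public key of every proxy, and a request whose header is missing or fails verification has to be treated as carrying no IP information at all.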
