On 9/20/07, Chris Bennett <[EMAIL PROTECTED]> wrote:
> As an aside, is anyone talking about seriously using this for access
> control? We've established that using X-F-F is a bad idea for that, in
> fact, I'd say that even known REMOTE_ADDR based auth is a bad idea, so
> why does it matter whether it is "trustworthy"?
Access control and auth are not the same. django.contrib.comments uses REMOTE_ADDR to log the IP address of someone submitting a comment. I've seen other Django apps do similar things (i.e. throttling poll submissions per IP address). This is a form of weak access control and useful if you can reasonably trust REMOTE_ADDR. See my last post to Leo's comment about not following X-Forwarded-For headers for better reliability on this.

And true, any form of IP-based auth is insane.

Cheers,
deryck

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en
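The two points in this exchange (honour X-Forwarded-For only when REMOTE_ADDR is a proxy you control, and use the resulting address for weak per-IP throttling rather than for auth) can be demonstrated in a few lines. The code below is an added example for this thread, not code from django.contrib.comments or from any poster; it works on a plain WSGI-style META dict so it runs without Django, and the trusted-proxy network (10.0.0.0/8) and the sample requests are constructed assumptions. It walks the X-Forwarded-For chain from the right, stopping at the first address that is not a trusted proxy, so a client-supplied prefix in the header is never believed.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed assumption: addresses of the reverse proxies that are allowed
# to append to X-Forwarded-For. In a real deployment this comes from the
# operator's configuration, never from the request.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted_proxies):
    return any(addr in net for net in trusted_proxies)


def client_ip(meta, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address for a WSGI/Django-style META dict, or None.

    REMOTE_ADDR is the TCP peer and cannot be forged by the client.
    HTTP_X_FORWARDED_FOR is a comma-separated chain where each proxy appends
    the address it saw; the leftmost entries can be whatever the client sent.
    We therefore start at the peer and walk the chain right-to-left, trusting
    each hop only while the hop that reported it is one of our own proxies.
    """
    try:
        current = ipaddress.ip_address(meta.get("REMOTE_ADDR", ""))
    except ValueError:
        return None  # malformed peer address: refuse rather than guess

    hops = [h.strip() for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    hops = [h for h in hops if h]

    for hop in reversed(hops):
        if not _is_trusted(current, trusted_proxies):
            break  # the reporter of this hop is not ours; stop here
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # a trusted proxy forwarded garbage; keep the proxy address
    return str(current)


class PerIPThrottle:
    """Sliding-window limiter: at most `limit` submissions per `window` seconds.

    This is the 'weak access control' use of the client address: it slows
    abuse from one source but must not be mistaken for authentication.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()  # drop submissions that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample requests.
    direct = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_FOR": "1.2.3.4"}
    proxied = {"REMOTE_ADDR": "10.0.0.2",
               "HTTP_X_FORWARDED_FOR": "198.51.100.7, 203.0.113.9"}
    print(client_ip(direct))   # header ignored: peer is not a trusted proxy
    print(client_ip(proxied))  # address appended by our proxy, not the spoofed prefix
    throttle = PerIPThrottle(limit=3, window=60)
    print([throttle.allow(client_ip(proxied), now=t) for t in (0, 1, 2, 3)])
```

The spoofable case is the second sample: the client sent `198.51.100.7` in the header, the trusted proxy appended the real peer `203.0.113.9`, and only the latter is returned. A setup that simply took the first element of X-Forwarded-For would let the client pick the address the throttle keys on.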