On Sep 23, 10:17 pm, "Robert Coup" <[EMAIL PROTECTED]>
wrote:
> then when you get a form submission, base64-decode it, split at "/", check
> the hash matches by recalculating it, then use the proximity-to-timestamp
> and the remote_addr to check the form validity.

Anything that relies on remote_addr is flawed, because IP addresses
change all the time. I frequently load up a Google Groups thread on my
laptop, compose a reply on the train to work and submit it when I get
there - and since I've moved networks my IP address changes in between
loading the form and submitting it. There's also the risk of proxies
that load balance traffic through different IP addresses, not to
mention IP addresses that are shared by many people (including a
potential attacker).

Cheers,

Simon
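The token scheme Robert describes, written out as an added example (not code from this thread or from Django): a base64 string of `timestamp/remote_addr/mac`, validated by recomputing the MAC and checking how old the timestamp is. It uses a keyed HMAC instead of a bare hash, and treats the IP binding as optional so that Simon's objection is visible: a token bound to one address fails as soon as the client's address changes, while an unbound token still expires and still cannot be forged. `SECRET` and `MAX_AGE` are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; a real deployment uses its own server-side secret.
SECRET = b"demo-secret-not-for-production"
MAX_AGE = 3600  # seconds a form token stays valid


def _mac(secret: bytes, timestamp: str, remote_addr: str) -> str:
    # Keyed HMAC over the fields, so the token cannot be rebuilt without the secret.
    msg = f"{timestamp}/{remote_addr}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(secret: bytes, now: int, remote_addr: str = "") -> str:
    # remote_addr="" issues a token that is NOT bound to the client IP.
    ts = str(now)
    raw = f"{ts}/{remote_addr}/{_mac(secret, ts, remote_addr)}".encode()
    return base64.urlsafe_b64encode(raw).decode()


def check_token(secret: bytes, token: str, now: int,
                remote_addr: str = "", max_age: int = MAX_AGE) -> bool:
    try:
        ts, bound_addr, mac = base64.urlsafe_b64decode(token.encode()).decode().split("/")
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token
    if not hmac.compare_digest(mac, _mac(secret, ts, bound_addr)):
        return False  # tampered, or built with a different secret
    if not 0 <= now - issued <= max_age:
        return False  # expired, or timestamp in the future
    # Enforce the IP binding only when the token carries one.
    return bound_addr == "" or bound_addr == remote_addr


if __name__ == "__main__":
    t0 = 1_700_000_000
    bound = make_token(SECRET, t0, "203.0.113.7")
    print("same address:", check_token(SECRET, bound, t0 + 600, "203.0.113.7"))
    print("after moving networks:", check_token(SECRET, bound, t0 + 600, "198.51.100.9"))
```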
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---