On Fri, July 8, 2005 11:25 am, Ezra Nugroho said:
>
> Here is one security measure that you HAVE to do if you allow people to
> submit contents to your site.
>
> 1. track client's IP.
> 2. Associate sensitive cookies with the IP, if they don't match, ignore
> it or invalidate the cookie.
>
> We may not stop the information redirection.
> We can make the information invalid.

NO!!!

IP is *USELESS* as identification!

AOL users change IP more often than drummers change their underwear.

EVERY user working at IBM is gonna have the *same* IP address.

You will only break your site for legitimate users, and not make anything
useful to stop Bad Guys.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to