Jason Wong wrote:
> On Thursday 04 July 2002 09:09, Chris Shiflett wrote:
>>As a caveat to Mr. Serra's suggestion, remember that there are *many*
>>users who will go through an IP masquerading gateway or proxy, so their
>>IP may fluctuate, even though they are actively browsing. For this
>>reason, it is often necessary to tolerate some fluctuation in the IP
>>address, perhaps only in the last octet though.
> This can be self-defeating in that an attacker in the same network segment of 
> the user is probably in the best position to sniff and hijack the session 
> that you're trying to protect. Allowing this leeway makes the attacker's job 
> much easier!

That's true. And since I am making a core structure that has to be 
shared by users having different security needs I guess I better leave 
this configurable just as the time-out interval. So local admins may 
decide on their own which level of security they want to apply to their 

Thanks for helping :))



LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......
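
The configurable check discussed in this thread, as an added example that is not part of the original messages: the number of leading address bits that must stay fixed and the idle time-out are both admin settings. The function names, constants and sample addresses are hypothetical, and IPv4 on a 64-bit PHP build is assumed.

```php
<?php
// Added example: hypothetical names; all addresses and times are constructed.

// Leading bits of the client IPv4 address that must not change during a
// session. 32 = exact match, 24 = the last octet may fluctuate.
const SESSION_IP_PREFIX_BITS = 32;   // assumed admin setting
const SESSION_IDLE_TIMEOUT   = 900;  // assumed admin setting, in seconds

function ip_within_tolerance(string $bound, string $current, int $bits): bool
{
    $a = ip2long($bound);
    $b = ip2long($current);
    if ($a === false || $b === false || $bits < 0 || $bits > 32) {
        return false; // unparsable address or bad setting: fail closed
    }
    // Build a netmask with $bits leading ones (0 bits means "ignore the IP").
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($a & $mask) === ($b & $mask);
}

function session_still_valid(array $session, string $remoteAddr, int $now,
                             int $bits = SESSION_IP_PREFIX_BITS,
                             int $timeout = SESSION_IDLE_TIMEOUT): bool
{
    if (!isset($session['ip'], $session['last_seen'])) {
        return false; // session was never bound to an address
    }
    if ($now - $session['last_seen'] > $timeout) {
        return false; // idle longer than the configured time-out
    }
    return ip_within_tolerance($session['ip'], $remoteAddr, $bits);
}

// Constructed sample: session bound to 192.0.2.10, last seen 60 seconds ago.
$now     = 1000000;
$session = ['ip' => '192.0.2.10', 'last_seen' => $now - 60];

// Strict setting: any change of address invalidates the session.
var_dump(session_still_valid($session, '192.0.2.77', $now, 32));
// Tolerant setting (/24): a hop between proxy addresses is accepted, and so
// is every other host in 192.0.2.0/24, which is the trade-off raised above.
var_dump(session_still_valid($session, '192.0.2.77', $now, 24));
// An address outside the /24 is rejected under either setting.
var_dump(session_still_valid($session, '198.51.100.5', $now, 24));
```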

PHP General Mailing List (http://www.php.net/)