On Fri, 5 Jul 2002, Scott Fletcher wrote:
> We also use the "$_SERVER['REMOTE_ADDR'] to allow only the credit bureau
> employee to log in to the administration website that is if the
> employee's machine is at the credit bureau place.  This help with some
> security but not a full security because people outside of the credit
> bureau can easily change the IP address on his/her machine or is in a
> local network behind the the firewall with make up IP addreses since it
> won't be used in the internet or real network.

People outside cannot change their IP addresses to those used by machines
behind your firewall (unless they are in your building and your firewall
is horribly misconfigured). Well, they can change them but it serves
little purpose. Return traffic would not be routed to them.

The best they can do is spoof those addresses, but that's a one-way 
street: If you pass a token, they won't receive it, so you can easily 
ignore them.

On the other hand, the IP address issue doesn't really add any security 
here; it's the token.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to