On Fri, 5 Jul 2002, Scott Fletcher wrote:

> We also use the "$_SERVER['REMOTE_ADDR']" to allow only the credit bureau
> employee to log in to the administration website, that is, if the
> employee's machine is at the credit bureau place. This helps with some
> security but not full security, because people outside of the credit
> bureau can easily change the IP address on his/her machine or is in a
> local network behind the firewall with made-up IP addresses, since it
> won't be used in the internet or real network.
People outside cannot change their IP addresses to those used by machines
behind your firewall (unless they are in your building and your firewall is
horribly misconfigured). Well, they can change them, but it serves little
purpose. Return traffic would not be routed to them. The best they can do is
spoof those addresses, but that's a one-way street: if you pass a token, they
won't receive it, so you can easily ignore them.

On the other hand, the IP address issue doesn't really add any security here;
it's the token.

miguel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
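The arrangement miguel describes, as an added example that is not code from either poster: the admin page checks REMOTE_ADDR against the office network as defence in depth, but the decision rests on a session-bound token that a host spoofing an office address never received. It assumes 64-bit PHP 7 or later, no reverse proxy in front of the web server, constructed office CIDR blocks, and that the login code already stored a random token in $_SESSION['admin_token'].

```php
<?php
// Added example, not from the thread. Assumes 64-bit PHP >= 7 and that the
// web server terminates the TCP connection itself (no reverse proxy), so
// REMOTE_ADDR is the real peer address and not a client-supplied header.

// Constructed allowlist: CIDR blocks assumed to be the credit bureau's network.
const OFFICE_NETWORKS = ['192.0.2.0/24', '198.51.100.0/25'];

// True if IPv4 address $ip lies inside $cidr, e.g. "192.0.2.0/24".
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                       // not a valid IPv4 address
    }
    $shift = 32 - (int) $bits;              // drop the host part of both addresses
    return ($ipLong >> $shift) === ($netLong >> $shift);
}

// Defence in depth only: a forged source address can still reach this check,
// it just cannot receive the reply (and therefore never obtained the token).
function request_from_office(): bool
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach (OFFICE_NETWORKS as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

session_start();

// The token was issued over the established session at login time; this is
// the part that actually authenticates the request.
$expected = $_SESSION['admin_token'] ?? null;
$supplied = $_POST['token'] ?? null;

if (!request_from_office()
    || !is_string($expected) || !is_string($supplied)
    || !hash_equals($expected, $supplied)) {   // constant-time comparison
    http_response_code(403);
    exit('Forbidden');
}
// ... administration page continues here ...
```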