Well, the website uses both port 80 and port 443. The public accesses the
website freely, so blocking them is not an option; besides, they don't know the
true IP address behind the firewall for them to access the administration
website. We don't have an intranet for the administration website to be used on.
"Miguel Cruz" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> On Fri, 5 Jul 2002, Scott Fletcher wrote:
> > We also use `$_SERVER['REMOTE_ADDR']` to allow only the credit bureau
> > employee to log in to the administration website, that is, if the
> > employee's machine is at the credit bureau's premises. This helps with some
> > security but not full security, because people outside of the credit
> > bureau can easily change the IP address on their machine or are in a
> > local network behind the firewall with made-up IP addresses, since they
> > won't be used on the internet or a real network.
> People outside cannot change their IP addresses to those used by machines
> behind your firewall (unless they are in your building and your firewall
> is horribly misconfigured). Well, they can change them but it serves
> little purpose. Return traffic would not be routed to them.
> The best they can do is spoof those addresses, but that's a one-way
> street: If you pass a token, they won't receive it, so you can easily
> ignore them.
> On the other hand, the IP address issue doesn't really add any security
> here; it's the token.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
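As an added example (not code from this thread or from PHP's own documentation), a sketch in PHP of the arrangement discussed above: an allow-list on `$_SERVER['REMOTE_ADDR']` as a first filter, with the server-issued session still deciding access. The networks are constructed placeholders, and it assumes 64-bit PHP with sessions enabled.

```php
<?php
// Added example: gate an administration page on the TCP peer address
// (REMOTE_ADDR) as a filter, and still require an authenticated session.
// A forged source address never completes the TCP handshake, so it cannot
// obtain the session cookie; the session is what actually grants access.

// True if $ip (IPv4 dotted quad) lies inside $cidr ("a.b.c.d/n" or "a.b.c.d").
// Assumes 64-bit PHP, where ip2long() returns non-negative integers.
function ip_in_cidr(string $ip, string $cidr): bool
{
    $bits = 32;
    $net  = $cidr;
    if (strpos($cidr, '/') !== false) {
        [$net, $bitsStr] = explode('/', $cidr, 2);
        $bits = (int) $bitsStr;
    }
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;                       // malformed input: fail closed
    }
    $mask = -1 << (32 - $bits);             // low (32 - bits) bits cleared
    return ($ipLong & $mask) === ($netLong & $mask);
}

function client_allowed(string $remoteAddr, array $allowList): bool
{
    foreach ($allowList as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed allow-list: the bureau's office network plus one admin host.
$adminNetworks = ['192.0.2.0/24', '198.51.100.7'];

// Use REMOTE_ADDR (the address the TCP connection came from), never a
// client-supplied header such as X-Forwarded-For, which anyone can set.
$remote = $_SERVER['REMOTE_ADDR'] ?? '';

session_start();

// Both conditions must hold: the source-network filter and a session in
// which the login handler has recorded an authenticated admin user.
if (!client_allowed($remote, $adminNetworks) || empty($_SESSION['admin_user'])) {
    http_response_code(403);
    exit('Access denied');
}

echo 'Welcome, ' . htmlspecialchars($_SESSION['admin_user']);
```

If the administration site sits behind a reverse proxy, REMOTE_ADDR will be the proxy's address and the allow-list must be enforced at the proxy instead.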