> What about binding the session on an IP address? As I wrote the last
> time I don't like cookies (security problem if somebody does not logout
> explicitly). For link rewriting you have the problem above. So why not
> testing server side if the login for a specific session was done using
> the same IP as the current request. The friend who got the copied link
> has not a valid IP/sessionid combination - and has to login itself.

I think this is a bad idea because some corporate infrastructures may route requests from the same machine through different NAT firewalls. We discovered this problem when our load balancers had their session affinity set to the same IP. We had to change the session affinity to encompass all requests from the same class C network.
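
An added example, not part of the original thread: a server-side session check bound to the login address, comparing the exact-IP match proposed in the quoted message with the class C (/24) relaxation the reply describes for load-balancer affinity. The function names, the in-memory store and the documentation-range addresses are constructed for illustration, and the check is IPv4-only by assumption.

```python
import ipaddress
import secrets

# session id -> IPv4 address that authenticated (in-memory store, example only)
_sessions = {}

def login(client_ip: str) -> str:
    """Create a session and record the address the login came from."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = ipaddress.IPv4Address(client_ip)
    return sid

def session_valid(sid: str, client_ip: str, prefix_len: int = 32) -> bool:
    """Accept a request only if it comes from the login address's network.

    prefix_len=32: exact-IP binding, as proposed in the quoted message.
    prefix_len=24: same class C network, the relaxation from the reply.
    """
    bound = _sessions.get(sid)
    if bound is None:
        return False  # unknown or expired session id
    try:
        current = ipaddress.IPv4Address(client_ip)
    except ValueError:
        return False  # malformed or non-IPv4 address: fail closed
    # strict=False masks off the host bits of the login address
    network = ipaddress.ip_network(f"{bound}/{prefix_len}", strict=False)
    return current in network

def demo() -> dict:
    sid = login("198.51.100.10")  # constructed address: user logs in via NAT egress A
    return {
        # same user, same egress: accepted under exact binding
        "same_ip_exact": session_valid(sid, "198.51.100.10"),
        # same user, next request leaves through NAT egress B: exact binding logs them out
        "second_nat_exact": session_valid(sid, "198.51.100.77"),
        # /24 binding tolerates the egress change
        "second_nat_slash24": session_valid(sid, "198.51.100.77", 24),
        # copied link opened from an unrelated network: rejected
        "copied_link_other_net": session_valid(sid, "203.0.113.5", 24),
        # copied link opened inside the same /24 (or behind the same NAT): still accepted
        "copied_link_same_net": session_valid(sid, "198.51.100.200", 24),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The last case shows the limit of either prefix length: address binding cannot tell apart two clients that share a network or NAT address, so it narrows where a copied session id works without replacing session expiry.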
