[mod_python] Question about Session security

Jim Gallacher jg.lists at sympatico.ca
Wed Jun 15 18:49:06 EDT 2005


Adrian Holovaty wrote:
> Nick wrote:
> 
>>Jim Gallacher wrote:
>>
>>>>You can use req.connection to find the user's incoming IP address and
>>>>save that in the session yourself for later checking.
>>>>
>>>>Ie., not a prepackaged check, but the bits are there for you to do it
>>>>yourself in the manner you need.
>>>
>>>Since I'm (still) messing with the session code, maybe it is worth
>>>building this into the base code now? If it is a security issue let's
>>>address it and save users the worry and bother of implementing their own.
> 
> 
> I'm not sure it's foolproof to assume a user's IP address will be the same 
> throughout a session. I seem to recall that AOL users have different IP 
> addresses throughout sessions, because the AOL proxies use some sort of 
> round-robin system.

Evidence is rapidly mounting that this is a bad idea, or at least 
difficult to implement in a dependable way.

Jim
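
The check discussed in this thread, as an added example that is not code from any of the posters or from mod_python: it stores the client address in the session and replays one user's requests to show where an exact match, and a looser same-network match, refuse a legitimate user behind rotating proxies. The function names, the plain dict standing in for the session object, and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Assumption: in a mod_python handler the address would be read from
# req.connection (remote_ip) and stored in the Session object; a plain
# dict stands in for the session here so the example runs on its own.

def bind_session(session, remote_ip):
    """Record the address seen when the session is created."""
    session["bound_ip"] = remote_ip

def address_matches(session, remote_ip, prefix_len=None):
    """True if remote_ip is acceptable for this session.

    prefix_len=None demands an exact match; an integer accepts any
    address in the same network of that prefix length.
    """
    bound = session.get("bound_ip")
    if bound is None:
        return False  # nothing recorded: fail closed
    stored = ipaddress.ip_address(bound)
    current = ipaddress.ip_address(remote_ip)
    if stored.version != current.version:
        return False
    if prefix_len is None:
        return stored == current
    network = ipaddress.ip_network(f"{bound}/{prefix_len}", strict=False)
    return current in network

def rejected_requests(request_ips, prefix_len=None):
    """Replay one user's requests; return the addresses that get refused."""
    session = {}
    bind_session(session, request_ips[0])
    return [ip for ip in request_ips[1:]
            if not address_matches(session, ip, prefix_len)]

# Constructed sample: one browser session whose requests leave through a
# rotating proxy pool (RFC 5737 documentation addresses).
PROXIED_USER = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "192.0.2.10"]

if __name__ == "__main__":
    print("exact match refuses:", rejected_requests(PROXIED_USER))
    print("/24 match refuses:  ", rejected_requests(PROXIED_USER, 24))
```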

