in reply to Re: Re: Changing website prices based on client? (keywd: Web Software Engr)
in thread Changing website prices based on client? (keywd: Web Software Engr)
Good points. I guess I should have mentioned more about security of each method.
REMOTE_ADDR and REMOTE_HOST are pretty safe since they come from the sockaddr struct that relates to the connection, so you are somewhat succeptible to a man-in-the-middle attack if the sender can spoof the IP address and catch the return packets (assuming that there is no TCP sequence number bug that allows him to predict the excact set of packets to send from elsewhere). Of course you are succeptible to a DNS attack if the attacker can spoof the reverse IP address lookup, and DNS is notoriously unsafe.
Storing the ID on each page is relatively safe iff (sic) the discount ID refers to a token ID stored in the DB that is generated randomly (assuming your random number generator is sufficiently random) from a large search space. Really cookies and hidden form variables are equivalent since they are both submitted on each request and the user can munge them both. Since this is discounts you have to decide if you want the user to log in to the site.
Personally I despise logging in until I am actually ready to order. It might be more productive for a site to give a 5% discount to a handful more people if they get more sales in general. Remember that stores often see 30 - 60% markups so they are making a profit even if they offer substantial discounts.