Thanks! I only knew about the HTTP_X_FORWARDED_FOR, and never really bothered to find out more, but this can certainly provide me with more accuracy for my program, which uses IPs as a backup method to distinguish between various users (cookies being the primary method).
Re: Re: Faking an ip?
Replies are listed 'Best First'.
ISPs and other internet providers as well can dynamically assign IP addresses using DHCP. The client machine knows its own IP address because the network tells the client.
I have never heard of a network routinely changing its clients' IP addresses in midsession, however, and I doubt that it occurs very often.
Cookies have the disadvantage that users can reject them and browsers can not support them. On the other hand, IP addresses are stable enough to support the session and everyone has one. It's guaranteed.
Not to get into a flame war (besides, that's a cute photo of you and your dog), but IMHO you're completely wrong. Using IPs for session information is only "guaranteed" to fuck you.
First point: proxy servers. Many people can share what appears to your script to be the same IP. What if I administer 1,000 machines, all loaded with the same configuration, routed out one proxy server? And what if two of them visit your site? Your session information is toast, and you won't even know it.
And using IPs as supplemental information with other environmental variables won't help either: if you have an unknown quantity and add it to a known, your result is still unknown, and you have no reason to believe otherwise.
Granted, no scheme is totally uncrackable. But I think IPs are less secure than most.
-- man with no legs, inc.