Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid

Re^4: Identifying clients

by ruzam (Curate)
on Dec 06, 2006 at 21:28 UTC ( [id://588194]=note: print w/replies, xml ) Need Help??

in reply to Re^3: Identifying clients
in thread Identifying clients

My first reaction to this is that only helps by making the session ID 4 bytes larger (and granted more combinations to try).

But maybe I can use that in some way. If the IP contained in the session ID doesn't match the client IP, then I can immediately drop through the IP block without bothering to check for a valid session id. Maybe save a session id lookup step before dropping the client. That's good!

It doesn't do anything to prevent malicious users from inside the routed network but it looks like this is a risk I may have to live with. Maybe half a solution is better than no solution.

Replies are listed 'Best First'.
Re^5: Identifying clients
by Thelonius (Priest) on Dec 06, 2006 at 21:41 UTC
    At some places--for example where I work--there are multiple redundant HTTP proxy servers. So the IP address may be different on each request.

    This also happens (or at least used to) with AOL users.

    Plus, most people use dynamic IP addresses, which change from time to time. Even though it may be just once a month or so, the user may be confused if they suddenly have to log in again. If they're completely blocked ... well, don't do that.

      So is my only option to literally forget the whole ip blocking strategy?

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://588194]
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others rifling through the Monastery: (3)
As of 2024-07-14 20:14 GMT
Find Nodes?
    Voting Booth?

    No recent polls found

    erzuuli‥ 🛈The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.