in reply to Re: Web based password management (or how *not* to blame tye)
in thread Web based password management (or how *not* to blame tye)
I worked on a web application that started by comparing whole IP addresses on each access, and we started to have quite a few reports of people behind proxy pools having a problem.
Backing up a bit and only checking to see if the IP is in the same /16 or /24 (checking the first two or three numbers, that is) helps, although it doesn't eliminate the problem entirely (and it really weakens the effectiveness of the test).
Checking IPs can be useful in some situations, but for large-scale applications where the "general public" will be connecting to your interface, I wouldn't recommend it.
- Matt Riffle
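An added example, not part of the original post: a Python sketch of the per-request check described above, comparing the requesting address with the one recorded at login either exactly (/32) or by /24 or /16 prefix. The function names and every address are constructed for illustration.

```python
import ipaddress

def same_network(session_ip: str, request_ip: str, prefix_len: int = 32) -> bool:
    """True if request_ip lies in the /prefix_len network that contains session_ip."""
    try:
        bound = ipaddress.ip_network(f"{session_ip}/{prefix_len}", strict=False)
        return ipaddress.ip_address(request_ip) in bound
    except ValueError:
        return False  # malformed address or prefix: fail closed

def rejected(session_ip, request_ips, prefix_len):
    """Request addresses that the check would refuse for this session."""
    return [ip for ip in request_ips
            if not same_network(session_ip, ip, prefix_len)]

# Constructed sample data (private-range addresses, not from the post).
SESSION_IP = "10.20.30.17"      # address recorded when the session was created
POOL = [                        # one legitimate user leaving via a proxy pool
    "10.20.30.17",
    "10.20.30.42",              # same /24
    "10.20.31.9",               # same /16, different /24
    "10.99.1.5",                # pool member outside the /16
]
UNRELATED = "10.20.200.77"      # a different client that shares the /16

if __name__ == "__main__":
    for plen in (32, 24, 16):
        print(f"/{plen}: legitimate requests refused:",
              rejected(SESSION_IP, POOL, plen))
    # The looser the prefix, the more unrelated hosts satisfy the check.
    for plen in (24, 16):
        print(f"/{plen}: unrelated client accepted:",
              same_network(SESSION_IP, UNRELATED, plen))
```

With these sample addresses the /16 comparison still refuses one pool member while accepting the unrelated client, which is the trade-off the post describes.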