in reply to (jptxs) Re: Securing Passwords
in thread Securing Passwords

Valid points, but for my task:

DHCP - IP stays the same for that session doesn't it? That's all I need.

Mobile users - the application I use it for is not designed to use mobile phones.

AFAIK, AOL is our only problem (users' requests get sent through multiple proxy servers?!?! I'm not even sure that issue exists - I read it somewhere, but our clients don't use AOL, so again, not an issue). It's only used to check that this session is being run from the same IP that logged in.

"IP is not a reliable method of identification in any scheme"

I agree. What I mean is that the IP is not being used to identify the user, the password does that. I only use the IP to ensure that all future requests are made using a cookie that is useless if stolen and used by another user.

But then, like I said, this is what I use. Different circumstances require different approaches. This was the best I could think of for my particular task :)

later

cLive ;-)

Re (tilly) 3: Securing Passwords
by tilly (Archbishop) on Apr 02, 2001 at 13:16 UTC
    I don't know about AOL, but I have seen companies that have constantly changing IPs. The situation where you see that is when you have a cluster of load-balanced machines working as the proxy. In that case each request from the browser is directed to a different proxy and the outside world will see the session pretty much evenly divided among several IPs.

    Which is why IP is not a good authentication mechanism...

Re: Re: (jptxs) Re: Securing Passwords
by dws (Chancellor) on Apr 02, 2001 at 10:11 UTC
    DHCP - IP stays the same for that session doesn't it?

    Maybe, maybe not. My DSL times out an IP address after about 5 minutes, forcing a renegotiation. It's often the case that I'll start something in a browser window, then get distracted for a few minutes (phone call, daughter wants to play, etc.) then suffer the slight delay as my broadband router haggles for a new IP address.

      Thanks for the insight (I'm on a fixed IP).

      Clients in the UK are on dial-up at the mo (broadband is v expensive now - c. $150pm for DSL)

      Something to take into account though, as this may become an issue later... :)

      cLive ;-)
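The scheme cLive describes (a session cookie that is only useful from the IP that logged in) and the two failure modes raised in the replies (tilly's load-balanced proxy cluster, dws's DHCP lease renewal) are worked through below as an added Python example. It is not code from the thread or from any of its authors; the server key, the cookie format, the user names and the IP addresses are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret; constructed for this example. A real deployment would
# load it from protected configuration and rotate it.
SERVER_KEY = b"example-only-server-secret-rotate-me"


def issue_session_cookie(user: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Issue the cookie after the password check has succeeded.

    Cookie format (hypothetical, for this example): 'user:nonce:tag'. The tag is
    an HMAC over user, nonce and the IP the login came from, so the login IP is
    never stored in the cookie but is still required to make it verify.
    Assumes user names contain no ':'.
    """
    nonce = secrets.token_hex(8)  # fresh per login, so old cookies do not verify after re-login
    msg = f"{user}:{nonce}:{client_ip}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{tag}"


def validate_session_cookie(cookie: str, client_ip: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user name if the cookie verifies for the IP of *this* request.

    Identification already happened at login (the password); this only checks
    that the request carrying the cookie comes from the same address. A cookie
    copied to another machine fails because the tag was computed over a
    different IP, which is the property cLive is after.
    """
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user, nonce, tag = parts
    expected = hmac.new(key, f"{user}:{nonce}:{client_ip}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return user if hmac.compare_digest(tag, expected) else None


def simulate() -> dict:
    """Walk through the cases discussed in the thread. All addresses are constructed."""
    login_ip = "203.0.113.10"
    cookie = issue_session_cookie("alice", login_ip)

    # tilly's case: the client sits behind a load-balanced proxy cluster, so
    # successive requests leave via different nodes with different public IPs.
    rotating_proxy_ips = ["203.0.113.10", "203.0.113.20", "203.0.113.30"]

    return {
        # Normal case: one address for the whole session.
        "same_ip": validate_session_cookie(cookie, login_ip),
        # cLive's goal: the cookie, stolen and replayed from elsewhere, is useless.
        "stolen_cookie": validate_session_cookie(cookie, "198.51.100.7"),
        # dws's DSL: the lease expires mid-session and the user returns from a new address.
        "dhcp_renewal": validate_session_cookie(cookie, "203.0.113.11"),
        # tilly's proxy cluster: only requests that happen to exit via the login node pass.
        "load_balanced_proxy": [validate_session_cookie(cookie, ip) for ip in rotating_proxy_ips],
    }


if __name__ == "__main__":
    for case, result in simulate().items():
        print(f"{case:>20}: {result}")
```

The first two results are the intended behaviour; the last two are the caveat the replies raise. The server sees exactly the same thing for an attacker replaying a stolen cookie and for a legitimate user whose address changed mid-session, and nothing in the cookie lets it tell them apart, so on a rotating-proxy or short-lease connection the check simply logs the real user out.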