in reply to Re: Re: Faking an ip?
in thread Faking an ip?

IPs are not a reliable way to distinguish users or sessions. AOL users, for instance, can use a different IP for each page request. Cookies aren't perfect, but they're better than IPs.

Credit where it's due: Merlyn made a similar post a couple days ago.

--
man with no legs, inc.

Re: Re: Re: Re: Faking an ip?
by sierrathedog04 (Hermit) on Jul 09, 2001 at 15:03 UTC
    ISPs and other internet providers as well can dynamically assign IP addresses using DHCP. The client machine knows its own IP address because the network tells the client.

    I have never heard of a network routinely changing its clients' IP addresses in midsession, however, and I doubt that it occurs very often.

    Cookies have the disadvantage that users can reject them and browsers can not support them. On the other hand, IP addresses are stable enough to support the session and everyone has one. It's guaranteed.

      Not to get into a flame war (besides, that's a cute photo of you and your dog), but IMHO you're completely wrong. Using IPs for session information is only "guaranteed" to fuck you.

      First point: proxy servers. Many people can share what appears to your script to be the same IP. What if I administer 1,000 machines, all loaded with the same configuration, routed out one proxy server? And what if two of them visit your site? Your session information is toast, and you won't even know it.

      If a browser doesn't support cookies, or rejects them outright, you know right away. Writing cookie-detection scripts in Perl and/or JavaScript is not difficult. You can program your script to respond to that event by using a different scheme or rejecting the request. No such logic is possible with IPs.

      And using IPs as supplemental information with other environmental variables won't help either: if you have an unknown quantity and add it to a known, your result is still unknown, and you have no reason to believe otherwise.

      Granted, no scheme is totally uncrackable. But I think IPs are less secure than most.
      --
      man with no legs, inc.

        The initial matter that I was referring to was whether an IP address is likely to change in the middle of a session, and I get the impression that it will not change. An AOL user would probably have to log off AOL and then log back on again to get a new IP address.

        However, IP may be deficient for certain types of session management schemes even if there are no proxy servers involved. For instance, what if I log onto a website twice concurrently from the same machine?

        It is surprising to me that cookies need to be used in session management for anything more than caching a password, but apparently a lot of people are using them.

        I am glad you like the dog picture on my website. It is actually a picture of me with my new French girl friend Fanette who I met in Brittany last year. Fanette is a purebred dachshund whereas my companion Sierra the Dog is half doxey.

Re: Re: Re: Re: Faking an ip?
by orkysoft (Friar) on Jul 09, 2001 at 13:45 UTC
    I know that. That's why the IP addresses aren't considered by the program. It uses cookies, but if necessary, I can examine the logs myself, which do contain IPs. It tries to look through proxies by reading the X_HTTP_FORWARDED_FOR header (and soon also those other headers :-), to record the 'real' IP (or as much as that's possible), just in case someone would be trying to 'cheat'.
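The cases raised in this thread (several users behind one proxy, an ISP that changes the address per page request, and a forwarded-for header that the client itself supplies), run through both keying schemes. This is an added example, not code from any poster above. The request data, user names and `sid` cookie name are constructed for illustration, and the hash keys follow the CGI environment variable names `REMOTE_ADDR`, `HTTP_COOKIE` and `HTTP_X_FORWARDED_FOR`.

```perl
use strict;
use warnings;

# Constructed requests shaped like CGI environment variables. Addresses are from
# documentation-only ranges; sid values are shortened (real ones: long and random).
my @requests = (
    # alice and bob sit behind the same proxy
    { user => 'alice', REMOTE_ADDR => '192.0.2.10',   HTTP_COOKIE => 'sid=a1f3c9' },
    { user => 'bob',   REMOTE_ADDR => '192.0.2.10',   HTTP_COOKIE => 'sid=7be204' },
    # carol's ISP sends each page request through a different proxy
    { user => 'carol', REMOTE_ADDR => '198.51.100.7', HTTP_COOKIE => 'sid=c44d18' },
    { user => 'carol', REMOTE_ADDR => '198.51.100.9', HTTP_COOKIE => 'sid=c44d18' },
    # dave's request carries a forwarded-for value that the client supplied itself
    { user => 'dave',  REMOTE_ADDR => '203.0.113.5',  HTTP_COOKIE => 'sid=d90e6b',
      HTTP_X_FORWARDED_FOR => '192.0.2.10' },
);

# Session key derived from addresses alone, trusting the forwarded-for header.
sub key_by_ip {
    my ($req) = @_;
    return $req->{HTTP_X_FORWARDED_FOR} || $req->{REMOTE_ADDR};
}

# Session key from the server-issued cookie; undef when no cookie came back,
# which the application can detect and respond to.
sub key_by_cookie {
    my ($req) = @_;
    my ($sid) = ($req->{HTTP_COOKIE} // '') =~ /(?:^|;\s*)sid=([0-9a-f]+)/;
    return $sid;
}

# Collect the set of users seen under each session key.
sub users_per_key {
    my ($keyfn) = @_;
    my %seen;
    for my $req (@requests) {
        my $key = $keyfn->($req) // '(none)';
        $seen{$key}{ $req->{user} } = 1;
    }
    return \%seen;
}

for my $scheme ([ 'ip', \&key_by_ip ], [ 'cookie', \&key_by_cookie ]) {
    my ($name, $fn) = @$scheme;
    my $seen = users_per_key($fn);
    print "keyed by $name:\n";
    printf "  %-14s %s\n", $_, join(', ', sort keys %{ $seen->{$_} }) for sort keys %$seen;
}
```

Keyed by address, three different users land under one key and one user is split across two; keyed by cookie, each key maps to exactly one user.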