Re: [PEN-TEST] Your opinions are solicited ...

From: L.W. <eldub_at_POBOX.COM>
Date: Tue, 31 Oct 2000 09:51:59 -0800

-> > -----Original Message-----
-> > From: Paul Robinson [mailto:paul_at_AKITANET.CO.UK]
-> > Sent: Tuesday, October 31, 2000 9:59 AM
-> >
-> > [...]
-> > In
-> > addition I'd probably do some session-authentication with
-> > changing cookies
-> > per transaction, combined with IP authentication.
-> > [...]
->
-> IP authentication? In today's world of access through NATed firewall
-> or proxy servers, or providers like AOL, all in an Internet
-> environment increasingly becoming akamaied... uhm... cached, I
-> strongly doubt that IP authentication is viable. Take AOL users for
-> example: One request appears to be coming from proxy1.aol.com, the
-> next request from proxy3.aol.com. That would mean that your 'IP
-> authenticated' web page will invalidate the second request.

Actually, many systems allow SSL sessions to bypass the proxy (many online
services, especially banks, require a direct connection for SSL). This
makes IP-based authentication possible under that context, although not
guaranteed.

-LW
eldub_at_pobox.com
Received on Nov 01 2000
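The two session-binding policies argued over in this thread can be compared side by side in a few lines. The following is an added example written for this archive page, not code posted by any participant: it implements a toy session store that either binds a session to the IP observed at login or issues a fresh per-transaction token on every request (the "changing cookies per transaction" idea), and replays a constructed request trace through both. The proxy addresses, user name and helper names are all invented for the illustration.

```python
"""IP-bound sessions versus rotating per-transaction tokens.

Added example for this thread, not code from any poster. The proxy pool
addresses below are constructed to mimic a client whose requests leave a
provider's forward proxies from a different address each time.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    client_ip: str   # address observed when the session was created
    token: str       # current per-transaction token (rotated on each use)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> Tuple[str, str]:
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(user, client_ip, token)
        return sid, token

    def check_ip_bound(self, sid: str, client_ip: str) -> bool:
        """Policy 1: accept only if the request arrives from the login IP."""
        s = self._sessions.get(sid)
        return s is not None and hmac.compare_digest(s.client_ip, client_ip)

    def check_rotating_token(self, sid: str, presented: str) -> Optional[str]:
        """Policy 2: accept if the presented token is the current one, then
        rotate it. Returns the next token, or None when the request is
        rejected (unknown session, stale or replayed token)."""
        s = self._sessions.get(sid)
        if s is None or not hmac.compare_digest(s.token, presented):
            return None
        s.token = secrets.token_urlsafe(16)
        return s.token


# Constructed trace: four requests from one user, each exiting the proxy
# pool from a different address (hypothetical RFC 1918 stand-ins).
PROXY_TRACE: List[str] = ["10.0.0.1", "10.0.0.3", "10.0.0.1", "10.0.0.2"]


def run_ip_bound(trace: List[str]) -> List[bool]:
    """Outcome of each request under the IP-bound policy."""
    store = SessionStore()
    sid, _ = store.create("alice", trace[0])
    return [store.check_ip_bound(sid, ip) for ip in trace]


def run_rotating_token(trace: List[str]) -> List[bool]:
    """Outcome of each request when the client presents the latest token;
    the source address is irrelevant to this policy."""
    store = SessionStore()
    sid, token = store.create("alice", trace[0])
    results = []
    for _ in trace:
        nxt = store.check_rotating_token(sid, token)
        results.append(nxt is not None)
        if nxt is not None:
            token = nxt
    return results


def stale_token_rejected() -> bool:
    """A token that has already been consumed must not be accepted again."""
    store = SessionStore()
    sid, token = store.create("alice", "10.0.0.1")
    store.check_rotating_token(sid, token)          # legitimate use rotates it
    return store.check_rotating_token(sid, token) is None


if __name__ == "__main__":
    print("IP-bound:       ", run_ip_bound(PROXY_TRACE))
    print("rotating token: ", run_rotating_token(PROXY_TRACE))
    print("stale rejected: ", stale_token_rejected())
```

Under the IP-bound policy every request that leaves the pool from an address other than the login address is rejected, which is exactly the proxy1/proxy3 problem raised in the quoted message; the rotating-token policy accepts the whole trace regardless of address and still refuses a token that has already been used once. Whether the IP check becomes workable again when SSL traffic bypasses the proxy, as the reply suggests, depends on the client's network and is not something the server can assume.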
