Re: How to build a web application the right way
- From: larry@xxxxxxxxxxxxxxxxx
- Date: 29 Dec 2006 21:26:59 -0800
Jerry Stuckle wrote:
VERY BAD IDEA!
First of all, there are providers like AOL who have multiple servers.
Every time a user accesses the page they may come in on a different IP
address.
And many companies have one server for the entire company (or at least a
site). Anyone coming into your site would be coming from the same IP
address. Since the two most likely places to intercept the packets are
on either end of the link and you know your server's end is secure (or
at least hope it is), this provides no protection whatsoever. Worse, it
bugs some users while providing a false sense of security for others.
Interesting, I didn't realize that the IP address could change for some
users in the middle of a session; thanks (I had got the tip from
another page a while back; guess it wasn't that great of a resource.)
I guess there isn't a good verification method of "you are still you"
without user intervention then?
Another thing would be to put a time limit on the current session
access (a session var with expiration time) so if some bad guy got in
from a user abandoning a terminal with a live connection it would time
out regardless. (Or/also maybe have a re-verification for
sensitive/delete/admin parts just to make sure.) Just depends on how
paranoid you want to be.
This is a good idea. But then if someone stupidly leaves a computer
signed on in a public place, there is a limit to how much you can do
without hassling all of the other users of your site.
It depends on the data or value of lost/damaged data I guess. The best
solution would be to educate the end user, but sometimes it's not as
easy.
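The session time limit and re-verification idea discussed in this message, as an added example that is not part of the original post. The `session` dict stands in for a server-side session store, the three timeout values and all function names are assumptions chosen for illustration, and the client IP is deliberately not checked, for the reasons given in the quoted reply.

```python
import time

IDLE_TIMEOUT = 15 * 60       # assumed: seconds without a request before logout
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: hard cap on session age, active or not
REAUTH_WINDOW = 5 * 60       # assumed: max age of last password entry for sensitive pages


def start_session(session, user, now=None):
    """Call after a successful login; drops any stale state first."""
    now = time.time() if now is None else now
    session.clear()
    session.update(user=user, created=now, last_seen=now, last_auth=now)


def check_session(session, sensitive=False, now=None):
    """Run on every request. Returns 'ok', 'login' or 'reauth'."""
    now = time.time() if now is None else now
    if "user" not in session:
        return "login"
    idle = now - session["last_seen"]
    age = now - session["created"]
    if idle > IDLE_TIMEOUT or age > ABSOLUTE_TIMEOUT:
        # Expired: destroy server-side state so the old cookie is worthless.
        session.clear()
        return "login"
    session["last_seen"] = now
    # Delete/admin pages need a recent password entry, not just a live session.
    if sensitive and now - session["last_auth"] > REAUTH_WINDOW:
        return "reauth"
    return "ok"


def confirm_password(session, password_ok, now=None):
    """Record a re-verification; password_ok is the caller's check result."""
    now = time.time() if now is None else now
    if password_ok and "user" in session:
        session["last_auth"] = now
        return True
    return False
```

The expiry timestamps live in server-side session data, so a client cannot extend its own session by editing a cookie.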