nevin at bountifulbaby.com
Mon May 4 00:19:24 UTC 2009
Ross Boylan wrote:
> On Sun, 2009-05-03 at 12:42 -0600, Nevin Pratt wrote:
>> For your app, I'd consider making your entire site use SSL, and I'd
>> consider requiring cookies. I'd also consider configuring Seaside for
>> using cookies for the session key, plus use a secondary cookie for
>> additional "branding" of your login/logout process.
> I think also I'd want to add the wrapper that only permits sessions to
> use the original IP address.
> Are there any hidden problems that may turn up with clients that are
> NAT'd or using a proxy? I suppose a multi-homed client (more likely a
> proxy) might randomly start using a different IP address.
> I wasn't familiar with branding, but with Google's help I understand.
> Thanks for mentioning it.
> Thanks to everyone who responded.
A few weeks ago when I was testing what you are suggesting (only permit
sessions to use the original IP address), I found (for example) the
following in my log file, all associated with the same session:
Look at the sequence, and you can see that somebody was changing their
IP with every request.
Now do a reverse IP lookup on any of those IP's, and what do you find?
126.96.36.199 resolves to
Top Level Domain: "aol.com"
So, I can confirm that AOL users will typically change their IP with
And, AOL isn't the only ISP I found that does this.
Yes, you certainly can use the wrapper that only permits sessions to use
the original IP address. But that will also *definitely* limit your
audience, of who can successfully use your website.
I definitely would *not* do that with an eCommerce site. I don't think
I'd do it with a banking site, either. But I *might* do it for a
specialized web app where I had complete control over the clients, though.
I personally think that the wrapper that ties the sessions to only their
original IP is a rather worthless wrapper for the vast majority of
Seaside apps. But there is a very small subset of apps that it is a
good idea for, and that I think it would work well for. I'm just not sure if
your app is one of those.
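As an added example (not code from this thread or from Seaside itself), the following Python simulation replays a constructed request log, in which the same session cookie arrives from a client IP that changes on every request, through a cookie-keyed session store both with and without the IP-pinning wrapper discussed above; the session key and IP addresses are made up.

```python
"""Simulate pinning a cookie-identified web session to its originating IP.

Added illustration for the mailing-list discussion above; not Seaside code.
The request log is constructed: one session cookie whose client IP rotates
on each request, as the post describes for some ISP proxy pools.
"""
from dataclasses import dataclass

# Constructed request log: (session cookie value, client IP seen by the server).
REQUEST_LOG = [
    ("s1", "203.0.113.10"),
    ("s1", "203.0.113.11"),
    ("s1", "198.51.100.7"),
    ("s1", "203.0.113.12"),
]


@dataclass
class Session:
    key: str
    origin_ip: str  # IP that created the session
    hits: int = 0


class SessionStore:
    """Cookie-keyed session store; optionally pins each session to its first IP."""

    def __init__(self, pin_to_ip: bool):
        self.pin_to_ip = pin_to_ip
        self.sessions = {}

    def handle(self, key: str, ip: str) -> str:
        """Process one request; return 'new', 'ok' or 'rejected'."""
        sess = self.sessions.get(key)
        if sess is None:
            self.sessions[key] = Session(key, ip, hits=1)
            return "new"
        if self.pin_to_ip and sess.origin_ip != ip:
            # The wrapper from the thread: a request from a different IP is
            # not accepted for this session. Here the session is dropped, so
            # the client is forced to start over (log in again).
            del self.sessions[key]
            return "rejected"
        sess.hits += 1
        return "ok"


def replay(log, pin_to_ip: bool):
    """Replay a request log and return the per-request outcome list."""
    store = SessionStore(pin_to_ip)
    return [store.handle(key, ip) for key, ip in log]
```

With pinning on, a client whose IP changes per request loses the session on every second request, which is the audience-limiting effect the post warns about; with pinning off, the cookie alone keeps the session alive.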