|Subject:||Re: ASP authentification by ip-number|
|Posted by:||Roger Abell [MVP] (mvpNoSp…@asu.edu)|
|Date:||Sat, 26 Apr 2008|
"Ralph Wiggum" <email@example.com> wrote in message
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.
It's probably safer than a usr/pwd cred exchange in the clear.
> A common use-case would be a web-forum, where only VIP-users should have
> access to specific topics. Authentification by ip is certainly the most
> user-friendly, as user don't have register/remember passwords, no?
No. Yes, you are right, but after taking inital IP verified registration
and user being struck to registered IPs into account it seems that the
use-case gets pretty weak.
> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?
No in general, and certainly not for someone one a different subnet.
ASP authentification by ip-number posted by Ralph Wiggum on Thu, 24 Apr 2008