Re: ASP authentification by ip-number

Giganews Newsgroups
Subject: Re: ASP authentification by ip-number
Posted by:  Roger Abell [MVP] (mvpNoSp…
Date: Sat, 26 Apr 2008

"Ralph Wiggum" <> wrote in message
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.

It's probably safer than a usr/pwd cred exchange in the clear.

> A common use-case would be a web-forum, where only VIP-users should have
> access to specific topics. Authentification by ip is certainly the most
> user-friendly, as user don't have register/remember passwords, no?

No. Yes, you are right, but after taking inital IP verified registration
and user being struck to registered IPs into account it seems that the
use-case gets pretty weak.

> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?

No in general, and certainly not for someone one a different subnet.



In response to

ASP authentification by ip-number posted by Ralph Wiggum on Thu, 24 Apr 2008