Re: ASP authentification by ip-number

Giganews Newsgroups
Subject: Re: ASP authentification by ip-number
Posted by:  Steve Riley [MSFT] (steve.ril…@microsoft.com)
Date: Sun, 27 Apr 2008

Wrong approach. IP addresses identify machines, not humans. They are easily
spoofable, since they are always clear-text and are always unauthenticated.
Plus, with your approach, authorized users will be tied to specific
machines--they won't be able to access their information from other
computers.

User ID/password pairs are specifically designed for the scenario you've
described. Please use them.

--
Steve Riley
steve.ril…@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Ralph Wiggum" <go.ahead@spam.me> wrote in message
news:TtSdnRagFNDlTI3VRVnzv…@telenor.com...
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.
> A common use-case would be a web-forum, where only VIP-users should have
> access to specific topics. Authentication by ip is certainly the most
> user-friendly, as users don't have to register/remember passwords, no?
>
> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?

In response to

ASP authentification by ip-number posted by Ralph Wiggum on Thu, 24 Apr 2008
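
The point made in the reply above, as an added example that is not part of either post: an IP allow-list compared with a user ID/password check for the VIP-forum case. It is written in Python rather than ASP; the addresses, account names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: documentation-range addresses, made-up accounts.
VIP_IPS = {"203.0.113.10"}   # the address of alice's usual machine (or her NAT gateway)
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, derived_key); only these are stored, never the password."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


VIP_USERS = {"alice": hash_password("correct horse battery staple")}


def allow_by_ip(remote_addr):
    """Answers 'which machine sent this?', not 'which person is asking?'."""
    return remote_addr in VIP_IPS


def allow_by_credentials(username, password):
    """Identifies the user, whatever address the request comes from."""
    record = VIP_USERS.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same work for unknown names
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def decide(remote_addr, username, password):
    return {"ip": allow_by_ip(remote_addr),
            "credentials": allow_by_credentials(username, password)}


if __name__ == "__main__":
    cases = [  # constructed requests
        ("alice at her usual machine", "203.0.113.10", "alice", "correct horse battery staple"),
        ("someone else on that machine", "203.0.113.10", "mallory", "guess"),
        ("alice at another computer", "198.51.100.7", "alice", "correct horse battery staple"),
    ]
    for label, addr, user, pw in cases:
        print(f"{label:30} {decide(addr, user, pw)}")
```

The second and third cases are the ones the reply describes: the IP check admits anyone sending from the listed address and turns away the authorized user on a different computer, while the credential check gets both right.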