|Subject:||Re: ASP authentification by ip-number|
|Posted by:||Steve Riley [MSFT] (steve.ril…@microsoft.com)|
|Date:||Sun, 27 Apr 2008|
Wrong approach. IP addresses identify machines, not humans. They are easily
spoofable, since they are always clear-text and are always unauthenticated.
Plus, with your approach, authorized users will be tied to specific
machines--they won't be able to access their information from other

User ID/password pairs are specifically designed for the scenario you've
described. Please use them.

"Ralph Wiggum" <email@example.com> wrote in message
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.
> A common use-case would be a web-forum, where only VIP-users should have
> access to specific topics. Authentication by ip is certainly the most
> user-friendly, as users don't have to register/remember passwords, no?
> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?
ASP authentification by ip-number posted by Ralph Wiggum on Thu, 24 Apr 2008
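
The two schemes discussed in this thread, side by side, as an added example that is not part of either post: an address-only gate and a user ID/password check are run over the same constructed requests to show which one follows the person rather than the machine. The account name, password, addresses (documentation ranges) and the PBKDF2 parameters are assumptions made for the illustration, and the login is assumed to be sent over HTTPS.

```python
import hashlib
import hmac
import os

# Constructed sample data: the forum's VIP list, keyed the two ways discussed.
VIP_IPS = {"203.0.113.10"}  # the machine alice registered from (constructed)

def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str):
    salt = os.urandom(16)
    return salt, _derive(password, salt)

VIP_ACCOUNTS = {"alice": make_account("correct horse battery staple")}

def allow_by_ip(remote_addr: str) -> bool:
    """Scheme from the question: the source address alone decides access."""
    return remote_addr in VIP_IPS

def allow_by_credentials(user: str, password: str) -> bool:
    """Scheme from the reply: the person proves who they are."""
    record = VIP_ACCOUNTS.get(user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _derive(password, salt))

def compare(remote_addr: str, user: str, password: str):
    """Return (decision by IP, decision by credentials) for one request."""
    return allow_by_ip(remote_addr), allow_by_credentials(user, password)

# Constructed requests: (description, source address, user, password)
REQUESTS = [
    ("alice, registered machine", "203.0.113.10", "alice", "correct horse battery staple"),
    ("alice, different machine", "198.51.100.7", "alice", "correct horse battery staple"),
    ("bob, sharing alice's address", "203.0.113.10", "bob", "guess"),
]

if __name__ == "__main__":
    for who, addr, user, pw in REQUESTS:
        by_ip, by_cred = compare(addr, user, pw)
        print(f"{who:32} ip-gate={by_ip!s:5} credentials={by_cred}")
```

The second and third rows are where the decisions diverge: the address gate turns away the authorized user on another machine and admits a non-VIP who shares the listed address.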