Re: ASP authentification by ip-number

Subject: Re: ASP authentification by ip-number
Posted by:  Steve Riley [MSFT] (…
Date: Sun, 27 Apr 2008

Wrong approach. IP addresses identify machines, not humans. They are easily
spoofable, since they are always clear-text and are always unauthenticated.
Plus, with your approach, authorized users will be tied to specific
machines--they won't be able to access their information from other

User ID/password pairs are specifically designed for the scenario you've
described. Please use them.

Steve Riley…

"Ralph Wiggum" <> wrote in message
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.
> A common use-case would be a web-forum, where only VIP-users should have
> access to specific topics. Authentication by ip is certainly the most
> user-friendly, as users don't have to register/remember passwords, no?
> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?


In response to

ASP authentification by ip-number posted by Ralph Wiggum on Thu, 24 Apr 2008
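
The difference between the two checks discussed in this thread, as an added example that is not part of either post: an IP allowlist gate for the VIP topics next to a user ID/password gate. The addresses, user names, password and function names are constructed for illustration, and the sketch assumes the login is submitted over HTTPS.

```python
import hashlib
import hmac
import os

# Constructed sample data: the addresses, names and password are made up.
VIP_IPS = {"203.0.113.10"}  # allowlist entry: the NAT address of Alice's office

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

VIP_USERS = {"alice": make_record("correct horse battery staple")}

def allow_by_ip(remote_addr: str) -> bool:
    """The check from the question: trust whichever machine uses this address."""
    return remote_addr in VIP_IPS

def allow_by_credentials(user: str, password: str) -> bool:
    """The check from the reply: identify the person, not the machine."""
    salt, stored = VIP_USERS.get(user, (b"\0" * 16, b""))
    candidate = _hash(password, salt)  # hash even for unknown users
    return hmac.compare_digest(candidate, stored)

# Constructed requests: (who is at the keyboard, source address, submitted login)
REQUESTS = [
    ("alice at the office", "203.0.113.10",
     ("alice", "correct horse battery staple")),
    ("coworker behind the same NAT", "203.0.113.10", ("bob", "guess")),
    ("alice at home", "198.51.100.7",
     ("alice", "correct horse battery staple")),
]

def compare():
    """Return (who, ip_check_result, credential_check_result) per request."""
    return [(who, allow_by_ip(ip), allow_by_credentials(*login))
            for who, ip, login in REQUESTS]

if __name__ == "__main__":
    for who, by_ip, by_cred in compare():
        print(f"{who:30} ip-check={by_ip!s:5} credential-check={by_cred}")
```

The IP check admits the coworker and rejects Alice at home; the credential check does the opposite in both cases.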