Steve Crawford wrote:
> You can make some modest security improvements by storing things such as
> the browser identification and IP address in the session data and
> verifying it on each request but IP verification fails if the user is
> behind a proxy like AOL's where each request may come from a different IP.
It'll also break with IPv6 Privacy Extensions (RFC3041), especially with
fairly short connection keepalive intervals.
With Windows Vista supporting IPv6 and enabling it by default that's a
significant concern. Its resolver doesn't appear to prefer IPv6 despite
early documentation indicating that it would (eg: http://kame.org will
prefer IPv4 to IPv6 on Vista) so it's not an urgent issue, but it bears
thinking about.
It's great that PostgreSQL supports IPv6 so well, by the way. It
provides me with transparent access to databases on my testing
workstation from many of the networks I use day to day.
--
Craig Ringer
