- From: Thomas Hurst <tom.hurst@clara.net>
- Date: Tue, 27 Nov 2001 19:40:10 +0000
- To: www-html@w3.org
* Jens Müller (jens@unfaehig.de) wrote:
> Thomas Hurst <tom.hurst@clara.net> writes:
>
> > Hence, how Amazon always asks for a password before you do anything. IP
> > tracking and restrictive login timeouts should take care of forms.
>
> IP tracking over proxies with multiple output IPs?

Check for an X-Forwarded-For:, if not, check for a Via: and if it's there
disable the IP check, or just check for the same class C network.

> Restrictive login timeouts? How short should they be then? 10 seconds?

However long you feel is acceptable for someone to fill out a form or two.

Personally I'd make sure each URI is one time only - allocate a unique id
for each page and remove it once it's been accessed - that way anything
that appears in a referer header can't be used again.

--
Thomas 'Freaky' Hurst - freaky@aagh.net - http://www.aagh.net/
Received on Tuesday, 27 November 2001 14:40:14 UTC
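The one-time page id and the proxy-aware IP check described in the message above, as an added Python example (this is not code from the thread; the class name, the urlsafe token format, the in-memory dict and the sample addresses are my own assumptions):

```python
import secrets
from ipaddress import ip_network


class OneTimeLinks:
    """Issue a fresh id per page and drop it on first access, so an id that
    leaks through a Referer header cannot be replayed (assumed example).
    IP rule from the message: trust X-Forwarded-For when present, waive the
    check behind a Via: proxy, otherwise require the same /24 (class C)."""

    def __init__(self):
        self._live = {}  # token -> (session_id, ip to compare, or None)

    @staticmethod
    def effective_ip(remote_ip, headers):
        """Address to compare for this request, or None if the check is waived."""
        xff = headers.get("X-Forwarded-For")
        if xff:
            return xff.split(",")[0].strip()  # leftmost entry: original client
        if headers.get("Via"):
            return None  # proxy with possibly many egress IPs: skip the check
        return remote_ip

    @staticmethod
    def same_class_c(a, b):
        # IPv4-only comparison, matching the "same class C" suggestion.
        return ip_network(f"{a}/24", strict=False) == ip_network(f"{b}/24", strict=False)

    def issue(self, session_id, remote_ip, headers):
        token = secrets.token_urlsafe(16)  # unguessable per-page id
        self._live[token] = (session_id, self.effective_ip(remote_ip, headers))
        return token

    def consume(self, token, session_id, remote_ip, headers):
        entry = self._live.pop(token, None)  # removed on first access
        if entry is None:
            return False  # unknown, expired, or already used
        owner, issued_ip = entry
        if owner != session_id:
            return False  # id presented from a different session
        seen_ip = self.effective_ip(remote_ip, headers)
        if issued_ip is None or seen_ip is None:
            return True  # a Via: proxy was seen, so no IP comparison
        return self.same_class_c(issued_ip, seen_ip)
```

A real deployment would also expire unused ids after the login timeout the thread discusses and keep the store shared across worker processes.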