Tim Starling wrote:
There's a simple, non-invasive way to determine the IP address of an AOL client,
which I've been
looking into recently: use SSL sign-on. Make the login links go to
https://secure.wikimedia.org, and
redirect them back when they're logged in. SSL requests skip the proxy cluster. We
would store the
IP address at login in the session, and then continue to use that IP address for the user
after they
return to the unsecured part of the site. And of course there are security benefits for
all users.
If that really works, couldn't we just make AOL users _edit_ over SSL?
Have http links with action=edit (or action=submit) redirect to an https
URL if fetched from an AOL proxy.
This would break talk message notification for unregistered AOL users,
but I suppose we could use a cookie for that. After all, talk pages are
public, so there's no security issue even if someone fakes the cookie.
--
Ilmari Karonen