Tim Starling wrote:
There's a simple, non-invasive way to determine the IP address of an AOL client, which I've been looking into recently: use SSL sign-on. Make the login links go to https://secure.wikimedia.org, and redirect them back when they're logged in. SSL requests skip the proxy cluster. We would store the IP address at login in the session, and then continue to use that IP address for the user after they return to the unsecured part of the site. And of course there are security benefits for all users.
If that really works, couldn't we just make AOL users _edit_ over SSL? Have http links with action=edit (or action=submit) redirect to an https URL if fetched from an AOL proxy.
This would break talk message notification for unregistered AOL users, but I suppose we could use a cookie for that. After all, talk pages are public, so there's no security issue even if someone fakes the cookie.