Hi ruzam,

In Re^6: Identifying clients you asked "So is my only option to literally forget the whole ip blocking strategy?" - I think the answer to this is yes.

If your application is trying to protect against unauthorised access from Internet users (as opposed to Intranet access) then the client IP is not a valid criteria to identify them by anyway.

At the moment I accessing the Net via tor. Every time I hit a page my request arrives at the server via a different route.

You can check this by installing Tor & going to a site like http://www.whatismyip.com/ - each time your IP will be different.

This has interesting effects when for example go to Google - instead of bringing up my normal google.co.uk start page, it bounces me to the country that it thinks I'm coming from.

Yesterday I got google.de a number of times, and once I even got the Bulgarian Google homepage - "What's this??? Google in Cyrillic!" :o)

DigitalKitty has a bit more on tor on her home node.

If someone is using tor then they have immediately rendered all your hard work and logic for blocking/penalising IPs irrelevant.

A white list *is* a possiblity, but even valid IPs can be hijacked or spoofed, so it's never 100% reliable as an identification method.

I would think a form of challenge-response type encrypted token passed between the server and the client and back to the server would be a more reliable way to go.