The ultimate count should be tied to the user account that is being logged into. In some of my applications I also attach counts to session and IP's but these cannot be relied upon for security. While IP's can be spoofed, it is difficult but it is not difficult or uncommon for someone to use multiple IP's, especially if that someone is a hacker. Another thing to consider with any IP association is that many corporate users as well as household users may share a single IP address, so if you block one, or asociate a count with one, you are associating a count or are blocking all. Lastly a hacker knows how cookies work so a session count would most likely be useless.
↧