
forging $_SERVER['REMOTE_ADDR']


chronister


Hello,

 

I need some opinions from the experts here.

 

I have a system that relies on

$_SERVER['REMOTE_ADDR']

for "authentication".

I know that there are X amount of IP addresses that will be connecting (they are static). If an IP hits this page and is not an acceptable IP address, then I deny access, if the IP is acceptable then they can proceed.

 

My main question is in the title: how secure is this? How easily can it be forged or bypassed from the perspective of the client?

 

Thanks for the help,

 

Nate

 

https://forums.phpfreaks.com/topic/164889-forging-_serverremote_addr/

Quote:

Also, the way I understand, it would essentially be useless since the server would send a response to the fake IP address, not the real one.

 

Please elaborate. Do you mean using it would be useless or that trying to forge it would be useless?

 

Basically this is a "dashboard" system that allows stores to input daily sales information so that it is compiled and available to corporate immediately. I am probably going to use a password of the week (multiple stores use it) or just a username / password challenge as an additional layer.

 

Hi Nate,

 

One method that I think would be more beneficial for you would be to use a .htaccess file and restrict access that way. This would rule out the possibility of someone forging the address from the web page if their IP wasn't in the allowed range.

 

An .htaccess example would be:

 

# IP entries in .htaccess file (Apache 2.2 mod_authz_host syntax)
# Order Deny,Allow is the default; stated explicitly so the Allow lines are
# evaluated after the Deny and override it for the listed addresses.
Order Deny,Allow
Deny from all
Allow from 192.168
Allow from 64.233.187.99
# end of .htaccess

 

The subsequent Allow from and Deny from arguments may be:

    * A full IP address, like 10.1.2.3

    * A partial IP address, like 10.1 (the leading octets of the IP)

    * network/netmask or CIDR (see the Apache documentation)

 

The following example will restrict everybody from accessing the pages, except users with an IP beginning with 192.168 (local network) and one user from the Internet with the IP address "64.233.187.99". Since the IPs are going to be static, you shouldn't need to worry about the code since you'll only be accepting access from the trusted IPs/IP range you choose.
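Added example (not code from either post in this thread): a PHP-side version of the same allow list, applied to $_SERVER['REMOTE_ADDR'] as Nate's system does, with the username/password layer he mentions as a second check. It accepts the same three entry forms as the .htaccess above (full address, partial address, CIDR), matches partial entries on whole octets, and deliberately ignores client-supplied headers such as X-Forwarded-For. The addresses, CIDR range, shared password and the password hash are placeholders chosen for the example, not values from the thread; it assumes PHP 8 on a 64-bit build.

```php
<?php
// Added example, not from the original thread. All addresses, the CIDR range
// and the demo password are placeholders (assumptions).
declare(strict_types=1);

// Allow-list entries in the three forms Apache's "Allow from" accepts.
const ALLOWED_CLIENTS = [
    '64.233.187.99',   // full IPv4 address
    '10.1',            // partial address: matches 10.1.x.y on whole octets only
    '172.16.0.0/12',   // CIDR block (172.16.0.0 - 172.31.255.255)
];

/** True if $ip (dotted IPv4) matches one of the allow-list entries. */
function ip_allowed(string $ip, array $allowed): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false; // not a syntactically valid IPv4 address (IPv6 out of scope here)
    }
    $ipInt = ip2long($ip);

    foreach ($allowed as $entry) {
        if (str_contains($entry, '/')) {
            [$net, $bits] = explode('/', $entry, 2);
            $bits = (int) $bits;
            if (filter_var($net, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false || $bits < 0 || $bits > 32) {
                continue; // skip a malformed entry rather than silently widening the list
            }
            $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
            if (($ipInt & $mask) === (ip2long($net) & $mask)) {
                return true;
            }
        } elseif (substr_count($entry, '.') === 3) {
            if ($ip === $entry) {
                return true;
            }
        } else {
            // Partial entry: compare octet by octet, so '10.1' matches 10.1.5.5
            // but not 10.10.0.1 (a plain string prefix test would allow it).
            $want = explode('.', $entry);
            if (array_slice(explode('.', $ip), 0, count($want)) === $want) {
                return true;
            }
        }
    }
    return false;
}

/**
 * The client address as the web server saw it on the TCP connection. This is
 * the one value the client cannot choose freely: REMOTE_ADDR is taken from the
 * accepted socket, not from a request header. X-Forwarded-For, X-Real-IP and
 * similar headers are set by whoever sends the request and are not consulted.
 * If this app is ever placed behind a reverse proxy or load balancer, REMOTE_ADDR
 * becomes the proxy's address and that proxy has to be handled explicitly.
 */
function client_ip(array $server): ?string
{
    return $server['REMOTE_ADDR'] ?? null;
}

/** Both layers: the connecting address must be listed AND the password must verify. */
function request_allowed(array $server, array $post, string $passwordHash): bool
{
    $ip = client_ip($server);
    if ($ip === null || !ip_allowed($ip, ALLOWED_CLIENTS)) {
        return false;
    }
    $password = $post['password'] ?? '';
    // password_verify() compares a salted hash in constant time; never store or compare plaintext.
    return is_string($password) && password_verify($password, $passwordHash);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests (not real traffic) to exercise the checks offline.
    $hash = password_hash('change-me', PASSWORD_DEFAULT); // demo only; store only the hash
    $cases = [
        ['REMOTE_ADDR' => '64.233.187.99', 'password' => 'change-me', 'expect' => true],
        ['REMOTE_ADDR' => '10.1.5.5',      'password' => 'change-me', 'expect' => true],
        ['REMOTE_ADDR' => '10.10.0.1',     'password' => 'change-me', 'expect' => false], // not 10.1.x.y
        ['REMOTE_ADDR' => '172.20.1.1',    'password' => 'change-me', 'expect' => true],  // inside /12
        ['REMOTE_ADDR' => '172.32.0.1',    'password' => 'change-me', 'expect' => false], // outside /12
        ['REMOTE_ADDR' => '64.233.187.99', 'password' => 'wrong',     'expect' => false],
        // Client-controlled header must not help, even with the right password.
        ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '64.233.187.99',
         'password' => 'change-me', 'expect' => false],
    ];
    foreach ($cases as $c) {
        $got = request_allowed($c, ['password' => $c['password']], $hash);
        printf("%-15s %-5s %s\n", $c['REMOTE_ADDR'], $got ? 'allow' : 'deny',
               $got === $c['expect'] ? 'ok' : 'MISMATCH');
    }
} else {
    // Web usage, at the top of the dashboard page. Replace with the stored hash.
    $storedHash = password_hash('change-me', PASSWORD_DEFAULT);
    if (!request_allowed($_SERVER, $_POST, $storedHash)) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Run it with `php allowlist.php` to see each constructed request allowed or denied. The X-Forwarded-For case is the point of the thread: a client can put any address in a request header, but cannot complete the TCP handshake from an address it does not control, so the check keys on REMOTE_ADDR alone and the header is never read. One caveat for the .htaccess approach: the `Order`/`Allow`/`Deny` directives belong to Apache 2.2; on Apache 2.4 they require mod_access_compat, and the native equivalent is `Require ip 192.168 64.233.187.99`.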

 
