zyrolasting, posted December 4, 2009:
I did some homework and found that $_SERVER['REMOTE_ADDR'] does not always return the 'real' IP of a user, and those HTTP request things (I forget...) can be faked. I have a publicly available comments section that anonymous users may access, but I naturally want to be able to effectively ward off troublemakers. What's the most accurate way to collect the IP of arbitrary users? Since I haven't heard anything bad about the method yet, I plan to use .htaccess. I do not need any third party libraries or tools, do I?
premiso, posted December 4, 2009:
The best way to ward off the unwanted is to have a "White List" or "Safe List"; basically, only members' IP addresses that are on that list can access the site. Now here comes the kicker: if they do not have a static IP address, or want to access from a different location, i.e. work, they will be denied access. It is pretty much a waste of time to try banning people by IP address, as anyone can get a free proxy and access your site through that and voilà, they are not banned. Or if their IP address is dynamic then yea. So try as you might, the best way is there is no best way. Add some annoyances such as Captcha and possibly a throttle on how long before they can post a new item. But yea, if IPs were unique and static for every computer, ya this would work. But they are not. But .htaccess is a decent way to do it if you do not want to write PHP code to block.
zyrolasting, posted December 4, 2009:
Correct me if I'm misunderstanding something here, but isn't .htaccess in need of IPs? I know it can do ranges and the like, but how exactly is it better if I still need IPs to ban people? Also, the white list seems risky, doesn't it? Wouldn't I have to enumerate a massive number of IP ranges? I do indeed have a captcha on the site. I hate the look of it, but I do think it's better I have it.
premiso, posted December 4, 2009:
> but how exactly is it better if I still need IPs to ban people?
It's not, it is just a decent way to do it. You will still have to have some PHP code to write new IPs to the file if you want it dynamic. Doing the .htaccess denies them from the whole folder it is in. But as long as your PHP files have a "config" include or a "global" include file that is included on each page, it will not be a hard change to code in a banning feature by IP. But before you implement that, think of this. If you have a lot of university people visiting your site, generally banning one person's IP bans the whole university. Let me know if you have further questions or need clarification.
zyrolasting, posted December 4, 2009:
Anything you can suggest that doesn't take IPs into consideration at all?
FaT3oYCG, posted December 4, 2009:
If you search the net then there are functions to gather the real IP addresses of users even behind proxies and the like, which sometimes will work. There is no real way to make sure you can block every user that causes problems, so that is probably the best way while keeping functionality on your site. Note that users can modify the IP address that is returned even using these methods though, so you will still not be 100% safe. As premiso said, the only way to be 100% safe would be to whitelist IPs, but this would be an inconvenience to users and I am pretty sure that it would lose you visitors.
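Added example, not part of any post in this thread: the "real IP" functions mentioned above typically read the X-Forwarded-For request header, which is text the client controls. This PHP function consults that header only when the connection itself comes from a reverse proxy you operate; the function name, the proxy address and the sample requests are constructed for illustration.

```php
<?php
// Added example: names and sample values are constructed for illustration.

/**
 * Return the address to use for bans and throttling.
 * $server is $_SERVER; $trustedProxies lists reverse proxies you operate.
 */
function client_ip(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // REMOTE_ADDR is the TCP peer. Any header is client-supplied text, so it
    // is only consulted when the peer is a proxy we run ourselves.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));

    // Each proxy appends the peer it saw, so walk from the right and stop at
    // the first hop that is not one of ours. Anything left of it is unverified.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests using documentation address ranges.
$proxies = ['192.0.2.10'];

// Direct visitor sending a forged header: the header is ignored.
$direct = ['REMOTE_ADDR' => '203.0.113.7',
           'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
echo client_ip($direct, $proxies), "\n";

// Same forged value arriving through our proxy, which appended the real peer.
$viaProxy = ['REMOTE_ADDR' => '192.0.2.10',
             'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7'];
echo client_ip($viaProxy, $proxies), "\n";
```

Both calls resolve to the connecting visitor rather than the forged value; the address is still only as stable as the visitor's network, so shared and dynamic addresses remain a limit on any ban built on it.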
zyrolasting, posted December 4, 2009:
I guess I just have to be creative. I'm not too surprised there is no 100% reliable way. This is the internet, after all. I have to ask, though. The bottom right of my post shows my IP behind my router. What does PHPFreaks do in this regard? Does it bypass proxies?
premiso, posted December 4, 2009:
> Anything you can suggest that doesn't take IPs into consideration at all?
Nope, if it is anonymous users then yea, you cannot do much. The best you can do is add in Captchas ONLY for anonymous users and do a throttle by IP, so that if that IP has posted within 45-60 seconds they cannot re-post again. Doing that may annoy them enough to not come back if they are doing it just to bash etc. The only downfall is, it will probably annoy regular anonymous users as well, but it should not stop them from coming to the site, just from replying. EDIT: As for the IP that is logged, PHPFreaks keeps a log of IPs and they can "ban" by IP, but it is still under the same items that we described before. It is rarely used to ban someone; they simply just ban the user from the site, as you have to be registered to make posts etc. But IPs are also good for statistics and to see if someone is possibly using 2 accounts, which is against ToS.
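Added example, not part of any post in this thread: one way to implement the per-IP posting throttle suggested above, in PHP, with the interval defaulting to the lower bound of 45 seconds. The function name, the JSON state file and the sample address and timestamps are constructed for illustration.

```php
<?php
// Added example: function name, store file and sample values are constructed.

/**
 * Return true and record the post if $ip has not posted within $window
 * seconds; return false otherwise. State is a JSON file guarded by flock().
 */
function may_post(string $ip, int $now, string $storeFile, int $window = 45): bool
{
    $fh = fopen($storeFile, 'c+');       // create if missing, do not truncate
    if ($fh === false) {
        return false;                    // assumption: refuse posts if state is unreadable
    }
    if (!flock($fh, LOCK_EX)) {          // serialize concurrent requests
        fclose($fh);
        return false;
    }

    $seen = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];

    // Drop expired entries so the file does not grow without bound.
    $seen = array_filter($seen, fn($t) => $now - $t < $window);

    $allowed = !isset($seen[$ip]);
    if ($allowed) {
        $seen[$ip] = $now;               // only accepted posts restart the timer
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($seen));
    flock($fh, LOCK_UN);
    fclose($fh);

    return $allowed;
}

// Constructed run: the same address posts at +0s, +10s and +50s.
$store = tempnam(sys_get_temp_dir(), 'throttle');
$start = 1259884800;                     // constructed timestamp
foreach ([0, 10, 50] as $offset) {
    $ok = may_post('203.0.113.7', $start + $offset, $store);
    echo "+{$offset}s: ", $ok ? 'accepted' : 'rejected', "\n";
}
unlink($store);
```

In a comment handler the first argument would be `$_SERVER['REMOTE_ADDR']`, and the check would run before the comment is stored.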
zyrolasting, posted December 4, 2009:
I think I got the info I needed. I like the idea of imposing a time limit between replies, but I'd keep it to a max of 30 seconds. Thanks for the quick and informative replies, guys!