I am running a PHP-based browser game. My actual banning system gets the IP using this function, which I found to be very good.

function get_real_ip()
{
  $client_ip = (isset($_SERVER['HTTP_CLIENT_IP'])) ? $_SERVER['HTTP_CLIENT_IP'] : '';
  $x_forwarded_for = (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
  $remote_addr = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : '';

  if (!empty($client_ip))
  {
    $ip_expl = explode('.',$client_ip);
    $referer = explode('.',$remote_addr);
    if($referer[0] != $ip_expl[0])
    {
      $ip=array_reverse($ip_expl);
      $return=implode('.',$ip);
    }
    else
    {
      $return = $client_ip;
    }
  }
  else if (!empty($x_forwarded_for))
  {
    if(strstr($x_forwarded_for,','))
    {
      $ip_expl = explode(',',$x_forwarded_for);
      $return = end($ip_expl);
    }
    else
    {
      $return = $x_forwarded_for;
    }
  }
  else
  {
    $return = $remote_addr;
  }
  unset ($client_ip, $x_forwarded_for, $remote_addr, $ip_expl);
  return $return;
}

Now the problem is that I still can't get the correct IP; a user still keeps on logging on. So how does he do that, and how do I prevent him from registering again and again?

https://forums.phpfreaks.com/topic/276424-annoying-user/

I'm not sure about your function. I usually just check $_SERVER['REMOTE_ADDR']. Note that he could be using an anonymous proxy, which would allow him to keep changing his IP address.

Do you have a CAPTCHA in your registration process? If you think he is registering via a script he wrote, I would suggest having one in place to prevent this.

https://forums.phpfreaks.com/topic/276424-annoying-user/#findComment-1422452

He is already using that. The only thing you can do is ban all the IPs and email addresses. If he doesn't use a bot, and he just wants to troll and be annoying, he will just keep on registering until you ban him.

At this point, I don't think there's much else you can do.

https://forums.phpfreaks.com/topic/276424-annoying-user/#findComment-1422457

He probably has a dynamic I.P. address, which is very common in this day and age. There isn't much you can really do about it; you need to tighten up the registration form, look at form tokens and re-captcha, and also Google some tips to make forms less likely to be automated by a bot/script.

https://forums.phpfreaks.com/topic/276424-annoying-user/#findComment-1422462

The function you are using can be fooled to give you an arbitrary IP address that doesn't have anything to do with where the requests are coming from.

The HTTP_ values are just data in the header of the request and can be set to any value in any request. The only "trustworthy" value in that code is the REMOTE_ADDR, and you are giving the HTTP_ values priority over the REMOTE_ADDR value. The REMOTE_ADDR value comes from the data packets the web server received and is where the output from the web server will be sent back to.

If you have a site that is being abused, you need to record all the information that you can about the user. I would record the REMOTE_ADDR "physical" address and the "apparent" IP address that your function returns. This will give you more information to decide what to do about the abuse.

It sounds like you have a registration system, implying you have accounts with usernames. You should be preventing access to your site by disabling the account and preventing future registrations using the email address. If you have a need to ban users, your user system needs to query your user database on each request to check the banned status. Your registration system should only activate an account after you send the user an email with an activation link in it.

https://forums.phpfreaks.com/topic/276424-annoying-user/#findComment-1422470
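Added example, not part of any post in this thread: one way to follow the last reply's advice, banning on REMOTE_ADDR and recording the header values only as unverified claims. TRUSTED_PROXIES and client_addresses() are hypothetical names, the proxy exception assumes a reverse proxy you run yourself, and all addresses are constructed documentation values.

```php
<?php
// Hypothetical list: only reverse proxies you operate yourself belong here.
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Returns the address to ban on, plus the unverified header claims for the log.
 */
function client_addresses(array $server): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $claimed = [
        'client_ip'       => $server['HTTP_CLIENT_IP'] ?? '',
        'x_forwarded_for' => $server['HTTP_X_FORWARDED_FOR'] ?? '',
    ];
    $ban_ip = $remote;

    // Only a proxy we run may speak for the client. Walk X-Forwarded-For from
    // the right and stop at the first hop that is not one of our proxies;
    // everything to the left of that hop was supplied by the client.
    if (in_array($remote, TRUSTED_PROXIES, true) && $claimed['x_forwarded_for'] !== '') {
        $hops = array_map('trim', explode(',', $claimed['x_forwarded_for']));
        foreach (array_reverse($hops) as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break; // malformed entry: keep the last address we accepted
            }
            $ban_ip = $hop;
            if (!in_array($hop, TRUSTED_PROXIES, true)) {
                break;
            }
        }
    }
    return ['ban_ip' => $ban_ip, 'remote_addr' => $remote, 'claimed' => $claimed];
}

// Constructed sample requests, not real traffic.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => '192.0.2.50',
           'HTTP_X_FORWARDED_FOR' => '192.0.2.99'];           // headers ignored
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'];

foreach ([$direct, $proxied] as $req) {
    $a = client_addresses($req);
    // Log both values, as the reply suggests; ban and rate-limit on ban_ip only.
    printf("ban_ip=%s remote_addr=%s claimed=%s\n",
        $a['ban_ip'], $a['remote_addr'], json_encode($a['claimed']));
}
```

Both sample requests resolve to 203.0.113.7: in the first the headers are ignored because the sender is not a trusted proxy, in the second the rightmost forwarded hop is the address the proxy itself observed.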
