Azure app service php session id duplicated - php

On Azure Linux App service, PHP 7.4, with ARR Affinity was enabled, sometimes different client will get same session id, how to fix it?
time
session id
ip
2023/02/17 09:21:00
c3afe305bd82d13d532d18a1e29c0ab0fbfe51365c7fbf6
1.163.94.12
2023/02/17 09:21:14
c3afe305bd82d13d532d18a1e29c0ab0fbfe51365c7fbf6
1.163.94.12
2023/02/17 09:21:19
c3afe305bd82d13d532d18a1e29c0ab0fbfe51365c7fbf6
1.163.94.12
2023/02/17 09:21:25
c3afe305bd82d13d532d18a1e29c0ab0fbfe51365c7fbf6
1.163.94.12
2023/02/17 09:28:10
c3afe305bd82d13d532d18a1e29c0ab0fbfe51365c7fbf6
106.64.41.90
2023/02/17 09:28:11
c3afe305bd82d13d532d18a1e29c0ab0fbfe51365c7fbf6
106.64.41.90
2023/02/17 09:28:13
c3afe305bd82d13d532d18a1e29c0ab0fbfe51365c7fbf6
1.163.94.12

Related

About the security issues of [HTTP_X_FORWARDED_FOR], should I use it at all instead of [REMOTE_ADDR]?

I'm trying to create a php counter, and in order not to count repeated visits from the same visitor, I've been thinking about saving the visitor's IP address into the database, and I should turn to $_SERVER
I've read this sample funtion by #Dusza that seems nice and convenient:
<?php
function get_IP() {
// ADDRESS IP
if (getenv('HTTP_CLIENT_IP')) $ipaddress = getenv('HTTP_CLIENT_IP');
else if(getenv('HTTP_X_FORWARDED_FOR')) $ipaddress = getenv('HTTP_X_FORWARDED_FOR');
else if(getenv('HTTP_X_FORWARDED')) $ipaddress = getenv('HTTP_X_FORWARDED');
else if(getenv('HTTP_FORWARDED_FOR')) $ipaddress = getenv('HTTP_FORWARDED_FOR');
else if(getenv('HTTP_FORWARDED')) $ipaddress = getenv('HTTP_FORWARDED');
else if(getenv('REMOTE_ADDR')) $ipaddress = getenv('REMOTE_ADDR');
else $ipaddress = 'UNKNOWN';
//return $ipaddress;
}
?>
But I've done some research here, and found that there's a security hole in that because the user can spoof all values except REMOTE_ADDR, which can be modified by a proxy.
So I guess that when they say that there's a security hole, it means that I should sanitize the user's input when I insert it into the database doing some bindings.
Is there any other precaution?
Given that all other values are unreliable I should avoid using them altogether?
But what about the un-spoffing value of REMOTE_ADDR? That can be modified by a proxy.
Any suggestions on what path should I take?
If you want to downvote, or vote the question to be closed or deleted, please leave
me a comment about why, so I can improve my questions. Thanks.
REMOTE_ADDR is the IP address established through a 3-way TCP/IP handshake. It is the IP the response will be sent back to. It is the only thing that your server has verified. Everything else is just arbitrary HTTP headers anyone could set.
Now, if you know that your server is running behind a proxy (e.g. a load balancer) which would mask the visitor's IP address (your server would only see the proxy's IP), but you know that the proxy is helpfully forwarding you the visitor's IP in an HTTP header (as workaround for this situation so your server can still see the visitor's IP), then and only then may you use one of these HTTP headers and only the one that you know your proxy is setting. If your server is not behind a proxy, use REMOTE_ADDR exclusively. Otherwise, consult your proxy's manual and implement according to the situation.

IOS HTTPCookie not recognized in PHP API

I'm authenticating my users and then sending each of them a unique cookie which I will store server side and client side. In order to provide some level of security to my API, I'm sending every request to my api with that cookie.. I set the cookie on IOS like this
let cookie = HTTPCookie(properties: [HTTPCookiePropertyKey.originURL : apiURL, HTTPCookiePropertyKey.name :
cookie_name, HTTPCookiePropertyKey.value : cookie_value, HTTPCookiePropertyKey.path : "/"])
HTTPCookieStorage.shared.setCookie(cookie)
I'm 100% sure that the way I'm setting my cookie up is perfect. I've done it in previous apps... just never with a PHP API on the other end. The only issue is that my PHP API doesn't recognize the cookie...
I'm checking like this:
if($_COOKIE['cookie_name'] != ''){ }
When I try to call the API from Postman (a google chrome extension that allows to pass cookies), it works fine and my php script recognizes the cookie. When I try to make calls from my mobile device, I get unauthorized access everytime because the PHP API fails to recognize that the cookie was passed...
The reason why I'm confident that I'm creating and passing my cookie correctly is because I do it in all of my Ruby on Rails app the same way...
Any advice?
Check like this
let cookie = HTTPCookie(properties: [HTTPCookiePropertyKey.originURL : apiURL, HTTPCookiePropertyKey.name :
cookie_name, HTTPCookiePropertyKey.value : cookie_value, HTTPCookiePropertyKey.path : "/"])
HTTPCookieStorage.shared.setCookie(cookie)
if($_COOKIE['cookie'] != ''){ }
the name of the cookie is not cookie name it's cookie as the line below
// (cookie) = cookie name
HTTPCookieStorage.shared.setCookie(cookie)
so this is how you should check
if($_COOKIE['cookie'] != ''){ }

IP addresses in PHP

I have a competition scripted in PHP, vote based. From one IP, one person can vote for someone one time. I have a log of all IP addresses that voted, but I see something strange. Some IP addresses appear to be like for="ip_address:port", while others are just ip_address, and I see that one ip address, formatted with for="..." appear to be there multiple times, just with different ports. Can someone please explain it to me? How users do this, should I ban them from competition for this?
I use this function to get user IP address:
function get_client_ip_env() {
if (getenv('HTTP_CLIENT_IP'))
$ipaddress = getenv('HTTP_CLIENT_IP');
else if(getenv('HTTP_X_FORWARDED_FOR'))
$ipaddress = getenv('HTTP_X_FORWARDED_FOR');
else if(getenv('HTTP_X_FORWARDED'))
$ipaddress = getenv('HTTP_X_FORWARDED');
else if(getenv('HTTP_FORWARDED_FOR'))
$ipaddress = getenv('HTTP_FORWARDED_FOR');
else if(getenv('HTTP_FORWARDED'))
$ipaddress = getenv('HTTP_FORWARDED');
else if(getenv('REMOTE_ADDR'))
$ipaddress = getenv('REMOTE_ADDR');
else
$ipaddress = 'UNKNOWN';
return $ipaddress;
}
Also, if anyone know some good reference and manual with all predefined variables in PHP, please share it with me.
IP addresses HTTP headers can easily be spoofed and a lot of users (mainly mobile users on for example a wifi connection) have lease times on IP addresses that are very short, thus enabling them to vote again.
That said you can combine options, for example check IP address and set a cookie to make it harder to get around.
If you set a port with the ip address then it will not match your database records/list of IP addresses. Should you ban them for that? I can't answer that.
Most of your checking method is based on what the request says is the IP address, like the HTTP headers, which are easily spoofed. Don't trust them or accept that your poll is not going to get accurate results.
If you really want a fair voting system that allows one vote per person you will need to use something else then IP address to identify the user.
try this, it may helpfull for you
<?php
//for example
$ip = "216.58.196.68:8989";
$ip = strstr("$ip",':',true); //get text before :
echo $ip;
//it echo only 216.58.196.68
?>

How to use $_SERVER["REMOTE_ADDR"] in PHP websocket server

I have am using websocket and trying to merge with my custom PHP app and Mysql database. In Database I store IP, ClientID and username when user connects to server. These infromation are to be used when user disconnect from websocket server or sends message. I run server.php with php server.php
The server page is https://github.com/Flynsarmy/PHPWebSocket-Chat/blob/master/server.php
As mentioned above I stored necessary information in Mysql database to identify which users sends message, disconnect and connect.
So for that I need to identify my own mechine IP for further identification with various clients. So when I try to use
<?php
echo $_SERVER["REMOTE_ADDR"];
in server.php. It gives an error saying undefined.
You don't.
WebSockets does not deal with web requests. The $_SERVER superglobal does not get populated because it does not make sense to populate it.
Deal with the socket connections directly.
You most likely want to play around with socket_getsockname().
Please try this,
var_dump($_SERVER);
and check if it prints... [REMOTE_ADDR] => .......
But if you are after clients IP,
as a PHP developer I use following code
$ip=NULL;
if (!empty($_SERVER['HTTP_CLIENT_IP']))
$ip = $_SERVER['HTTP_CLIENT_IP'];
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
else
$ip = $_SERVER['REMOTE_ADDR'];

How to get real IP of user using PHP? [duplicate]

This question already has answers here:
How to get the client IP address in PHP
(32 answers)
Closed 8 years ago.
I've been trying to get real IP address of the user, and not a proxy address. For that I've done this:
$ip1 = $_SERVER['REMOTE_ADDR'];
$ip2 = $_SERVER['HTTP_X_FORWARDED_FOR'];
$ip3 = $_SERVER['HTTP_FORWARDED'];
mail("me#domain.com", "Report", "IP1 is $ip1, IP2 is $ip2, IP3 is $ip3 .");
But when a user is using proxy, the above script gets the proxy address and not the real IP address:
IP is [proxy_addr_here], IP2 is , IP3 is .
Is there any way to get real IP just like whatismyip.com tells (it tells real IP address, proxy address and useragent)?
Update : Whatismyip tells me this
"Your IP Address Is: [my real IP]
Proxy: [my proxy address]
City: Alipur
State/Region: Delhi
Country: IN -
ISP: Bharti Airtel Ltd."
How come it gathers all the details so accurately but not my PHP script?
You could do
$ip= isset($_SERVER['HTTP_X_FORWARDED_FOR']) ?
$_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
But even that is not 100%. Getting IP of the real user now a days is not a guarantee with so many NAT firewalls in between, let alone proxies.
Edit
To answer your edit as to how they show you more information, you could use many features of the language to get more request details. For example try
print_r(getallheaders());
Then you can also use
print_r($_SERVER);
And extract the required information from there.
Edit 2
Even your favorite whatismyip.com reports
Your IP Location can be found using our IP Lookup tool. No IP Lookup tool is 100% accurate due to many different factors. Some of those factors include where the owner of the IP has it registered, where the agency that controls the IP is located, proxies, cellular IPs, etc. If you are in the US and the controlling agency of the IP is located in Canada, chances are the IP address lookup results will show as Canada. Showing a Canadian IP while in the US is very common among Blackberry users on the Verizon network.
Reference
You might still ask ok then why cant I get at least what they show? Im sure they have put up a lot of research and resources in setting up that tool, its not a one line PHP code, in fact there is no telling whether that site is written in PHP at all. Some more research and you will be on your way to try to match their lookup.
You can try this...
<?PHP
function getUserIP()
{
$ipaddress = '';
if (getenv('HTTP_CLIENT_IP'))
$ipaddress = getenv('HTTP_CLIENT_IP');
else if(getenv('HTTP_X_FORWARDED_FOR'))
$ipaddress = getenv('HTTP_X_FORWARDED_FOR');
else if(getenv('HTTP_X_FORWARDED'))
$ipaddress = getenv('HTTP_X_FORWARDED');
else if(getenv('HTTP_FORWARDED_FOR'))
$ipaddress = getenv('HTTP_FORWARDED_FOR');
else if(getenv('HTTP_FORWARDED'))
$ipaddress = getenv('HTTP_FORWARDED');
else if(getenv('REMOTE_ADDR'))
$ipaddress = getenv('REMOTE_ADDR');
else
$ipaddress = 'Unknown IP Address';
return $ipaddress;
}
$user_ip = getUserIP();
echo $user_ip; // Output IP address (Ex: 123.345.456.678)
?>

Categories