I want to skip a login process and instead save users' server IP with PHP's "$_SERVER['REMOTE_ADDR']" function and keep them in a database for later identification when activities are performed on my site, now to the question...
Will I have to notify users that I am saving this information from them, just like if I would use cookies?
$_SERVER['REMOTE_ADDR'] is
the source IP of the TCP connection and can't be substituted by
changing an HTTP header.
And:
While it is technically possible to bidirectionally spoof IP addresses
on the Internet (by announcing foul routes via BGP), such attacks are
likely to be spotted and not available to the typical attacker -
basically, your attacker must have control over an ISP or carrier.
There are no feasible unidirectional spoofing attacks against TCP
(yet). Bidirectional IP spoofing is trivial on a LAN though.
Reference: Is it safe to trust $_SERVER['REMOTE_ADDR']?
Doing IP address filtering would be a method to reduce surface of attack by having a whitelist of IP addresses, but not doing authentication because it will only authenticate the network address and not the person.
E.g. if somebody else happens to use the same computer, he didn't need to enter any password to get the equivalent features. So you can't enforce accountability at the person level.
However if you used IP filtering in combination of something else, e.g. a PIN number on top of the IP filtering, that's already a bit better.
You don't have to notify. The cookies are notified because of a EU law.
Apache, by default, like most other similar programs keeps access logs, and many other tools you probably have in your server. These all save user-ip addresses, anyway. so you are already saving them. https://httpd.apache.org/docs/2.4/logs.html
the problem with this approach is, people on a mobile connection(an entire area using the same IP), on the same house, or using a different browser will share the same IP. Or people travelling on a mobile device will be constantly changing IP's, people with dynamic IP addresses(there are entire countries like this, this is super common)
Imagine you are using two gmail accounts and regardless of the browser, it just logs you in to the same account. Normally one would expect a site to be "fresh" when run in a different browser, for example.
Check out sessions, it is probably what you want.
Related
So I have a web application which is going to collect people's opinion (People have to choose option 1 or option 2). I don't want anyone to submit their opinion twice or more, which makes me think an opinion is more popular when it isn't, so I think of several ways, but they all have their disadvantage:
Check user's IP address: user can change their IP easily by using web proxy or something like that.
Check user's HWID like what I did on another desktop application: Seem like it's impossible with php
Can you suggest me a way which is the most effective for my web application's issue? The ideal solution is having only one vote per device, but I have no idea how to do it with PHP.
Edit: Please give me your advice on this: does cookie work with web proxy? If the application stored a cookie, then the user open the website with web proxy or simply use private browsing, is the cookie still there? If it is, a combination between IP address and cookie may works.
To prevent accidental multiple submissions, require a login and save the vote in a database, or create a random unique ID that is tied to the user's session, and save that one with the vote, rejecting votes whose IDs already exist, or save a flag in the session that the user already voted.
You could use ever-/super-cookies to make deliberately faking votes harder, but you cannot prevent them unless you have some means to verify an identity and ensure that no person can have multiple identities, e.g. ID cards issued by the government with functions for eCommerce and e(Whatever), social security numbers. However, you will have to interface with an institution performing the verification for you.
And ever-/super-cookies and browser fingerprinting are vulnerable to the use of multiple browsers and break when facing paranoid users.
If you want to prevent multiple deliberate votes with low security and reliability, you could establish an identity like on StackExchange / StackOverflow, i.e. reputation-based, and prevent votes until someone has gained some reputation level.
Or you could require phone-/account-/credit-card-/payments-based verification with low level of confidence (e.g. send SMS text message with verification code to phone number, Facebook, Google, Amazon, PayPal, Stripe...) - people can have multiple phones, accounts, credit/debit cards etc.
In the end, there is no easy-to-use system for identity verification that prevents multiple identities with high confidence (that I know of).
Is there any way to validate that a request to my API is coming from a specific domain without the risk of someone tampering with it?
For instance, if I get a request to:
http://www.mydomain.com/api?request=something&key=12345
I can check to be sure that the API key 12345 has been assigned to a user before returning the results. However, I would like to confine that API key 12345 to a specific domain so that only a person from theirdomain.com would be able to send API requests using the key 12345.
I'm not asking how to program that part, I know that. I'm just asking if there's any way to do so (or any other ideas you may have) aside from using $_SERVER['HTTP_REFERER'] (something more secure)?
There is nothing built into HTTP that allows you to detect the "context" of a request, apart from voluntary (and therefore trivially spoofable) information from the client, such as the Referer header.
If this is a server-to-server API (rather than something which will be requested directly by a user's browser), you could check the source IP address, using $_SERVER['REMOTE_ADDR']. This is much trickier to fake, particularly if you're whitelisting rather than blacklisting IPs. (It's easy to find another IP, to avoid a blacklist, but near-impossible to choose your IP, to avoid a whitelist).
This is often used in e-commerce and e-payment APIs, where the owner of an account provides a list of IP addresses on setup, or in a customer control panel, to make it harder for third parties to use a stolen username and password.
I am trying to get the IP ADDRESS from my users, but as I search the web for ways to do this, I see that it's not possible because an IP can be faked easily.
I wan't the IP because I am creating an extraordinary application where there is no need to make a user, but you can still vote on some objects. I don't want multiple votes from each "user".
And now, how do I get the real IP Address? Is it even possible?
Or is there another way to keep the votes relatively "unique"?
The IP address can be faked, yes, but you also run into the more general problem of proxies and NAT where the end user may not have a "real" public IP. There's nothing you can specifically do about that.
You're going to have to find some way to do this without using IP addresses if you want it to be unique.
$_SERVER['REMOTE_ADDR'] can be used. I'm not sure what you mean with "real IP address" though.
Not possible; your best bet is to stick with _SERVER['REMOTE_ADDR']. Although it can be spoofed it's often not, especially for users that aren't malicious. The only other possibility is to use a cookie to track users but those are also easily spoofed/cleared. You can probably see why people don't use IP addresses for authentication now.
IP spoffing (faking) will always be an issue. That's why you don't see much of these apps out there. I would recommend using evercookies. I think it's the closest you can get from uniquely identifying users without registration.
i have a web portal running which involves basic data entry. The issue being that this is highly sensitive data. And the credibility of the data entry personel is very low.
Therefore i have implemented recording of IP when an entry is made.
The Problem i am facing is if this if this person starts forwarding his IP from a proxy server then i am unable to track authenticity of the data.
How do i detect if the IP forwarding is happening/ get the real ip address of the person.
You can't. Not in any reliable fashion.
You will only ever know the IP address of the request sender with 100% certainty. Whether this sender is a proxy or not can't be reliably detected. If it's a proxy, there's no way to get the originating IP address (reliably).
Require user logins with strong passwords or otherwise enhance your authentication mechanism.
The point of some proxy servers is to not reveal the real IP of the user. However, some proxies supply a HTTP header such as "X-Forwarded-For" or "X-Real-IP". But those headers should neither be taken granted nor should they be trusted. A user might as well just put another faked IP in there.
Basically, using the IP address as a user identifier is not reliable.
Another way to identify a user is cookies. The most simple case: You store the user ID into a cookie and store it with the data. Now the user may use browser privacy modes that flush cookies soonishly.
A way around that might be storing the user ID in different places too. See, for example, evercookie. It tries really hard, to never ever loose the user ID. But then again, the user could just change computers and you might not be able to track that. You can't be 100% sure.
You can check the X-Forwarded-For header. However, if they are using an anonymous proxy, you won't be able to retrieve the ip. You might be better off implementing a stronger username/password policy, i.e., forcing password changes often.
I stored the users IP address when they are registered.After that if they access the site from another Ip address I need to ask some security questions based on the registration.So is it possible to track the IP address.Otherwise the IP will change frequently?.
p.s No need to bother about Proxies and IP spoofing.
$_SERVER['REMOTE_ADDR'] returns the IP address. You know that, since you stored it in the database. When they login, you simply try to match their IP with what you have in the database and popup the questions. I don't see where the problem is. Also, if you didn't, consider using INET_NTOA and INET_ATON ( http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html ) functions of MySQL.
Good luck annoying users!
Unless you can guarantee that each user will have a consistent IP address (which you can't), why bother with this sort of "authentication"?
Short answer is no. There's no way to track the IP address because a user could log on using a different computer, and the IP would be totally unrelated.
In practice many different users from the public internet often use the same IP address via NAT or other IP sharing. DHCP is much more common than it was in days of yore, which means these IP addresses will be released and re-issued daily or at some other frequency. Mobile devices will change IP addresses frequently. So the stability and validity of an IP address varies by networking technology (cellular, cable, DSL, dial-up, etc).
This may be fine, based on your security policies. You should also look at nonces, forced logins, and other security mechanisms based on what your trying to accomplish. You may want to change the session id every N requests or hash the User Agent string with the IP address.