I'd like to know how to obtain the location of a client. I know this is possible by simply tracing the IP, but this isn't very accurate. I noticed http://www.kickstarter.com/ was able to get my exact location. I tried it in 2 different browsers, cleared my cookies and all, and it was still able to get my location. It didn't ask me to allow the page to get my address. How is this done?
To the people that are suggesting me to use geo-ip, please read the actual question. If you trace my ip you get a COMPLETELY different location which is about 100km off of my actual location, whily Kickstarter knows my EXACT location.
You can GEOIP the user, here is the PHP Manual on GEOIP
Those websites base your location on your IP address, for instance using Geo IP. This is not always a reliable feature, most of the time they show me a wrong location.
There are other solutions as well, such as browser geolocation, but this is not supported by older browsers (see caniuse.com for browser support). Browsers who do support it, should ask for permission.
See this website for some examples of geolocation methods.
You don't have to allow a page to get your IP address. The server ALWAYS knows the IP address it needs to talk to. If you don't use a proxy, it will know the direct address your request comes from.
Related
I'm looking for something that I'm not sure it exist.
If not I'm happy to get directions to do it.
I rent a proxy from a proxy company, so I have an IP, username and password to use it.
I would like to put those informations in a php script, then be able to surf through the proxy using this php script.
This will give me the opportunity to give the link to other person without them to have to change the config in them browser.
Thanks in advance
Something like this may be what you are looking for
http://freshmeat.net/projects/phpproxy/
Do a search in Google for PHP Proxy, there are many for your needs.
I learn that HTTP_REFERER or any HTTP request header can be fake and not reliable.
REMOTE_ADDR is reliable though.
so, how can I ensure the incoming HTTP_REQUEST call is coming from a website that I white-list?
For example, I have a js code that will send from client site to server. (something like a sniper, cross platform). however, I only allow this happen from several websites. Not others. so, even other people copy the code and put onto their website, it won't work.
In the general case you simply can't do it. You are entirely at the mercy of the client. You can make it more difficult by checking the referrer, but not impossible.
The only way to do this reliably is to have all those several websites generate unique tokens for every users, similarly as how you protect yourself from CSRF attacks. The tokens would then be sent along with the request by your script, and your server would need to have a way to check the token for authenticity against the other websites. Needless to say this is very likely impossible unless you control all sites.
See also this question on HTTP_REFERER
Haven't used this in practice, so there might be practicality issues I wasn't counting on, but thought I'd contribute the idea anyway. If I interpret correctly, this is similar to (if not the same as) the idea #Seldaek posted.
Your Server generates a unique ID for each page-serve and embeds the ID in the page.
Server stores the ID and the Client's IP address.
The js on the client places the ID in its request to the Server and sends the request.
When the Server receives the js request from the Client, it only responds if the IP/ID pair matches one that is on-file (see #2).
After some specified time (and/or when the browser session ends), the ID/IP entries expire.
This could perhaps be faked if a person sharing the visitor's IP address (perhaps both are behind the same NAT box) hijacks another visitor's session in real-time, but it will at least prevent someone from making another web page which piggybacks on your server's service.
There could also be issues if, for some reason, your visitor's IP address changes between when the page was served and when the js request was sent.
Basically, your server is saying "I will not service your js request unless you possess the data from a page I recently served and you are coming from (to the best of my knowledge) the place to which I served that page."
All http headers can be faked.
If you are just accepting communication from the remote server (and not having a client browser be redirected to your server) then you can either set up a VPN between that remote server and yours or you can change your firewall config to only allow communication from a specific set of IP addresses. However, even the later can be faked by people willing to go that far.
If the client browser is the one either being redirected to your server or loading the file(s) from your server then there is absolutely nothing you can do.
As #Billy says this simply isn't possible, you're thinking about the internets' request response mechanism incorrectly.
For example, I have a js code that
will send from client site to server.
(something like a sniper, cross
platform).
I assume what you're saying is that you have some javascript code served up on some website on your 'whitelist' which redirects the user to your website. Its on your website that you want to check that the user came from the 'whitelisted' site?
Aside from setting a cookie (might not be possible - cross domains) you might find it tough. Have you taken a look at OpenID? If you can post more details a solution may be more obvious.
so, how can I ensure the incoming
HTTP_REQUEST call is coming from a
website that I white-list?
I think if you sign every request(from whitelist) which is valid for that request only(once). I assume using uniqid for this is safe(enough?).
Hello guys.
I think it isn't possible just using PHP, but just to be sure.
Is it possible for PHP to know if the
user is accessing the web from behind
a Router?
And if yes, how can i get some
information about that router, like:
Router Name, Brand, Serial Number, ...
Users connected in the same network.
Can PHP also find the Local IP
Address for the visitor in that
Network?
A few simple questions. To which i haven't found a solid answer, and i tough that some PHP genius could tell me. And teach me.
Thanks for your help.
EDIT: Motives for this privacy invasive question
I didn't thought that i had to say this... But i guess i do
I was writing a couple functions that would get the browser preferred languages and finding out from which Country the user comes based on the IP, to deliver my website content in the right language to the visitor.
Then i started to think, most people browse from behind the router, can i find out if they are indeed?
Then it just came to my mind to do one of those simple programs that display network details, people connected on your network. My idea was to do that, but Web App Based not Desktop App Based as all other programs of this kind.
I appreciate privacy above everything as most developers do, so i kind of understand the Down Votes, i would probably Down Vote myself.
I'm sorry if you misjudge me due to my weird question, i have nothing to do so.. These things just popped up on my head.
First, are you talking about finding out information about users visiting your website? Keep in mind that this implies an intrusion into their privacy (you can try it with yourself though ;))
Is it possible for PHP to know if the user is accessing the web from behind a Router?
No you cannot. Only when you know that e.g. you have a lot visitors from one company and they all have the same IP address, they might be behind a router but it could also be a proxy.
And if yes, how can i get some information about that router, like:
Router Name, Brand, Serial Number, ...
If you have the IP you might be able to discover various things about a host with tools such as nmap. You might be able to find out the brand of a router and host system but definitely not serial number and such stuff. nmap is not PHP though.
Note: The use of such tools without permission to do so is illegal in some countries. In any way, the use of such tools without permission is morally questionable .
Users connected in the same network.
As I mentioned in the first question, if you have different users with the same IP address they might be in the same network. They could also be in different sub-networks. Anyway you cannot get their local IP addresses.
Can PHP also find the Local IP Address for the visitor in that Network?
See previous answer.
You see, everything is very vague and mostly based on assumptions. You cannot get reliable information and I am very glad that we are not totally transparent yet.
Once we all use IPv6, the whole story is a different one.
I have no idea what you're trying to do, but it worries me a little.
So I'm glad that (as you suspected) it's not possible.
All the details you're asking about is information that there's no reason for anyone outside the local network to need, it would be a huge security problem if a router was broadcasting this to the world.
It is not possible, by the design of the network protocols.
However, some routers uses special builds of PHP in its admin control panels.
how to identify remote machine uniquely in proxy server environment, i have used $_SERVER['REMOTE_ADDR'] but all machines in proxy network has same IP Address, is there any way
Don't ever depend on information that is coming from the client. In this case, you're running up against simple networking problems (you can never be sure the client's IP address is correct), in other cases the client may spoof information on purpose.
If you need to uniquely identify your clients, hand them a cookie upon their first visit, that's the best you can do.
Your best bet would be :
$uid = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']);
however, there's no way to know if they changed their user agent or different browser.
You could use some other headers to help, like these ones (ones that come to mind when looking at a dump of $_SERVER) :
HTTP_USER_AGENT
HTTP_ACCEPT
HTTP_ACCEPT_LANGUAGE
HTTP_ACCEPT_ENCODING
HTTP_ACCEPT_CHARSET
Using several informations coming from the client will help differenciate different clients (the more information you use, the more chances you have that at least one of those is different between two clients)...
... But it will not be a perfect solution :-(
Depending on the kind of proxy software and it's configuration, there might be a header called X-Forwarded-For, that you could use :
The X-Forwarded-For (XFF) HTTP header
is a de facto standard for identifying
the originating IP address of a client
connecting to a web server through an
HTTP proxy or load balancer. This is a
non-RFC-standard request header which
was introduced by the Squid caching
proxy server's developers.
But I wouldn't rely on that either : it will probably not always be present (don't think its' required)
Good luck !
I do not think there are other ways to do what you want. This is because the proxy server proxies the clients' requests and acts on their behalf. So, the clients are virtually hidden from the server's point of view. However, I may be wrong.
If you are aware of the proxy server, I think that implies this is some kind of company LAN. Are you in control of the LAN? Perhaps building and installing some ActiveX plugin which sends a machine-unique ID to the server might be the solution.
In general, HTTP proxy servers are not required to send the IP of their client. So every request sent by a proxy looks like it came from the proxy's IP. (Although the wikipedia has some mention of custom headers some proxies send to forward the client's ip.)
It gets even worse when an HTTP proxy is itself using another HTTP proxy - the server getting the request will only get the IP of the last proxy in the chain, and there's no guarantee that the 2nd proxy is even aware that the 1st proxy wasn't a regular client!
There is currently no way of doing this as you don't get information about the MAC address, and even that can be wrong, as if there are 2 network cards like a wired one or wireless one.
The best thing to do is locally to get JavaScript to write and read to local storage and send that saved setting back to your server with an Ajax command. This still isn't perfect as if they clear their cache, the setting is lost.
JKS,
Remote machines do not have unique identifiers. This is impossible.
Usually developers like to track machines when the end-user visits a page with a form like a login for security reasons.
Here is what I do: I store a cookie, a session variable and use the new html5 localStorage to track folks on my sensitive pages. This is really the only way to do this accurately. The nice thing about localStorage (when browsers can do this), the end-user typically has no idea you are storing stuff on their machine and deleting cookies has no effect.
So you might make a database table with tracking details like:
timestamp, ip_address, user_agent
then let's say you are tracking failed login attempts.. I would do this:
if(isset($_SESSION['failed_logins'])) {
$failed_logins = $_SESSION['failed_logins'];
$_SESSION['failed_logins'] = ($failed_logins + 1);
} else {
$_SESSION['failed_logins'] = 1;
}
I would then do the same for with setcookie() and then the localStorage script..
Now I am tracking this person and know how many times they are failing a login..
I would then write this user's data to my failed_login table as described above.
I'm sure this isn't the answer you were looking for, but it really is the best way to track users on your site.
i have cgiproxy (http://www.jmarshall.com/tools/cgiproxy/), which lets users use it to navigate pages.
it seems like myspace.com detects it and forwards the user to google.com
doing a quick test to determine my ip using the proxy fails, meaning it doesn't reveal my ip. it shows proxy server's ip.
<?php
if (getenv("HTTP_X_FORWARDED_FOR")) {
$ip = getenv("HTTP_X_FORWARDED_FOR");
} else {
$ip = getenv("REMOTE_ADDR");
}
print"$ip";
So the mystery is, how are sites out there detecting that i am using CGI proxy ? is it possible for cgi proxy to stay undetected?
btw CGI proxy is best because it renders JS.
Perhaps in your PHP test program, you could dump out all the HTTP headers to see what's coming through and whether there is anything that looks like identifying information. It's hard for us to guess what Myspace is doing.
Totally a guess, but you may not be getting the MySpace cookies through CGIProxy.
CGIProxy states it as a known limitation:
If you browse to many sites with
cookies, CGIProxy may drop some. If a
site keeps telling you to enable
cookies, delete your existing cookies
(via the "Manage cookies" link) and
try the site again.
One other option (assuming you have shell access to the machine running the proxy) is to use the SOCKS proxy included in SSH with the -D flag.
I believe what you would want to install is PHProxy:
http://sourceforge.net/projects/poxy/
Back in HS days this is what we used to get around the filters that the school put in place to block it. Worked fairly well as far as I remember it, I haven't tried it recently but it is worth a shot.
Some sites, like MySpace, don't want users connecting through a proxy, so they go to lengths to detect this. By default, CGIProxy, does add any header to make it detectable. An easy way to check your http headers is to visit http://www.ioerror.us/ip/headers .
The usual method to detect this sort of thing is for a bit of client side Javascript to inspect the URL of the page it's on, and send that to the server. Using nph-proxy.cgi I'm able to visit Myspace without any such redirections.
Other methods are for detection include embedding a Flash or Java object on the page, and having that object attempt to connect to a hard coded server.