I am trying to get the IP ADDRESS from my users, but as I search the web for ways to do this, I see that it's not possible because an IP can be faked easily.
I want the IP because I am creating an extraordinary application where there is no need to make a user, but you can still vote on some objects. I don't want multiple votes from each "user".
And now, how do I get the real IP Address? Is it even possible?
Or is there another way to keep the votes relatively "unique"?
The IP address can be faked, yes, but you also run into the more general problem of proxies and NAT where the end user may not have a "real" public IP. There's nothing you can specifically do about that.
You're going to have to find some way to do this without using IP addresses if you want it to be unique.
$_SERVER['REMOTE_ADDR'] can be used. I'm not sure what you mean with "real IP address" though.
Not possible; your best bet is to stick with $_SERVER['REMOTE_ADDR']. Although it can be spoofed it's often not, especially for users that aren't malicious. The only other possibility is to use a cookie to track users, but those are also easily spoofed/cleared. You can probably see why people don't use IP addresses for authentication now.
IP spoofing (faking) will always be an issue. That's why you don't see many of these apps out there. I would recommend using evercookies. I think it's the closest you can get to uniquely identifying users without registration.
Related
I want to skip a login process and instead save users' server IP with PHP's "$_SERVER['REMOTE_ADDR']" function and keep them in a database for later identification when activities are performed on my site, now to the question...
Will I have to notify users that I am saving this information from them, just like if I would use cookies?
$_SERVER['REMOTE_ADDR'] is the source IP of the TCP connection and can't be substituted by changing an HTTP header.
And:
While it is technically possible to bidirectionally spoof IP addresses on the Internet (by announcing foul routes via BGP), such attacks are likely to be spotted and not available to the typical attacker - basically, your attacker must have control over an ISP or carrier. There are no feasible unidirectional spoofing attacks against TCP (yet). Bidirectional IP spoofing is trivial on a LAN though.
Reference: Is it safe to trust $_SERVER['REMOTE_ADDR']?
Doing IP address filtering would be a method to reduce the attack surface by having a whitelist of IP addresses, but not doing authentication, because it will only authenticate the network address and not the person.
E.g. if somebody else happens to use the same computer, he didn't need to enter any password to get the equivalent features. So you can't enforce accountability at the person level.
However if you used IP filtering in combination of something else, e.g. a PIN number on top of the IP filtering, that's already a bit better.
You don't have to notify. Cookies have to be notified because of an EU law.
Apache, by default, like most other similar programs, keeps access logs, as do many other tools you probably have on your server. These all save user IP addresses anyway, so you are already saving them. https://httpd.apache.org/docs/2.4/logs.html
The problem with this approach is that people on a mobile connection (an entire area using the same IP), in the same house, or using a different browser will share the same IP. Or people travelling on a mobile device will be constantly changing IPs, or people with dynamic IP addresses (there are entire countries like this; this is super common).
Imagine you are using two gmail accounts and regardless of the browser, it just logs you in to the same account. Normally one would expect a site to be "fresh" when run in a different browser, for example.
Check out sessions, it is probably what you want.
Right now I have this implemented in my Dev environment:
I store the $_SERVER['REMOTE_ADDR'] as a session variable upon login, then recheck on every page load for the same IP address.
The more I read, I see that many people don't like this idea because of proxies etc... So, what are some other options that can still be good practice? I was thinking about USER AGENT - but any joe-blow can fake that with a simple Firefox plugin. That said, at least it would take a good guess from an attacker to successfully pick the right one on the first try...
What do people think? I'd love to simply just change out the text: 'SERVER_ADDR' with something else - all the other code can remain as is.
Thanks.
EDIT:
I guess my main goal here is to prevent hijacking/fixation. An IP check would in theory ensure that the user remains the user at all times (well, unless somebody's spoofing the IP also...) - but the session is basically saved to an IP address in this manner...
Well, from someone who has spent half my time trying to prevent session hijacks, I can tell you that is a wrong way to go about it.
Yes, in theory you will have guaranteed the user is the same, but then in practice you will get expected 'unexpected' results.
Certain ISP change the IP with every page load. Proxies like tor do that as well.
Your best bet is simply to use the user agent. Though that has drawbacks, you can't have a fully secure system. Just ensure that you prevent xss on your site and most likely, the user can't be faked too easily.
I had other implementations.
The first involved taking the first part of the IP and hashing it with the ua to ensure that the IP is always in the same range, but then I found out that the country ranges vary.
Another involved a country lookup to ensure that the IP is from the same country, but then again that involved an extra database lookup.
The best you can do is make it harder, but it will never be secure.
Almost forgot. Remember to regenerate the session ID whenever you increase a user's privileges, such as in a login. This will help prevent session fixation attacks where the session ID is passed via URL.
Remember your xss.
You can always do a mask on IP: 134.23.%.%.
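The regenerate-on-login and User-Agent binding advice from this thread, put together as an added example (this is not code from any of the posts above). It assumes the site is served over HTTPS and that the fingerprint is a hash of the User-Agent only, since the answers here argue against binding to the IP address; the function and variable names are the example's own.

```php
<?php
// Added example (not code from the original thread): the session measures the
// answers above ask for, regenerating the ID when privilege changes and binding
// the session to a hash of the User-Agent rather than to the IP address.
declare(strict_types=1);

// Must run before session_start(). Strict mode makes PHP refuse a session ID it
// did not issue (a fixation attempt with a planted ID just gets a fresh ID), and
// cookies-only stops the ID from being accepted from the query string.
function configureSession(): void
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// The binding value stored in the session. Hashing keeps the raw UA out of the
// session file and gives a fixed-width value for hash_equals().
function clientFingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Call after the password check succeeds. The pre-login ID is discarded, so an
// ID an attacker planted or observed before login is worthless afterwards.
function onLoginSuccess(array &$session, array $server, int $userId): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // true = delete the old session data too
    }
    $session['uid'] = $userId;
    $session['fp']  = clientFingerprint($server);
}

// Per-request check. A mismatch does not prove hijacking (a browser update
// changes the UA), so the caller should re-authenticate rather than ban.
function sessionMatchesClient(array $session, array $server): bool
{
    if (!isset($session['uid'], $session['fp'])) {
        return false;
    }
    return hash_equals($session['fp'], clientFingerprint($server));
}

// Constructed walk-through on a plain array, so it runs without a web server.
$session  = [];
$browser  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) demo/1.0'];
$attacker = ['HTTP_USER_AGENT' => 'curl/8.5.0'];

onLoginSuccess($session, $browser, 42);
var_dump(sessionMatchesClient($session, $browser));   // the client that logged in
var_dump(sessionMatchesClient($session, $attacker));  // same cookie replayed from a different client
```

In a real request handler the calls are `configureSession(); session_start();` and then `onLoginSuccess($_SESSION, $_SERVER, $id)` / `sessionMatchesClient($_SESSION, $_SERVER)`. The walk-through at the bottom deliberately uses a plain array in place of `$_SESSION` so the binding logic can be exercised from the command line; `session_regenerate_id()` is only invoked when a session is actually active.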
I have a web portal running which involves basic data entry. The issue being that this is highly sensitive data. And the credibility of the data entry personnel is very low.
Therefore I have implemented recording of the IP when an entry is made.
The problem I am facing is that if this person starts forwarding his IP from a proxy server then I am unable to track the authenticity of the data.
How do I detect if IP forwarding is happening / get the real IP address of the person?
You can't. Not in any reliable fashion.
You will only ever know the IP address of the request sender with 100% certainty. Whether this sender is a proxy or not can't be reliably detected. If it's a proxy, there's no way to get the originating IP address (reliably).
Require user logins with strong passwords or otherwise enhance your authentication mechanism.
The point of some proxy servers is to not reveal the real IP of the user. However, some proxies supply an HTTP header such as "X-Forwarded-For" or "X-Real-IP". But those headers should neither be taken for granted nor should they be trusted. A user might as well just put another faked IP in there.
Basically, using the IP address as a user identifier is not reliable.
Another way to identify a user is cookies. The most simple case: You store the user ID into a cookie and store it with the data. Now the user may use browser privacy modes that flush cookies soonishly.
A way around that might be storing the user ID in different places too. See, for example, evercookie. It tries really hard to never ever lose the user ID. But then again, the user could just change computers and you might not be able to track that. You can't be 100% sure.
You can check the X-Forwarded-For header. However, if they are using an anonymous proxy, you won't be able to retrieve the ip. You might be better off implementing a stronger username/password policy, i.e., forcing password changes often.
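The two answers above disagree on X-Forwarded-For: one says never trust it, the other says check it. Both are right in different deployments, and the reconciling rule is the one shown below as an added example (not code from any answer on this page): the header is only meaningful when `REMOTE_ADDR` is a proxy you run yourself, and even then only the hops appended by your own proxies can be trusted. The proxy addresses and sample requests are constructed for the demonstration.

```php
<?php
// Added example (not from the original answers): derive the client IP from
// REMOTE_ADDR plus X-Forwarded-For, honouring the header only when the TCP
// peer is a proxy we operate. The proxy list is an assumption for this demo.
declare(strict_types=1);

const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // hypothetical reverse proxies

/**
 * Return the IP to attribute the request to.
 *
 * REMOTE_ADDR is the TCP peer and cannot be changed by an HTTP header.
 * X-Forwarded-For is appended to by each proxy (leftmost = original claim,
 * rightmost = added by the last proxy). We walk it from the right, dropping
 * addresses that belong to our own proxies; the first address that is not
 * ours is the best attributable value. Anything left of it was supplied by
 * the client (or an unknown proxy) and is ignored.
 */
function clientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct connection (or an unknown proxy): trust only the TCP peer,
        // whatever the client put into X-Forwarded-For.
        return $remote;
    }
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_values(array_filter(array_map('trim', explode(',', $xff)), 'strlen'));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;            // added by one of our own proxies, keep walking
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;      // garbage in the header: fall back to the peer
        }
        return $hop;
    }
    return $remote;              // header empty or every hop is one of ours
}

// Constructed requests.
// Case 1: no proxy in front of us, and the client forges the header itself.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
];
// Case 2: request arrives via our proxy 10.0.0.5; the client forged a leading
// hop and the proxy appended the address it actually saw.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.23',
];

echo clientIp($direct), "\n";
echo clientIp($proxied), "\n";
```

For the first request the function returns the TCP peer and the forged header is never consulted; for the second it returns the hop that our own proxy observed and discards the client-supplied `1.2.3.4`. If the site has no reverse proxy at all, leave the trusted list empty and the function degrades to plain `REMOTE_ADDR`, which is the behaviour the answers above recommend.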
My requirement is I have a portion of the site that should allow a user to access it from only one system. He may use different IPs, but if the system is the same he should be able to get access. My site is in PHP. Doing some R&D I found some JS which helps to get the MAC address if the visitor is using IE. In my case I cannot restrict the user to IE. He may use any browser. Is there any way to get the MAC address? If not possible, how should I restrict the same user from accessing content from different computers?
No. MAC addresses are not useful beyond the local network, so they're not available in the upper layers (eg. Application layer). Using Javascript to get the address isn't exactly foolproof either, since it's incredibly easy for someone to manipulate.
If you want to restrict the hosts that a user can access your site on, you'll need to use a method of storage persistence within the browser to store a key - something that uniquely identifies them. Some forums use this method to catch people attempting to bypass their bans.
You should generate some kind of random key (or encrypt a string), store it on the server-side along with the user you want to identify, then give the user the key to be stored in a cookie/localStorage.
Though, there is the obvious problem of a user clearing their cookies...
Hopefully that gives you a bit of head-start.
Daniel is correct, it's not practical to attempt to use MAC addresses.
For your purpose, you'll probably want to use a few layers. Cookies are a good place to start. As stated though, they can be cleared. The user also may have cookies turned off. Cookies are also stored in plain text on their computer, and they're really easy for the user to modify.
You could also implement sessions with PHP. Each session is unique for each system, and browser. If the user switches browsers or restarts their current browser, the session is re-created.
You could also check their user-agent string. It will be different for each browser, and "most likely" each system, but it can easily be spoofed.
You could also use a public/private key exchange, but that can be a pain to implement and manage.
There really is no one fool proof solution. The best bet is probably to use a combination of techniques to get it as "close to foolproof" as you can. Just try not to make it too inconvenient for the user.
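The "random key stored server-side, handed to the browser in a cookie" approach from the first answer, worked through as an added example (not code from the answers above). The in-memory `$devices` array stands in for the database table a real site would use, the cookie name and lifetime are the example's own choices, and it assumes HTTPS so the cookie can be marked `secure`.

```php
<?php
// Added example (not from the original answers): a per-device token that binds
// an account to the browser profile it was enrolled from, along the lines of
// the cookie/localStorage key suggested in this thread. The $devices array
// stands in for whatever database table the real site would use.
declare(strict_types=1);

/** Enroll the current browser for $userId; returns the secret to hand to it. */
function enrollDevice(array &$devices, int $userId): string
{
    $secret = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    // Store only a hash: a dump of the table cannot be replayed as cookies.
    $devices[hash('sha256', $secret)] = ['user' => $userId, 'enrolled' => time()];
    return $secret;
}

/** Set the token as a cookie that script cannot read and cross-site requests do not carry. */
function sendDeviceCookie(string $secret): void
{
    setcookie('device_token', $secret, [
        'expires'  => time() + 365 * 86400,
        'path'     => '/',
        'secure'   => true,                   // assumes HTTPS
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

/** Return the user the presented token was enrolled for, or null if unknown. */
function userForDevice(array $devices, ?string $presented): ?int
{
    if ($presented === null || strlen($presented) !== 64 || !ctype_xdigit($presented)) {
        return null;                          // wrong shape: never touch the store
    }
    // Looking up by the hash of the secret leaks nothing about the secret itself,
    // so an exact-match lookup is safe here.
    return $devices[hash('sha256', $presented)]['user'] ?? null;
}

/** Gate for the restricted area: the logged-in user must be on a device enrolled to them. */
function allowRestricted(array $devices, int $sessionUser, ?string $cookie): bool
{
    return userForDevice($devices, $cookie) === $sessionUser;
}

// Constructed walk-through.
$devices = [];
$aliceToken = enrollDevice($devices, 1001);   // first login from her own machine
// In a web request the next step would be sendDeviceCookie($aliceToken).

var_dump(allowRestricted($devices, 1001, $aliceToken));                // her enrolled machine
var_dump(allowRestricted($devices, 1001, null));                       // another machine, no cookie
var_dump(allowRestricted($devices, 1001, bin2hex(random_bytes(32))));  // guessed token
var_dump(allowRestricted($devices, 2002, $aliceToken));                // someone else holding her cookie
```

The caveats from the thread still apply: clearing cookies removes the token, so the site needs an enrollment path (re-login plus the usual verification) rather than a hard lock-out, and a user who copies the cookie to a second machine defeats the check. What the design does buy is that the database never holds anything an attacker could turn back into a valid cookie, and a token that is presented by the wrong account, or not at all, is refused without a database round trip.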
I stored the user's IP address when they registered. After that, if they access the site from another IP address I need to ask some security questions based on the registration. So is it possible to track the IP address? Otherwise the IP will change frequently?
p.s No need to bother about Proxies and IP spoofing.
$_SERVER['REMOTE_ADDR'] returns the IP address. You know that, since you stored it in the database. When they login, you simply try to match their IP with what you have in the database and popup the questions. I don't see where the problem is. Also, if you didn't, consider using INET_NTOA and INET_ATON ( http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html ) functions of MySQL.
Good luck annoying users!
Unless you can guarantee that each user will have a consistent IP address (which you can't), why bother with this sort of "authentication"?
Short answer is no. There's no way to track the IP address because a user could log on using a different computer, and the IP would be totally unrelated.
In practice many different users from the public internet often use the same IP address via NAT or other IP sharing. DHCP is much more common than it was in days of yore, which means these IP addresses will be released and re-issued daily or at some other frequency. Mobile devices will change IP addresses frequently. So the stability and validity of an IP address varies by networking technology (cellular, cable, DSL, dial-up, etc).
This may be fine, based on your security policies. You should also look at nonces, forced logins, and other security mechanisms based on what you're trying to accomplish. You may want to change the session id every N requests or hash the User Agent string with the IP address.
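The question in this thread (ask security questions when the login IP differs from the one recorded at registration) and the "134.23.%.%" mask comment in the session-hijacking thread above both come down to comparing a stored address against the current one with some prefix tolerance. This added example (not code from any of the posts) does that on packed binary addresses, which is the form `inet_pton()` returns and MySQL's `INET6_ATON()` stores, so IPv4 and IPv6 are handled the same way. The /24 and /64 tolerances are an assumption of the example.

```php
<?php
// Added example (not from the original answers): decide whether a login comes
// from a "new" network relative to the address recorded at registration, with
// the prefix tolerance hinted at by the "134.23.%.%" mask idea. Addresses are
// kept in packed binary form (inet_pton / MySQL INET6_ATON) so IPv4 and IPv6
// go through the same code path.
declare(strict_types=1);

/** Pack an address for storage; returns null for anything that is not a valid IP. */
function packIp(string $ip): ?string
{
    $packed = inet_pton($ip);
    return $packed === false ? null : $packed;
}

/** Compare the leading $bits bits of two equal-length packed addresses. */
function samePrefix(string $a, string $b, int $bits): bool
{
    $fullBytes = intdiv($bits, 8);
    if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0 || $fullBytes >= strlen($a)) {
        return true;                 // prefix ends on a byte boundary (or covers it all)
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
}

/**
 * True when $current lies outside the network the registered address is in.
 * $v4Bits / $v6Bits set the tolerance; /24 and /64 are common ISP allocation
 * sizes and are an assumption of this example, not a fixed rule.
 */
function ipNetworkChanged(string $registered, string $current, int $v4Bits = 24, int $v6Bits = 64): bool
{
    $a = packIp($registered);
    $b = packIp($current);
    if ($a === null || $b === null || strlen($a) !== strlen($b)) {
        return true;                 // unparseable or IPv4-vs-IPv6: treat as a change
    }
    $bits = strlen($a) === 4 ? $v4Bits : $v6Bits;
    return !samePrefix($a, $b, $bits);
}

/** The policy from the question: only ask the security questions on a network change. */
function needsSecurityQuestions(string $registeredIp, string $loginIp): bool
{
    return ipNetworkChanged($registeredIp, $loginIp);
}

// Constructed cases: a DHCP renewal inside the same /24, a move to a
// neighbouring /24, and a switch of address family.
var_dump(needsSecurityQuestions('134.23.10.5', '134.23.10.200'));
var_dump(needsSecurityQuestions('134.23.10.5', '134.23.11.5'));
var_dump(needsSecurityQuestions('134.23.10.5', '2001:db8::1'));
```

Store `packIp($ip)` in a `VARBINARY(16)` column (or let MySQL do the packing with `INET6_ATON()`) rather than the dotted string, so the comparison never depends on how the address was formatted when it was written. The tolerance is a policy knob, not a security boundary: as the answers above note, a user behind a carrier NAT or on a mobile connection will still trip it, which is why the step-up here is extra questions rather than a refusal.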