Alternative to $_SERVER['REMOTE_ADDR'] in php - php

Is there any alternative to $_SERVER['REMOTE_ADDR'], which returns the IP address of the computer accessing a site?
I'm trying to search about same external ip assigned by router, and got into this:
How do two computers connect to same external address through NAT?
And found out that the same external ip is assigned if the computers are connected to the same modem.
I'm creating a simple login program in php which uses $_SERVER['REMOTE_ADDR'] to determine if a user is already logged in somewhere else in the same network. And this won't actually work if those computers are connected to the same modem through the router.

No, this is the best you can do. The server only knows where the request is coming from, and that may be a proxy or a NAT router or some other entity which is not the direct end user. There's nothing you can do about that, that's how networks work.
The solution is simple: Don't use IPs to identify users. Ever. Use cookies.

Using a more traditional cookie-based login solves this. The browser identifies the user by providing a unique token. IP, as you have discovered, is not unique.
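The cookie-based approach the two answers above recommend, as an added example that is not code from the original question or answers: the browser is identified by a random token stored in a cookie, the server keeps only a hash of that token, and the client's IP address is never consulted. The cookie name, the in-memory `$store` array (a real deployment would persist it in a database table keyed by the token hash), the sample user table and the fixed clock values are all assumptions made for this example.

```php
<?php
// Added example (not from the original answers): identify the browser by a
// random token in a cookie, with the token's hash kept server-side, instead of
// by IP address. $store is a plain array here; a real deployment persists it.

declare(strict_types=1);

const TOKEN_COOKIE   = 'auth_token';      // cookie name (assumed)
const TOKEN_LIFETIME = 30 * 24 * 3600;    // 30 days, a typical "remember me" horizon

// Constructed sample user table: username => password hash (assumed data).
function userTable(): array
{
    return ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
}

function checkPassword(string $user, string $pass): bool
{
    $users = userTable();
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Issue a token for $user; returns the raw value that goes into the cookie.
function issueToken(array &$store, string $user, int $now): string
{
    $raw = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $store[hash('sha256', $raw)] = [           // keep only the hash: a leaked store cannot be replayed
        'user'    => $user,
        'expires' => $now + TOKEN_LIFETIME,
    ];
    return $raw;
}

// Return the user for a presented cookie value, or null if unknown or expired.
function userForToken(array &$store, ?string $raw, int $now): ?string
{
    if ($raw === null || !preg_match('/^[0-9a-f]{64}$/', $raw)) {
        return null;                           // malformed cookie: reject before any lookup
    }
    $key = hash('sha256', $raw);
    if (!isset($store[$key])) {
        return null;                           // no such token
    }
    if ($store[$key]['expires'] <= $now) {
        unset($store[$key]);                   // expired: drop it so it cannot be reused
        return null;
    }
    return $store[$key]['user'];
}

function revokeToken(array &$store, string $raw): void
{
    unset($store[hash('sha256', $raw)]);       // logout: the cookie value is now worthless
}

// Cookie attributes that keep the token off clear-text connections and away from scripts.
function sendTokenCookie(string $raw, int $now): void
{
    setcookie(TOKEN_COOKIE, $raw, [
        'expires'  => $now + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// --- walkthrough with a fixed clock (constructed values) -----------------------
$store = [];
$t0 = 1700000000;

if (checkPassword('alice', 'correct horse battery')) {
    $raw = issueToken($store, 'alice', $t0);
    // In a real request: sendTokenCookie($raw, $t0); the browser then returns
    // the value in $_COOKIE[TOKEN_COOKIE] and it is passed to userForToken().
    var_dump(userForToken($store, $raw, $t0 + 60));                 // valid token
    var_dump(userForToken($store, 'deadbeef', $t0 + 60));           // malformed cookie value
    var_dump(userForToken($store, str_repeat('0', 64), $t0 + 60));  // well-formed but unknown
    revokeToken($store, $raw);
    var_dump(userForToken($store, $raw, $t0 + 60));                 // revoked (logged out)

    $raw2 = issueToken($store, 'alice', $t0);
    var_dump(userForToken($store, $raw2, $t0 + TOKEN_LIFETIME));    // expired on the lifetime boundary
}
```

Two users on the same NAT address each get their own token, so the "already logged in elsewhere" question becomes "does a live token exist for this user", which is answered from the store rather than from REMOTE_ADDR.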

Related

Get User IP address in laravel with similar method to HTTP_X_FORWARDED_FOR

I need to get my users' IP addresses.
I found this article How to get Client Ip Address in Laravel 5.1?
The above mentioned article uses the Request::ip();
However, this method returns my server's IP address. From what I can understand from other sources, this happens when the site is localhost - but the site is hosted and is live on a server.
This site is live and online, but it might refer to localhost, as the site might be sitting on its own server (I don't have any experience in server config to know if this is true or not, just a guess).
When I connect to the DB Host, I do so using localhost referencing as well, and not something like mysql.phpmyadmin.hosting.com as DB Host. Therefore, my guess is, that the Request::ip(); returns the server ip, because the site somehow is sitting localhost.
However, if I use $_SERVER['HTTP_X_FORWARDED_FOR']; I get the correct IP address.
Now to my final question: Is this safe to use? Is there another way to use a Laravel function to make this request?
From what I can understand, the $_SERVER['HTTP_X_FORWARDED_FOR']; can have security holes, according to How to get the client IP address in PHP?.
Can I use $_SERVER['HTTP_X_FORWARDED_FOR']; safely without worrying? If not, what other way could I go, to get the users IP address safely?
The risk with X-Forwarded-For is that a user could create the header themselves, and thus pass along any IP they wish.
The solution is to only trust the header when REMOTE_ADDR is that of your trusted proxy. There's a Laravel package that lets you enforce this restriction.
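The rule in the answer above (use X-Forwarded-For only when REMOTE_ADDR is your own proxy), as an added example that is not the Laravel package's code or anything from the original thread. The TRUSTED_PROXIES list, the function names and the sample request arrays (which use documentation address ranges) are assumptions made for this example.

```php
<?php
// Added example (not the Laravel package's code): resolve the client IP by
// trusting X-Forwarded-For only when the direct peer (REMOTE_ADDR) is one of
// our own proxies. Any other request gets REMOTE_ADDR, header or no header.

declare(strict_types=1);

// Assumed list of our reverse proxies / load balancers (CIDR blocks or single IPs).
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.0.2.10'];

// True if $ip lies inside $cidr (IPv4 or IPv6); a bare address matches exactly.
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false;                          // unparsable, or IPv4 compared with IPv6
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;                          // nonsensical prefix length
    }
    $full = intdiv($bits, 8);                  // whole bytes that must match exactly
    if (substr($ipBin, 0, $full) !== substr($subBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;                          // leftover bits in the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($subBin[$full]) & $mask);
}

function isTrustedProxy(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// $server is the $_SERVER array (passed in so the function is testable).
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;   // direct connection, or a header sent by an untrusted peer: ignore it
    }
    // X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the
    // peer it saw. Walk from the right, skipping our own proxies; the first
    // address that is not ours is the client as seen by our outermost proxy.
    // Anything to the left of it was supplied by the client and is untrusted.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote;   // garbage in the header: trust none of it
        }
        if (!isTrustedProxy($hops[$i])) {
            return $hops[$i];
        }
    }
    return $remote;           // every hop was one of our own proxies
}

// Constructed sample requests:
// 1. Through our proxy; the client injected "1.2.3.4" and the proxy appended the real peer.
var_dump(clientIp(['REMOTE_ADDR' => '10.1.2.3',
                   'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.5']));
// 2. Direct connection carrying a forged header: the header plays no part.
var_dump(clientIp(['REMOTE_ADDR' => '198.51.100.7',
                   'HTTP_X_FORWARDED_FOR' => '1.2.3.4']));
```

The same idea is what Laravel's trusted-proxy middleware enforces: the header is meaningful only for the hop that your own infrastructure wrote, so the list of proxies must be the exact set of addresses that can reach the application, not a wildcard.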

PHP: get client IP or MAC address to 'prove' client is from own Intranet?

Note: This is a logic/security question, not really a 'how to' for PHP.
First the background...
I want to restrict access to a company INTRAnet website to only people who are using a company computer (Windows or Linux) and who are connected to our company network 'in office' or remote via VPN.
At the moment users log in with their company userid and password, which are authenticated via LDAP, for every session. I want to make life a little easier for them and allow them to use a 'remember me' option at login and then store some information in a cookie.
The information I thought of putting in the cookie is their username and either the client IP address or client MAC address and setting an expiry of 30 days for example. On a subsequent login, the existence of this cookie indicates a valid user and valid client are being used, so no need to login again (pass-through).
Now the question(s)...
Is it the case, that a system call from PHP will only return an IP or MAC address if the client is authorized on and connected to our corporate network? If this is true then by reverse logic, getting a null return value from one or both of these addresses means the client computer is not authorized to connect to our corporate network - is that correct? Is there a better way (more secure way without having users forced to log in each session) of solving this?
Thanks in advance.
A MAC is only available on the same subnet; if your intranet is a little more expansive it will probably have routing internally, especially if VPNs are involved as well. So there's no reliable way to get the MAC address of the client, no.
The IP is bound to change very likely as clients go online and offline, so an IP is useless as well.
Really, if your concern is that the application should only be accessed via the intranet, the best way to ensure that is to configure the intranet/server to only be physically accessible via the intranet. If the network won't route external requests to the server, then there's no way anyone from outside could access the server/application. Worrying about this in application code is the wrong place.
You can easily get the MAC address of the client by using php exec("getmac /fo csv"); on Windows and then use this string to authenticate the user.
Thanks

viewing PHP file is restricted by IP (My IP), is there a way someone else to view it?

I have website and have one page for receiving some news (newly registered users, activity, etc.) and is restricted for everyone except for my IP (Page for only me to view).
I'm interested if there is a way that someone else can "fake" my IP and view this file?
P.S. I am aware of other ways of doing this.
Usually, you don't get fixed IPs; most providers give dynamic IPs. So if you restart your router, your IP will change and make it impossible to access the page again. If you get a fixed IP, it should work. He can ofc. modify the IP, but then he won't get the response back.
Converting my comments to an answer.
It depends on how you are trying to get the client's IP address. If you are:
only using $_SERVER['REMOTE_ADDR'] to get the ip address
don't have a shared ip address
don't use a (shared) proxy
You should be just fine, because a possible attacker can technically spoof the IP address, but that would not work because (as Andrey rightfully pointed out to me) the TCP handshake would simply fail.
Some caveats:
Your IP may change at some point effectively locking yourself out.
When you are behind a proxy / internal -> external router / vpn / otherwise shared ip other people in the same network might also have access
Never ever ever use $_SERVER['HTTP_X_FORWARDED_FOR'] because this can be spoofed easily.

No static IP but need to restrict access to a specific location

I have a small web function that should run only when the user is in the office. But the problem is that our internet provider changes its IP regularly and I can't keep track of it. We have Windows 7 systems in our office and they don't have any static IP. I can't even set a static IP as it will hamper the internet provider settings and will stop connecting to the internet. I'm stuck now. Is there a way with which I can make sure that a person is in the office only when he is using that function?
The surest way is to ID using the MAC address since IP can be changed; the MAC address is harder to spoof and does not change. It is the "serial number" of the network card. So unless they take the card home, they won't be able to access it. Have a read at
this post
You could use dyndns to get the current ip.
Dynamic DNS allows you to redirect a host name to a dynamic IP.
So if you get a request from an unknown IP or more than x seconds have passed since the last request, you can use gethostbyname to retrieve the office IP.
Free Dynamic DNS:
http://www.dnsdynamic.org/
Getting the IP:
$ip = gethostbyname('sample.dnsdynamic.org'); // takes a host name, not a URL; returns the name unchanged on failure
One way to do it would be to set up the server so it exposes 2 services - 'A' with the "special office-only function" available, and 'B' without.
Then, set up the network security so that Service A is only accessible over a VPN tunnel from your office.
--
An alternative approach might be to use PKI - get the office computers installed with certificates that are required to access the Service A functionality. However, while complicated, it is still possible for users with sufficient authority and knowledge to copy the certificate and install it at home.
If your users aren't nerds, you can set a special cookie in the office computers, and check against that every time the user accesses the application.
(If your users know how to set and unset cookies, that would fail, as they would simply copy this behavior to their home).
Also, there should still be a specific range of IPs when connecting from the office (even if the IP changes), sample a few IPs and check for a recurring pattern.
Provide your office user with some kind of token, after they authorize. Then use the token to determine if access is granted or not.
The token can be stored in a cookie on the office user's computer, so authorization is done only once.
If you have access to the office network, you may try to configure your server, which gives access to the internet, so it will add some token (cookie?) to all requests (sent to your server). And you will check it in your code.
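The dynamic-DNS answer above (re-resolve the office name when an unknown address shows up or the last lookup is old) combined with the earlier advice to compare only REMOTE_ADDR and never X-Forwarded-For, as an added example that is not code from any of the original answers. The office host name (a reserved `.invalid` placeholder), the cache file path, the timing constants and the function names are assumptions made for this example; it also handles the failure mode the earlier snippet glosses over, namely that gethostbyname() returns the host name unchanged when resolution fails.

```php
<?php
// Added example (not from the original answers): gate an office-only function on
// REMOTE_ADDR matching the office's current public address, looked up through a
// dynamic DNS name and cached. Only REMOTE_ADDR is consulted, never
// X-Forwarded-For, because that header is client-controlled.

declare(strict_types=1);

const OFFICE_HOSTNAME = 'office.example.invalid';  // placeholder dynamic DNS name for the office router
const CACHE_FILE      = '/tmp/office_ip.cache';    // assumed cache location (single server)
const CACHE_TTL       = 300;                       // normally re-resolve at most every 5 minutes
const REFRESH_MIN     = 30;                        // on a mismatch, re-resolve at most every 30 seconds

// Resolve the office address; null when resolution fails.
function resolveOfficeIp(string $host): ?string
{
    $ip = gethostbyname($host);
    // gethostbyname() hands back the host name itself on failure, so compare
    // and validate rather than trusting the return value.
    if ($ip === $host || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return $ip;
}

// Cached lookup: the cache holds {"ip":..., "ts":...} and is reused while younger than $maxAge.
function currentOfficeIp(string $host, string $cacheFile, int $maxAge, int $now): ?string
{
    if (is_file($cacheFile)) {
        $cached = json_decode((string) file_get_contents($cacheFile), true);
        if (is_array($cached) && isset($cached['ip'], $cached['ts'])
            && $now - (int) $cached['ts'] < $maxAge) {
            return (string) $cached['ip'];
        }
    }
    $ip = resolveOfficeIp($host);
    if ($ip !== null) {
        file_put_contents($cacheFile, json_encode(['ip' => $ip, 'ts' => $now]), LOCK_EX);
    }
    return $ip;   // null on failure; the caller fails closed
}

// $server is the $_SERVER array (passed in so the function is testable).
function isFromOffice(array $server, int $now): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '') {
        return false;
    }
    $office = currentOfficeIp(OFFICE_HOSTNAME, CACHE_FILE, CACHE_TTL, $now);
    if ($office !== null && $remote === $office) {
        return true;
    }
    // Unknown address: the office IP may have just changed. Re-resolve once,
    // rate-limited, so strangers cannot force a DNS query on every request.
    $office = currentOfficeIp(OFFICE_HOSTNAME, CACHE_FILE, REFRESH_MIN, $now);
    // Fail closed: no resolved office address means nobody is "in the office".
    return $office !== null && $remote === $office;
}

// Usage at the top of the office-only function:
if (!isFromOffice($_SERVER, time())) {
    http_response_code(403);
    exit('This function is only available from the office network.');
}
// ... office-only work follows here
```

Everyone behind the office router shares that one public address, so this check establishes "the request came through the office connection", not which person sent it; the LDAP login or a per-user token still has to do that part.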

How i change my ip address to a given address and access a website

How to change the IP address such that it does not reveal our original address when using $_SERVER['REMOTE_ADDR']; in php
You need to use a proxy server if you're trying to access a website from a different IP than your own. Wikipedia has more information.
There are several options I have in mind for this. I will go from the simpler to the more complicated one.
First, you could use a proxy server and ask him through an HTTP request made by your program or your browser, to fetch a resource for you. The proxy server will take the role of querying a resource in your place to the target service.
Example :
You want to retrieve the main page of the domain stackoverflow.com. You ask the proxy server to ask stackoverflow's HTTP server to send him the main page and he will forward it back to you.
To SO webserver, the superglobal $_SERVER['REMOTE_ADDR'] variable will correspond to the proxy server's IP address and not yours. However, the HTTP protocol implements some fields such as HTTP_VIA, HTTP_X_FORWARDED_FOR, or HTTP_FORWARDED which can be used to know if the current HTTP request is made by a proxy or not.
A transparent proxy will not specify those fields and will not modify your request whereas a non-transparent proxy may reveal the original IP address of the original requester. You have to use a reliable proxy which will act as you intend it to act. Another thing to consider is the use of an SSL tunnel between you and the proxy to avoid eavesdropping.
The second solution is to use a VPN (Virtual private network) server. It would be too complicated to fully explain how this works, but remember this: when you are connected to a computer using a VPN service (like l2tpd, pptpd ...) it's like you were on the same LAN with this computer. So you can transparently make requests to a webserver and he will never find out what your real IP address is.
A third solution could be to use a linked-nodes based network such as TOR. It's a free network you can connect to, and you will be completely anonymous to regular people. The TOR network's power is to provide a network of many nodes where each node doesn't know anything about other nodes, so even people connected to the TOR network cannot know anything about you. I suggest you read more about this if you're interested.
There are more complicated other solutions such as TCP session hijacking which is generally used to fake IP addresses and literally steal another computer's TCP connection, but this is out of the scope of this answer.
