I am creating a poll script for a Facebook fan page:
http://www.facebook.com/apps/application.php?id=115400635147687&v=app_115400635147687
I am getting the IP using:
$_SERVER['REMOTE_ADDR']
But the problem is that each time I refresh the page or make an AJAX call, the IP changes. Someone told me that Facebook has many IPs and proxies.
Basically I need to save the IP in the database, so that once a user from a certain IP has voted, he should not be able to do so again.
What is the solution or alternative to this?
Blocking by IP is not really a reliable way of doing things (you need to consider people sharing the same public IP). Since it is a Facebook application, can't you block by the logged-on Facebook account instead?
I assume the IP at the top of the linked page is what you're dealing with. If we do a whois:
$ whois 69.63.181.250
OrgName: Facebook, Inc.
OrgID: THEFA-3
Address: 1601 S. California Ave
City: Palo Alto
StateProv: CA
PostalCode: 94304
Country: US
NetRange: 69.63.176.0 - 69.63.191.255
CIDR: 69.63.176.0/20
We find that those IPs belong to Facebook's servers, not to your users.
If I understand what's happening correctly, when someone requests a page from your application, Facebook's servers request it from you on their behalf. In that case, you simply won't be able to get your users' IPs.
Note that when developing a fan page in Facebook, the Facebook servers essentially act as a proxy. That is, the user's browser asks Facebook for the page, then Facebook's servers make a request to your website to get the content. The Facebook server then rewrites all links and JavaScript so that any callbacks go through the Facebook servers first.
In the end, that means that you'll never see the user's "actual" IP address on your server: you'll only ever see Facebook's IP addresses.
This is done for privacy reasons, as I understand it. That is, the user will have to explicitly allow your application to access their profile before you will be able to get any "identifiable" information about them.
I found the perfect solution finally. Basically, when you do an AJAX post, you can get the user's ID using:
$_POST['fb_sig_user']
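A POST field is only as trustworthy as the signature sent with it, so this added example (not part of the original answer) checks the signature before counting one vote per user ID. It assumes the legacy canvas scheme, MD5 over the sorted fb_sig_* pairs followed by the application secret; APP_SECRET, the votes table and the sample request are constructed placeholders.

```php
<?php
// Added example. APP_SECRET, the votes table and the sample request are constructed.
const APP_SECRET = 'app-secret-placeholder';

// Returns the fb_sig_* parameters (prefix stripped) if fb_sig matches, else null.
// Assumed legacy scheme: md5 of sorted "key=value" pairs followed by the secret.
function verifiedFbParams(array $post, string $secret): ?array
{
    $params = [];
    foreach ($post as $name => $value) {
        if (strpos((string) $name, 'fb_sig_') === 0 && is_string($value)) {
            $params[substr($name, 7)] = $value;
        }
    }
    ksort($params);
    $base = '';
    foreach ($params as $k => $v) {
        $base .= "$k=$v";
    }
    $given = is_string($post['fb_sig'] ?? null) ? $post['fb_sig'] : '';
    return hash_equals(md5($base . $secret), $given) ? $params : null;
}

// One vote per Facebook user: the primary key turns a second insert into a no-op.
// INSERT OR IGNORE is SQLite syntax; other databases have their own equivalent.
function recordVote(PDO $db, string $userId, int $optionId): bool
{
    $stmt = $db->prepare('INSERT OR IGNORE INTO votes (fb_user, option_id) VALUES (?, ?)');
    $stmt->execute([$userId, $optionId]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE votes (fb_user TEXT PRIMARY KEY, option_id INTEGER NOT NULL)');

// Constructed request, signed the way the assumed scheme would sign it.
$post = ['fb_sig_user' => '1000001', 'fb_sig_time' => '1280000000'];
$post['fb_sig'] = md5('time=1280000000user=1000001' . APP_SECRET);

$params = verifiedFbParams($post, APP_SECRET);
var_dump($params !== null && recordVote($db, $params['user'], 2)); // first vote
var_dump(recordVote($db, $params['user'], 3));                     // repeat vote
$post['fb_sig_user'] = '1000002';                                  // tampered id
var_dump(verifiedFbParams($post, APP_SECRET));
```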
Related
It would be useful if, when placing an order or submitting a form, we could reliably include the visitor's referrer with the request. This is not always simple because, for example, the user could have found us via Adwords, left the site and come back by typing in the address. In this case, we would want to know the Adwords campaign for this specific visitor. Google Events don't fit well with our workflow.
Other questions have tried to use Javascript and apparently that is not possible. I noticed that Google sets a _ga cookie which we can read - it gives us an ID that looks like this: GA1.2.123456789.1234567890. Can we use PHP to extract the referrer according to Google from that ID?
Not in realtime, no. It used to be possible with the previous version of GA, which evaluated traffic sources clientside and stored the values in a cookie. However, with Universal Analytics the processing is now done serverside and the information is not accessible in realtime (there is a realtime API, but that's for various reasons not feasible for getting data on individual users).
It is however possible to get the referrer data via JavaScript - you look at document.referrer and (if the referrer domain is different from your own domain) store it in a cookie (since the question is tagged with PHP, you can do the same with $_SERVER['HTTP_REFERER']).
This will not exactly match Google's info (Google will show referrals from Google properties, Yahoo, Bing etc. not as referrer but as organic search traffic) but should be close enough.
I want to implement a referral program for my SaaS product.
The partner will have a link on their website that will direct their user to my signup form:
domain.com/referral/201030
"201030" being the member id from the partner site.
I want to make sure the page request came from my partner site.
I know I could check $_SERVER['HTTP_REFERER'] but that is not secure.
Is there a way I can check the IP address of the site referring the user to my webpage with PHP?
When do you need high security?
For an API for example, you want to track the incoming traffic and make sure only authenticated clients can access the API. This needs higher security standards and exchange of public keys and secrets.
When not?
A referral program doesn't need this kind of security.
The more traffic you have, the better for you. You don't care where the lead is coming from. When I send my partner program link to someone via messenger, there is not even a HTTP_REFERER.
Is it even possible?
It is impossible to make sure where the user is coming from without serverside interaction, obfuscation and dynamic links.
Any chance?
The only way, using a static link, is $_SERVER['HTTP_REFERER']. You can downvote the answer now, but it doesn't change the fact that there is no way with a simple, non-dynamic link like the one shown in the question.
Turn the referer into an IP
To turn the HTTP_REFERER into an IP:
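// The Referer header is optional and client-controlled, so it may be missing or malformed.
$host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
// gethostbyname() returns the host name unchanged when the lookup fails.
$ip = is_string($host) ? gethostbyname($host) : null;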
Keep in mind, this is neither reliable nor secure in any way.
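What a dynamic link with server-side interaction could look like, as an added example that is not part of the original answer: the partner's server signs the member ID and a timestamp with a shared secret, and the signup page verifies both. The secret, the ts/sig parameter names and the 10-minute window are assumptions.

```php
<?php
// Added example. The shared secret, the ts/sig parameter names and the
// 10-minute validity window are assumptions, not part of the original answer.

// Partner side: build a short-lived signed link for member $memberId.
function buildReferralLink(string $memberId, string $secret, int $now): string
{
    $sig = hash_hmac('sha256', $memberId . '.' . $now, $secret);
    return 'https://domain.com/referral/' . rawurlencode($memberId)
        . '?' . http_build_query(['ts' => $now, 'sig' => $sig]);
}

// Receiving side: true only if the partner's secret produced this link recently.
function verifyReferral(string $memberId, string $ts, string $sig,
                        string $secret, int $now, int $maxAge = 600): bool
{
    if (!ctype_digit($ts) || abs($now - (int) $ts) > $maxAge) {
        return false;
    }
    $expected = hash_hmac('sha256', $memberId . '.' . $ts, $secret);
    return hash_equals($expected, $sig);
}

// Constructed demo values.
$secret = 'per-partner-secret-placeholder';
$now    = 1700000000;
$link   = buildReferralLink('201030', $secret, $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);

var_dump(verifyReferral('201030', $q['ts'], $q['sig'], $secret, $now + 60));   // fresh link
var_dump(verifyReferral('201031', $q['ts'], $q['sig'], $secret, $now + 60));   // altered member id
var_dump(verifyReferral('201030', $q['ts'], $q['sig'], $secret, $now + 3600)); // stale link
```

A valid signature shows that the link was generated with the partner's secret; a visitor can still copy the link elsewhere within the validity window.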
I am writing an API for one service, and now I need to restrict some calls for some URLs. Let's say that you are a user and you choose that only stackoverflow.com can see your information, or that stackoverflow.com, facebook.com and google.com cannot see your information.
I have the system on the backend (white vs. black lists) but now I need to find a way to get the URL from the call.
Yes, some people will be using curl and it will be easy, but a lot of people will simply use file_get_contents(), and this API also has an image output, so some people will use
<img src="http://domain.com/api/something.jpg" />
Any thoughts on how to get the URL, without having developers actually encode the URL into the calling URL?
Thanks
Check the IP address ($_SERVER['REMOTE_ADDR']) of the requesting client. You can whitelist IP addresses of the servers allowed to connect to your API. For the image output, you can use $_SERVER['HTTP_REFERER'] and ensure that it is from a domain you have whitelisted.
However, I am not recommending this implementation. You should make use of API keys. These are like passwords given to clients using your API. Only those with API keys can access your API. At the same time, when their servers change IP addresses, they will still be able to access your API.
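One way to apply the white/black lists to an authenticated API key instead of REMOTE_ADDR or the Referer header, as an added example that is not the answerer's code. The key format, the in-memory key store and the policy array layout are assumptions.

```php
<?php
// Added example. Key format, in-memory stores and policy layout are assumptions.

// Issue a key for a consumer; only the SHA-256 digest is kept server-side.
function issueApiKey(array &$keyStore, string $consumer): string
{
    $key = bin2hex(random_bytes(32));
    $keyStore[hash('sha256', $key)] = $consumer;
    return $key; // handed to the consumer once, never stored in clear
}

// Map a presented key to the consumer it was issued to, or null if unknown.
function consumerForKey(array $keyStore, string $presented): ?string
{
    return $keyStore[hash('sha256', $presented)] ?? null;
}

// Apply the user's list to the authenticated consumer, not to a request header.
function mayRead(array $policy, ?string $consumer): bool
{
    if ($consumer === null) {
        return false; // unauthenticated callers see nothing
    }
    $listed = in_array($consumer, $policy['list'], true);
    return $policy['mode'] === 'whitelist' ? $listed : !$listed;
}

// Constructed demo: two consumers and one user's blacklist.
$keys      = [];
$soKey     = issueApiKey($keys, 'stackoverflow.com');
$googleKey = issueApiKey($keys, 'google.com');
$policy    = ['mode' => 'blacklist', 'list' => ['stackoverflow.com', 'facebook.com']];

var_dump(mayRead($policy, consumerForKey($keys, $soKey)));          // blacklisted consumer
var_dump(mayRead($policy, consumerForKey($keys, $googleKey)));      // consumer not on the list
var_dump(mayRead($policy, consumerForKey($keys, 'made-up-key')));   // unknown key
```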
I'm making a social network and I'm trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends, like in Facebook.
I can do this using IP checks, but that would be stupid if the user had a dynamic IP address. Another option is cookies, but that would also be stupid for many reasons - one being that it's client side.
So then, I think the MAC address will be the thing to use, but I have no idea how to grab the MAC address using PHP or JavaScript.
I think if this is possible, then it will be via JS because it is client side.
So any suggestions?
Why is it 'stupid' to use client-side information for authentication? That's where you'll be getting the username and password from, and you're likely trusting that already.
There is no way to grab the user's MAC address unless you're on the same network and the network allows such a lookup using ARP.
You'll likely have to use cookies for this, and just make sure not to clear them if a particular browser is 'trusted'. If you think users are likely to share cookies with each other along with their username and password, you could encode some other browser-specific fields (exact UA header?) into the cookie to add more data you can use to decide if the client is trusted.
That's more a comment than an answer:
I'm making a social network and I'm trying to implement this feature where if the user is logged in from a different machine it will ask him to type in the password or identify his friends, like in Facebook.
I'm not the author of that feature from Facebook, so I don't have the specification of that feature at hand. If you would be so kind as to add the specification of the feature you are asking about to your question, it's probably possible to answer your question profoundly.
I have come up with a solution.
I can use this API, http://ipinfodb.com/ip_location_api.php, and grab the location of my users, and if it changes, ask them to verify the device.
I am a web developer and I want to design a commercial website to sell a customer's product. Sell and buy activities are important and I need to maintain user activity information to keep the site secure.
I want to write a dynamic website. I want to control all user activity and then decide whether to save user activity information in a database. Some of the site's visitors are registered users and some are anonymous. I want to save online information such as IP address, username, page name, and date/time for my registered users.
I want to know:
How do I save a user's IP address?
What more do I need to save?
Saving each HTTP request's details into a database will work for low-traffic web sites, but you will have performance issues in the case of a popular website, since writing to a database is a relatively slow operation.
Why not use server HTTP logs instead?
All HTTP web servers create plain text log files which record the remote user's IP address, the URL requested, etc. You can create an activity report by writing your own script or using log file report tools. AWStats ( http://awstats.sourceforge.net/ ) is one of the most popular open-source tools for this.
On the client side you can use Google Analytics to track user activity. It also provides means to track custom events:
_gaq.push(['_trackEvent', 'login', 'user_login', "custom data"]);
More info at: http://code.google.com/apis/analytics/docs/tracking/asyncUsageGuide.html
This option only tracks users with JavaScript enabled, so it won't show bots, crawlers or users who have analytics-blocking addons installed.
I'm not sure I understand all of your question...but to address at least one aspect of it, if the user is behind a proxy, then you have no way of determining what their real IP is. That's the whole point. The proxy is the one making the request and then forwarding it. Without asking the proxy yourself, you cannot determine that. With regards to what else you need to save, it depends entirely on what you want to do and you haven't done a good job of explaining why you are saving this data. If you can clarify that, perhaps we can help you a bit more in determining what data you should be saving.
Edit: To address your clarification, if you wanted to be crazy, you could log everything that a person does. Every link they click, every product they view, etc. I don't necessarily advocate that as I find it a bit creepy, but there are definitely sites that do it. At the bare minimum, I would suggest logging what products people look at and then what products they buy. I would also log that information on a per-session basis. Basically, what products do people look at and then end up buying on the same trip to your store. I wouldn't worry too much about the "real" IP address. Most people won't be behind a proxy and those that are, you can't do anything about anyway.
How do I save a user's IP address?
$_SERVER['REMOTE_ADDR']
What more do I need to save?
That's quite a strange question. It's your application, not someone else's. How can we guess what information you need?
However, at least one issue I can point out: a page name is not sufficient to log "all user activity". The query string and POST data usually contain important details on that activity.