Hi all,
I'm currently digging into socket programming and found this function call socket_getpeername()
http://au2.php.net/manual/en/function.s ... ername.php
It retrieves the host ip address and port. I'm not sure if this is the server port and ip or the client's.
Is there a function that we can use to get the client 'real' ip address not the last one from the relay?
If a client is behind a firewall or proxy server, are we going to get the proxy ip address or the client's machine ip address where the request is made?
Thanks for the answer....
socket_getpeername()
Re: socket_getpeername()
RTFM.
kwong wrote:
Hi all,
I'm currently digging into socket programming and found this function call socket_getpeername()
http://au2.php.net/manual/en/function.s ... ername.php
It retrieves the host ip address and port. I'm not sure if this is the server port and ip or the client's.
Is there a function that we can use to get the client 'real' ip address not the last one from the relay?
If a client is behind a firewall or proxy server, are we going to get the proxy ip address or the client's machine ip address where the request is made?
Thanks for the answer....
You'll get the proxy ip. Some proxies will tell you the "real" IP of the user in some header - Via, x-forwarded-for, or another. Some will not be distinguishable from an end client. Some client will lie to you that he is a proxy. You can't know for sure.
socket_getpeername -- Queries the remote side of the given socket
socket_getsockname -- Queries the local side of the given socket
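An added example, not part of the original posts: one way to act on the answer above is to believe X-Forwarded-For only when the direct peer (the address socket_getpeername() reports) is a reverse proxy you run yourself. The names TRUSTED_PROXIES and resolve_client_ip() and all addresses are assumptions constructed for illustration.

```php
<?php
// Added example: resolve the client address, believing X-Forwarded-For only
// when the direct TCP peer is a proxy we operate ourselves.

// Assumption: addresses of our own reverse proxies (constructed sample values).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * $peer : address of the TCP peer, as reported by socket_getpeername()
 *         (or $_SERVER['REMOTE_ADDR'] under a web server)
 * $xff  : raw X-Forwarded-For header value, or null if the header is absent
 */
function resolve_client_ip(string $peer, ?string $xff): string
{
    // Peer is not one of our proxies: the header is client-supplied, ignore it.
    if ($xff === null || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    // Walk the chain right to left. Each trusted proxy appended the address it
    // saw, so the first non-trusted hop is the furthest we can vouch for.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;        // malformed entry: fall back to the peer
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;                // chain held only our own proxies
}

// Constructed cases using documentation address ranges.
$cases = [
    ['203.0.113.9', null],                        // direct client, no header
    ['203.0.113.9', '198.51.100.7'],              // untrusted peer sends a header
    ['10.0.0.5',    '198.51.100.7'],              // request came via our proxy
    ['10.0.0.5',    '192.0.2.1, 198.51.100.7'],   // client prepended its own entry
    ['10.0.0.5',    'not-an-ip'],                 // garbage header
];
foreach ($cases as [$peer, $xff]) {
    printf("%-12s %-26s => %s\n", $peer, $xff ?? '(none)', resolve_client_ip($peer, $xff));
}
```

Even in the trusted-proxy case the result is only the address our own proxy saw; it may itself be another proxy or a NAT gateway, so it is suitable for logging and rate limiting, not for identifying a user.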
Re: socket_getpeername()
Modred, thanks for your answer.
In fact, it has triggered another question which sounds like this:
"If we can't know for sure our visitor IP address, how would it be possible to distinguish one visitor and another?"
"How do we know that it is Visitor A who connects again, regardless of their username and password, as these login details can be used by a different person?"
Thanks for the answer....
Re: socket_getpeername()
Well, you can't be 100% sure. You can only hope that it's true 
Can you stop me giving my account to my wife, who will connect from our home ISP, with the same password and the same IP, from the same browser with the same settings? Can you recognize the case? (Hint: the answer isn't "yes")
The real question is: Should you?
Answer: no.
You work with user accounts. Accounts are recognized in the login process, and identified by a session id (SID), most commonly in a cookie. If you don't have vulnerabilities that allow attacks on the SID (XSS, session fixation, information leaks, predictable SID generation), you can be really sure that it's the same account.