Page 1 of 1

socket_getpeername()

Posted: Wed Mar 12, 2008 8:59 pm
by kwong
Hi all,

I'm currently digging into socket programming and found this function call socket_getpeername()
http://au2.php.net/manual/en/function.s ... ername.php

It retrieves the host ip address and port. I'm not sure if this is the server port and ip or the client's.
Is there a function that we can use to get the client 'real' ip address not the last one from the relay?
If a client is behind a firewall or proxy server, are we going to get the proxy ip address or the client's machine ip address where the request is made?


Thanks for the answer....

Re: socket_getpeername()

Posted: Thu Mar 13, 2008 3:02 am
by Mordred
kwong wrote:Hi all,

I'm currently digging into socket programming and found this function call socket_getpeername()
http://au2.php.net/manual/en/function.s ... ername.php

It retrieves the host ip address and port. I'm not sure if this is the server port and ip or the client's.
Is there a function that we can use to get the client 'real' ip address not the last one from the relay?
If a client is behind a firewall or proxy server, are we going to get the proxy ip address or the client's machine ip address where the request is made?


Thanks for the answer....
RTFM.
socket_getpeername -- Queries the remote side of the given socket
socket_getsockname -- Queries the local side of the given socket
You'll get the proxy ip. Some proxies will tell you the "real" IP of the user in some header - Via, x-forwarded-for, or another. Some will not be distinguishable from an end client. Some client will lie to you that he is a proxy. You can't know for sure.

Re: socket_getpeername()

Posted: Thu Mar 13, 2008 6:08 pm
by kwong
Modred, thanks for your answer.
In fact, it has triggered another question which sounds like this:
"If we can't know for sure our visitor IP address, how would it be possible to distinguish one visitor and another?"
"How do we know that it is Visitor A who connects again regardless their username and password, as these login details can be used by different person."?

Thanks for the answer....

Re: socket_getpeername()

Posted: Fri Mar 14, 2008 3:47 am
by Mordred
Well, you can't be 100% sure. You can only hope that it's true :)
Can you stop me giving my account to my wife, who will connect from our home ISP, with the same password and the same IP, from the same browser with the same settings? Can you recognize the case? (Hint: the answer isn't "yes" :lol: )

The real question is: Should you?

Answer: no.

You work with user accounts. Accounts are recognized in the login process, and identified by a session id (SID), most commonly in a cookie. If you don't have vulnerabilities that allow attacks on the SID (XSS, session fixation, information leaks, predictable SID generation), you can be really sure that it's the same account.