PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Mon Jun 27, 2005 6:58 pm
DevNet Master

Joined: Tue Jan 20, 2004 12:11 am
Posts: 4897
Location: Leuven, Belgium


PostPosted: Tue Jun 28, 2005 7:58 am
Forum Regular

Joined: Wed Jan 14, 2004 6:06 pm
Posts: 746
I'm a bit confused by that last reply, timvw.

You say that HTTP_ACCEPT_CHARSET isn't good to use, but it's from your own fingerprint function?

Or maybe it's just late. 8O


PostPosted: Tue Jun 28, 2005 9:53 am
DevNet Master

Joined: Tue Jan 20, 2004 12:11 am
Posts: 4897
Location: Leuven, Belgium
After I read that HTTP_ACCEPT_CHARSET can change, I don't think it's a good idea to use. I admit that the code I wrote needs an update.


PostPosted: Tue Jun 28, 2005 3:49 pm
Forum Contributor

Joined: Tue Jun 28, 2005 2:47 pm
Posts: 126
Location: Ljubljana, Slovenia
I use USER_AGENT and REMOTE_ADDR. If there is a possibility that users will have different IP addresses during 1 session, I only use the first half of the address -> [104.54].234.99.
Maybe they change IP, but certainly not continent or state :D. So it's still partially locked to IP.


PostPosted: Tue Jun 28, 2005 4:10 pm
DevNet Master

Joined: Tue Jan 20, 2004 12:11 am
Posts: 4897
Location: Leuven, Belgium


PostPosted: Tue Jun 28, 2005 6:05 pm
Forum Contributor

Joined: Tue Jun 28, 2005 2:47 pm
Posts: 126
Location: Ljubljana, Slovenia
In case of IP switching between single requests in a session, I don't believe that the IP's highest two octets are gonna change. But even if they do - if you take only the first IP number, you're still protected from me, for example.


PostPosted: Tue Jun 28, 2005 6:09 pm
Forum Contributor

Joined: Tue Jun 28, 2005 2:47 pm
Posts: 126
Location: Ljubljana, Slovenia
Forgot to mention; not sure, but I believe IE changes the ACCEPT headers. I've read it somewhere a while ago. Something about adjusting these headers to the document type in question or something, don't remember really. Be sure to check it out.


PostPosted: Tue Jun 28, 2005 6:57 pm
Tutorials Group

Joined: Sun Jan 04, 2004 11:30 pm
Posts: 2692


PostPosted: Tue Jun 28, 2005 7:43 pm
DevNet Master

Joined: Tue Jan 20, 2004 12:11 am
Posts: 4897
Location: Leuven, Belgium
Most browsers also allow you to change the UserAgent string, etc.

It's a matter of choosing those variables that you expect are not going to change while they are using your web application. If a user decides to change his UserAgent string in a session anyway, he will need to log in again...
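
The fingerprint discussed in the posts above (USER_AGENT plus the first half of REMOTE_ADDR, with a new login on mismatch), as an added example that is not part of the original thread. The function names, the 'fingerprint' session key, the SHA-256 hash and the handling of non-IPv4 addresses are assumptions; the sample requests are constructed.

```php
<?php
// Added example, not code from the thread. Function names and the
// 'fingerprint' session key are hypothetical.

// First two octets of an IPv4 address: "104.54" for 104.54.234.99.
function ip_prefix(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return ''; // assumption: non-IPv4 clients are not tied to a prefix
    }
    list($a, $b) = explode('.', $ip);
    return $a . '.' . $b;
}

// Hash of the request values expected to stay constant within one session.
function session_fingerprint(array $server): string
{
    $agent  = $server['HTTP_USER_AGENT'] ?? '';
    $prefix = ip_prefix($server['REMOTE_ADDR'] ?? '');
    return hash('sha256', $agent . "\n" . $prefix);
}

// Store the fingerprint on first use; afterwards require an exact match.
function fingerprint_ok(array &$session, array $server): bool
{
    $current = session_fingerprint($server);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $current;
        return true;
    }
    return hash_equals($session['fingerprint'], $current);
}

// Constructed sample requests; $session stands in for $_SESSION.
$session  = [];
$requests = [
    'login'            => ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '104.54.234.99'],
    'same /16, new IP' => ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '104.54.12.7'],
    'other network'    => ['HTTP_USER_AGENT' => 'ExampleBrowser/1.0', 'REMOTE_ADDR' => '198.51.100.20'],
    'other user agent' => ['HTTP_USER_AGENT' => 'OtherBrowser/2.0',   'REMOTE_ADDR' => '104.54.234.99'],
];
foreach ($requests as $label => $server) {
    // On a mismatch a real application would destroy the session and ask for a new login.
    echo $label, ': ', fingerprint_ok($session, $server) ? 'accepted' : 'login required', "\n";
}
```

Both inputs can be changed on the client side, as the thread notes for the User-Agent, so the check is an additional condition on top of the session ID and not a substitute for it.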


PostPosted: Tue Jun 28, 2005 7:44 pm
Forum Contributor

Joined: Tue Jun 28, 2005 2:47 pm
Posts: 126
Location: Ljubljana, Slovenia


PostPosted: Tue Jun 28, 2005 10:49 pm
Forum Contributor

Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124


PostPosted: Tue Jun 28, 2005 11:24 pm
Tutorials Group

Joined: Sun Jan 04, 2004 11:30 pm
Posts: 2692


PostPosted: Tue Apr 29, 2008 6:42 pm
Forum Commoner

Joined: Tue Apr 29, 2008 6:31 pm
Posts: 33
I have a question for this old thread. Many of the responses here say never rely on IPs, but what if you can detect proxy IPs? Wouldn't adding a non-proxy IP to one's fingerprint add extra security?

I read this thread:



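And I found this code, which is supposed to detect proxy IPs, although I have no clue how reliable it is:

if (
    // Proxy-related request headers; !empty() avoids undefined-index
    // notices when a header is not present in the request.
    !empty($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !empty($_SERVER['HTTP_X_FORWARDED'])
    || !empty($_SERVER['HTTP_FORWARDED_FOR'])
    || !empty($_SERVER['HTTP_CLIENT_IP'])
    || !empty($_SERVER['HTTP_VIA'])
    // REMOTE_PORT (the client's source port) is one of the listed port numbers.
    || in_array((int) $_SERVER['REMOTE_PORT'], array(8080, 80, 6588, 8000, 3128, 553, 554))
    // The client address accepts a TCP connection on port 80 (30-second timeout).
    || @fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 30)
) {
    exit('Proxy detected');
}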


PostPosted: Tue Apr 29, 2008 7:01 pm
Forum Commoner

Joined: Tue Apr 29, 2008 6:31 pm
Posts: 33
Hmm, I read this in regard to proxy headers:

"Highly anonymous proxies don’t add the abovementioned headers and can’t be detected with this technique."


