
reliability getting ip address through code

Posted: Sun Jun 25, 2006 11:25 am
by mparker1113
Hi,

I found this code for getting a client's ip address:

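Code:

// Prefer the proxy-supplied header when present (client-controlled value)
if (getenv('HTTP_X_FORWARDED_FOR'))
{
  $ip = getenv('HTTP_X_FORWARDED_FOR');
  $host = gethostbyaddr($ip); // reverse DNS lookup of that address
} else {
  // No forwarding header: use the address of the TCP peer
  $ip = getenv('REMOTE_ADDR');
  $host = gethostbyaddr($ip);
}
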
So, I tried it out on my system, and both of my computers that are connected to my router returned the same address. So, I removed the router from the DSL modem, and linked directly through the modem -- still getting the same ip address, which is not the address that I get from ipconfig at the command prompt.

I want to know if I am getting an actual ip address from my location, or an address which merely locates my isp. Because, I want to be able to know when a person logs in more than once, but not when an ISP does.

Any input would be very revered.

Thank you,

Mike

Posted: Sun Jun 25, 2006 11:58 am
by Roja
You cannot reliably get the ip address of users. Whether it is NAT, or proxies, or other items, IP addresses do not have a reliable relationship to the users.

Check my sig. :)

Posted: Sun Jun 25, 2006 12:10 pm
by Chris Corbyn
I agree with Roja. It's not reliable information. I use code similar to what you posted in that it checks for the FORWARDED header, but the only place I actually use an IP address check is in statistics gathering for things like hit counters and other traffic analysis. I wouldn't rely on an IP address if it was critical to the design of an authentication system or suchlike... I mean, the forwarded value can easily be spoofed, or not passed at all.
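The spoofing point above, as an added example that is not part of the original thread: X-Forwarded-For is honoured only when the TCP peer is one of the site's own reverse proxies, and the chain is read from the right so that client-supplied entries on the left are never trusted. `client_ip()`, `TRUSTED_PROXIES` and all addresses are hypothetical, constructed values; the result still names a NAT gateway or proxy, not a person.

```php
<?php
// Added example. TRUSTED_PROXIES and client_ip() are hypothetical names;
// all addresses below are constructed sample values.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Best-effort client address for logging/statistics only.
 * The forwarded header is considered only when REMOTE_ADDR (the TCP peer)
 * is one of our own proxies; otherwise it is client-supplied and ignored.
 */
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address at all
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, $trusted, true)) {
        return $peer; // direct connection, or header sent by an untrusted peer
    }
    // Rightmost entries were appended by our proxies. The first hop from the
    // right that is not ours is the closest address we can vouch for;
    // anything further left could have been typed in by the client.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed header: fall back to the TCP peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was one of our own proxies
}

// Constructed sample requests.
$direct  = ['REMOTE_ADDR' => '203.0.113.7',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '192.0.2.9, 198.51.100.23'];

var_dump(client_ip($direct));  // header ignored: peer is not our proxy
var_dump(client_ip($proxied)); // hop recorded by our proxy, not the leftmost entry
```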

Re: reliability getting ip address through code

Posted: Sun Jun 25, 2006 12:39 pm
by timvw
mparker1113 wrote: Because, I want to be able to know when a person logs in more than once, but not when an ISP does.
How would you define a 'person'? And how is it modelled in your system?

Only when we know this, we can start giving you suggestions for the identification of these 'persons'...

(Eg: two people that share a computer, are they the same person in your model?)

Posted: Sun Jun 25, 2006 3:09 pm
by mparker1113
The purpose of my locating when someone has already logged in is for a customer who has recipes posted on their site which are specific for their product. They want for users to be able to post ratings/reviews for recipes. I will store the reviews in a database, and if I stored the corresponding ip address, I could make reasonably sure that people were not trying to "hack the results." I am not going to force log ins, as that is not what this site is looking for, just want to put some kind of net in place to see if they are voting more than once for the same recipe. (Of course, they can vote as many times as they would like as long as they are reviewing different recipes.)

I suppose I might have to go to cookies for this.

What say you?

Posted: Sun Jun 25, 2006 4:48 pm
by Chris Corbyn
OK, look at it this way. An association may have 1000 computers hooked up to the internet but they only have 1 external IP address you can see. Two people log onto your site, they are both the same person if all you're going by is an IP.

In my house, we have three computers, all connected to a router. We are all the same person.

Cookies/sessions could perhaps be used in some way, yes, although again this could probably be worked around easily.

Without an actual set of fixed credentials to identify a "person" (i.e. username/password) this is not going to be reliable. I wonder what use cookies could be here? :)