tags:

views:

139

answers:

2
+2  Q: 

What are the possible return values for $_SERVER['REMOTE_ADDR'];?

In writing a login module, I want to log IP's as an additional measure for verifying who's on the other side is still the same person on the other side.

I'm using $_SERVER['REMOTE_ADDR'] as one (of many) ways to get the remote machine's IP address. Aside from an IPv4 or IPv6 address, are there any other values i should expect this to return?

+2  A: 

According to the PHP online documentation only an IP address should be returned.

http://us.php.net/manual/en/reserved.variables.server.php

“'REMOTE_ADDR':

The IP address from which the user is viewing the current page.”

Tim  2009-10-06 17:57:12
the problem is that i've read and seen instances where $_SERVER['REMOTE_ADDR'] returns multiple addresses. a quick google search turns up this link: http://www.bigresource.com/PHP-Why-is-_SERVER-REMOTE_ADDR-returning-multiple-IP-Addresses--Mcv258QQ.html
pxl  2009-10-06 18:17:46
A: 

There's really no added security to checking IP addresses as these can be easily spoofed and anyone who's savvy enough to be intercepting POST transactions is probably doing this anyways.

Also, you may be potentially annoying legitimate users. Think of the instance where a person may be in a location where there are several free open wifi hotspots. When they get to your login page, they may be connected to one hotspot but by the time they sign in, their machine may have decided another router is a better option and therefore their IP will change. Believe it or not, this may deter some (albeit, very few) easily-frustrated users.

Honestly, I just wouldn't bother. Using SSL, if you can, is usually the best way to go to avoid security issues like the one you're describing. Good luck with your project.

KyleFarris  2009-10-06 18:49:49
hey kyle, thanks for your comments. i'm just trying to be thorough when it comes to user information and verifying the proper credentials. And considering things like wifi hotspots and other areas where the user can get annoyed by a false positive are what I want to be thinking about when designing the log-in scheme.
pxl  2009-10-06 19:07:37
Excellent. :-) Glad to be of assistance.
KyleFarris  2009-10-06 19:19:08

related questions

How can I use both PHP 4 and 5 with the same apache install?
Resolve a filename from another file
exporting mysql data to ODF with php
How do I iterate through DOM elements in PHP?
Caller function in PHP 5?
How to link to a gzipped javascript in an html document?
PHP 5.x syncronized file access (no database)
Custom Filters/Validators in Zend Framework
PHP5: Specifying a datatype in method parameters
Zend PHP5 Certification, does it matter?
PHP: self vs this
PHP __destruct() method
Stored Procedures, mySQL and PHP5
Dynamic class variables
Tidy Converting <Span Style="Font-Style:Bold"> to <Class="C1">.
PHP equivalent of Perl's 'use strict' (to require variables to be initialzied before use)
Where would you advertise for a UK based telecommuting PHP developer?
Is there any way to detect the target class in PHP 5 static methods?
How to create a DOM from a User's input in PHP5?
PHP - command line arguments in Windows
How do I access class variables of a parent object in PHP?
In PHP5, should I use Exceptions or trigger_error/set_error_handler ?
Best way to hide DB connection code in PHP5 for apps that only require one connection?
Get MIME type of a local file in PHP5 without a PECL extension?
Implications of Instantiating Objects with Dynamic Variables in PHP