tags:

views:

285

answers:

1

Hi %,

today I came a across a pretty strange behaviour of an php based application of mine. In a certain part of the system there's an UI making use of AJAX-calls to fill list boxes with content from the backend.

Now, the AJAX listener performs a security check on all incoming requests, making sure that only valid client IPs get responses. The valid IP are stored in the backend too.

To get the client's IP I used plain old

$_SERVER['REMOTE_ADDR']

which works out for most of the clients. Today I ran into an installation where remote_addr contained the IP of an network adapter which was'nt that one which performed the actual communication for my application.

Googling around agve me Roshan's Blog entry on the topuic:

function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))   //check ip from share internet
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))//check ip is pass from prxy
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

Sadly the problem persists.

Did anybody ever stumble into this sort of problem (actually I don't think that I discovered a completly new issue ^^) and has an idea for me how to fix this?

EDIT:

I'm on

  • PHP Version 5.2.9-1
  • Apache/2.2.9 (Win32)

The communication is done via a regular LAN card. Now the actuall client has several devices more. VMNet adapters and such.

I'm wondering how a client configuration can 'disturb' a web server that much...

TIA

K

+3  A: 

Unfortunately, you have to take all IP information with a grain of salt.

IP addresses are gathered during the request by taking the packet and request information into account. Sadly, this information can easily be spoofed or even be incorrect (based on a large number of network probabilities) and should not be used for anything more than vanity purposes.

Kevin Peno
Thx for this one, but is there any best practice you could recommend?
KB22
The code in your question is what I've seen as a "best option". It will catch the correct IP in most cases. Just understand that I wouldn't necessarily trust the results.
Kevin Peno
I C and accepted, but could you pls recommend be some reading on how the REMOTE_ADDR etc. are actually set by apache? I'd very much like to understand what's causing me trouble. TIA
KB22