I have some extra features on a site that employees can use but customers are not allowed to see.
The employees are all going to be on a series of domains.
What I do is get the user IP like so:
$user_ip = gethostbyname($_SERVER['REMOTE_ADDR']);
Then I get an array of all the IPs for the domains the users will be on using gethostbyname.
Then I check if the user is on one of the domains like so:
in_array($user_ip,$allowedIPS)
So if the user is on one of the domains they see additional features for internal use. Otherwise they just see what is meant for the general public.
My question is, is this secure? Or could someone potentially spoof their IP to appear like they are on our domain and gain access to these features?
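
The check described in the question, written out as an added example that is not part of the original post. It collects every IPv4 address for each domain with gethostbynamel() and grants nothing when a lookup fails; the domain names, function names and the stand-in resolver with its sample addresses are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical employee domains (placeholders, not from the original post).
const EMPLOYEE_DOMAINS = ['office1.example.com', 'office2.example.com'];

// Resolve each domain to all of its IPv4 addresses.
// $resolver is injectable (an assumption of this example) so the logic runs without DNS.
function resolveAllowedIps(array $domains, ?callable $resolver = null): array
{
    $resolver = $resolver ?? 'gethostbynamel';
    $allowed = [];
    foreach ($domains as $domain) {
        // gethostbynamel() returns false on failure, whereas gethostbyname()
        // returns the hostname unchanged and only ever yields one address.
        $ips = $resolver($domain);
        if ($ips === false) {
            continue; // fail closed: an unresolvable domain adds no address
        }
        foreach ($ips as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                $allowed[$ip] = true; // array key de-duplicates addresses
            }
        }
    }
    return array_keys($allowed);
}

// REMOTE_ADDR is already an IP address, so it is compared directly
// instead of being passed through gethostbyname().
function isInternalClient(string $remoteAddr, array $allowedIps): bool
{
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    return in_array($remoteAddr, $allowedIps, true); // strict comparison
}

// Constructed DNS answers (documentation address ranges) standing in for real lookups.
$fakeDns = [
    'office1.example.com' => ['203.0.113.10', '203.0.113.11'],
    // office2.example.com is deliberately missing to simulate a failed lookup
];
$resolver = fn(string $host) => $fakeDns[$host] ?? false;

$allowed = resolveAllowedIps(EMPLOYEE_DOMAINS, $resolver);
foreach (['203.0.113.11', '198.51.100.7', 'office2.example.com'] as $candidate) {
    printf("%-22s internal=%s\n", $candidate, var_export(isInternalClient($candidate, $allowed), true));
}
```

In a request handler the call would be `isInternalClient($_SERVER['REMOTE_ADDR'], resolveAllowedIps(EMPLOYEE_DOMAINS))`; REMOTE_ADDR is the address of the peer that opened the TCP connection to the web server, so behind a reverse proxy it is the proxy's address.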