Menu
today I came a across a pretty strange behaviour of an php based application of mine. In a certain part of the system there's an UI making use of AJAX-calls to fill list boxes with content from the backend.
Now, the AJAX listener performs a security check on all incoming requests, making sure that only valid client IPs get responses. The valid IP are stored in the backend too.
To get the client's IP I used plain old
$_SERVER['REMOTE_ADDR']
which works out for most of the clients. Today I ran into an installation where remote_addr contained the IP of an network adapter which was'nt that one which performed the actual communication for my application.
Googling around agve me Roshan's Blog entry on the topuic:
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))//check ip is pass from prxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
Sadly the problem persists.
Did anybody ever stumble into this sort of problem (actually I don't think that I discovered a completly new issue ^^) and has an idea for me how to fix this?
EDIT:
I'm on
The communication is done via a regular LAN card. Now the actuall client has several devices more. VMNet adapters and such.
I'm wondering how a client configuration can 'disturb' a web server that much...
TIA
K
710
Unfortunately, you have to take all IP information with a grain of salt.
IP addresses are gathered during the request by taking the packet and request information into account. Sadly, this information can easily be spoofed or even be incorrect (based on a large number of network probabilities) and should not be used for anything more than vanity purposes.
110
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
