tonit, posted April 29, 2011:
Hello, I have a website where only a couple of people can access it, so the number of IPs logged in is very limited. Everything submitted by the 'admins' logged in is sent to a specific folder dependent on their IP address. Again, they can't access the website through a proxy or anything because there's a limited range of IPs that is allowed. Can I trust $_SERVER['REMOTE_ADDR'] to give a valid IP so the log system would be 100% stable and efficient?

requinix, posted April 29, 2011:
It's not impossible to forge an IP address (but it is incredibly rare). The upside is that it only works on the request - the forger won't get the response. With that said, to log in the client must receive the appropriate cookies (which go in the response). For that to happen the IP address must be correct. If you track the login IP address in the session/database and compare that with the IP address for each sensitive request you should be able to prevent any IP spoofing exploits.

fugix, posted April 29, 2011:
I have heard of $_SERVER['REMOTE_ADDR'] returning the web server IP address, as well as the browser IP address. I have not checked to see if it was fixed, however.

requinix, posted April 29, 2011:
I'd be surprised if it was a PHP bug (kinda surprised). My first guess would be that the web server had a kind of proxy or load balancer running.

fugix, posted April 29, 2011:
Most likely a proxy, I agree... just wanted to throw it out there.

gizmola, posted April 29, 2011:
> I'd be surprised if it was a PHP bug (kinda surprised). My first guess would be that the web server had a kind of proxy or load balancer running.
Exactly. If, for example, you use a reverse proxy for load balancing, REMOTE_ADDR will be the same for every user. In that case, PHP will typically load $_SERVER['HTTP_X_FORWARDED_FOR']. It will often be an array with all the IP addresses that were utilized.
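
Added example, not part of the thread or written by any poster: a PHP sketch that combines the login-IP check requinix describes with the reverse-proxy case. It assumes a hypothetical TRUSTED_PROXIES list of proxies you operate; the function names and sample addresses are constructed for illustration.

```php
<?php
// Assumption: addresses of the reverse proxies / load balancers you operate.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// REMOTE_ADDR is the TCP peer; X-Forwarded-For is a request header (a
// comma-separated string) and is honoured only when the peer is our proxy.
function client_ip(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer; // direct connection: any forwarded header is ignored
    }
    // Walk the chain right to left: the first hop that is not one of our
    // proxies is the address our own infrastructure actually saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null; // missing or malformed header: fail closed
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer; // every hop was one of our proxies
}

// Store the address at login, then compare on each sensitive request.
function remember_login_ip(array &$session, string $ip): void
{
    $session['login_ip'] = $ip;
}

function same_ip_as_login(array $session, ?string $ip): bool
{
    return $ip !== null && isset($session['login_ip'])
        && $session['login_ip'] === $ip;
}

// Constructed sample requests using documentation address ranges.
$login   = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.9'];
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
$session = [];
remember_login_ip($session, client_ip($login));
foreach (['same client' => $login, 'other peer with forged header' => $direct] as $label => $req) {
    echo $label, ': ', same_ip_as_login($session, client_ip($req)) ? 'allow' : 'deny', PHP_EOL;
}
```

The second sample request connects directly and supplies the login address only in the header, so the comparison is made against its real peer address.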