Get Real IP address and proxy of visitor in PHP

$_SERVER['REMOTE_ADDR'] or getenv('REMOTE_ADDR') is often used to find the IP address of a visitor to a website. But this value may not be the real IP address of the user who just visited the site. If the user is behind a proxy, then the value of $_SERVER['REMOTE_ADDR'] will be the IP address of the proxy server rather than that of the real user.

The $_SERVER superglobal has more fields which can be used to indicate the real IP address of the user in case the user is behind a proxy. HTTP_FORWARDED_FOR, HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are a few such fields.

More fields of this kind are:
HTTP_PRAGMA
HTTP_XONNECTION
HTTP_CACHE_INFO
HTTP_XPROXY
HTTP_PROXY
HTTP_PROXY_CONNECTION
HTTP_CLIENT_IP
HTTP_VIA
HTTP_X_COMING_FROM
HTTP_X_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_COMING_FROM
HTTP_FORWARDED_FOR
HTTP_FORWARDED
ZHTTP_CACHE_CONTROL

So if $_SERVER['HTTP_X_FORWARDED_FOR'] is set and has a valid IP address, then it is likely to be the real IP of the user, and $_SERVER['REMOTE_ADDR'] is the IP of the proxy server the user is behind.

But the extra fields like $_SERVER['HTTP_X_FORWARDED_FOR'] cannot be relied upon to be the real IP of the user even when they appear to be set to a valid IP address. For example, a user can send false HTTP headers with these values set to a random IP address, say 10.0.0.1. If the server checks them and ignores the value of $_SERVER['REMOTE_ADDR'], then it is likely to detect a wrong IP.

One idea is that, if any of the extra fields is set to a valid IP address value, the server checks whether the IP given by $_SERVER['REMOTE_ADDR'] is that of a proxy server or not.
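One way to implement that check, as an added example that is not code from the original post: the forwarded header is honoured only when REMOTE_ADDR is a proxy the site itself operates. The function name resolveClientIp(), the $trustedProxies list and the sample addresses are assumptions made for illustration, and the proxy is assumed to append the peer address to the right of any X-Forwarded-For value it receives.

```php
<?php
// Added example; resolveClientIp() and $trustedProxies are hypothetical names.

/**
 * Return the client IP, honouring X-Forwarded-For only when the direct
 * peer (REMOTE_ADDR) is one of our own known proxies.
 */
function resolveClientIp(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address
    }
    // Direct connection or unknown peer: any forwarded header was written
    // by the client, so it is ignored.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // The header is a comma-separated chain "client, proxy1, proxy2".
    // Walk from the right (closest to us); the first hop that is not one
    // of our proxies is the address our own proxy actually saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // header missing or unusable: fall back to the peer
}

// Constructed sample requests (documentation address ranges).
$trustedProxies = ['192.0.2.10'];
$samples = [
    'direct, spoofed header' =>
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'],
    'via our proxy' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via our proxy, spoofed prefix' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.23'],
];
foreach ($samples as $label => $server) {
    printf("%-30s => %s\n", $label, resolveClientIp($server, $trustedProxies));
}
```

In the first and third samples the spoofed 10.0.0.1 value is never returned, because only the hop recorded by the trusted proxy is used.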
