Is It Safe to Trust $_SERVER['REMOTE_ADDR']

Is it safe to trust $_SERVER['REMOTE_ADDR']?

Yes, it's safe. It is the source IP of the TCP connection and can't be substituted by changing an HTTP header.

One case you may want to be wary of is if you are behind a reverse proxy, in which case REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as X-Forwarded-For). But for the normal use case, reading REMOTE_ADDR is fine.
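The reverse-proxy case described above, as an added example that is not part of the original answer: X-Forwarded-For is consulted only when REMOTE_ADDR is one of your own proxies, and the chain is read from the right so that values the client put in the header are ignored. The function name `client_ip`, the `TRUSTED_PROXIES` list and all addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: addresses of your own reverse proxies (constructed, documentation ranges).
// Plain string comparison suits this IPv4 list; IPv6 entries would need normalising first.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

// Hypothetical helper: resolve the client address from $_SERVER-style input.
// REMOTE_ADDR is the TCP peer; the forwarding header counts only if that peer is ours.
function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;            // absent when run from the CLI
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Direct connection: ignore any forwarding header the client sent.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    // Each trusted proxy appends the address it saw, so walking right to left,
    // the first hop that is not one of our proxies is the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;                              // empty or malformed header: use the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;                                      // header listed only our own proxies
}

// Constructed sample requests.
$samples = [
    'direct, header present'       => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'via proxy'                    => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via proxy, extra left value'  => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.23'],
    'command line'                 => [],
];
foreach ($samples as $label => $server) {
    printf("%-30s => %s\n", $label, client_ip($server) ?? '(none)');
}
```

The resolved address is still only as reliable as the proxy list: it holds when every listed proxy appends the peer address it saw and clients cannot reach the application server directly.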

Can $_SERVER['REMOTE_ADDR'] be trusted?

$_SERVER['REMOTE_ADDR'] cannot be modified by the user or via HTTP so you CAN trust it.

Is $_SERVER['REMOTE_ADDR'] secure?

Due to the three-way handshake of TCP/IP, $_SERVER['REMOTE_ADDR'] cannot be spoofed. There is (however) no guarantee that this is the IP address of the end user. He may be behind a proxy or VPN. What you can guarantee with $_SERVER['REMOTE_ADDR'] is that the machine which is directly connected to you has this exact IP and it is real.

How to safely use $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_USER_AGENT']

$_SERVER['REMOTE_ADDR'] is created by the webserver, it's safe and reliable. It's always just an IP address in numeric format, you don't need to sanitize it.

$_SERVER['HTTP_USER_AGENT'] comes from the client, and it can contain anything. If you're going to store it in the database or display it, you need to treat it like any other user-supplied input.

Reliability of PHP's $_SERVER['REMOTE_ADDR']

That variable is filled with data provided by Apache (or another web server daemon) and should be reliable in identifying the IP address on the other end of the connection, yes. Check for 127.x.x.x (almost always 127.0.0.1) and ::1 (for IPv6). As Senica says, it may not always exist (for example, when running from the command line rather than through the web server). But if it is filled, it should be reliable.

To be able to fake it, somebody already needs pretty extensive access to your network and system in a way that you can't protect against with PHP anyway.

Is it safe to trust request.remote_addr in VPN setup

The REMOTE_ADDR will always be the IP of the TCP connection emitter; there is no way for a potential attacker to modify it (except via a proxy). But there is a vulnerability if someone can access one of your users' networks (as they will have a valid IP). So if you can really trust your users' personal network security, yes, it is safe; otherwise, no.

Handling PHP errors with $_SERVER['REMOTE_ADDR'] reliable?

$_SERVER['REMOTE_ADDR'] is the address taken from the three-way confirmed TCP handshake. It's pretty darn robust. To fake it you have to fake the actual underlying TCP/IP connection, which is usually a tall order.

What I would be concerned about instead is changing IPs. 127.0.0.1 is probably pretty safe, but your home IP may change eventually and somebody else may get it assigned. This may not be a large problem, or it may be. Or you may appear to have the same IP as a large number of other users, with ISPs switching to carrier grade NAT over time.

All in all, using IPs at all as an identification system is flaky. IPs are an implementation detail of a data transport mechanism, nobody has ever said anything about IPs being suitable for internet-wide identification of users. I'd at least pair it with a secret cookie that needs to be set or a regular authentication that needs to have been established.

How secure is it to assume that if $_SERVER['SERVER_ADDR'] === $_SERVER['REMOTE_ADDR'], the server is the one making the request?

The best solution is using a secure password.

You won't have to worry about faked IP addresses or other possibly insecure checks that way, as long as your check only allows correct passwords.

    if ($_GET['password'] === 'my_password') {
        // code
    }

Consider using a secure compare function to avoid timing attacks.

Login security: can I trust php's $_SERVER['REMOTE_ADDR']?

Bad idea.

I used to be on a big network that had multiple IP addresses. Every request I made was assigned to one of the IP addresses by a load balancer. Effectively this meant that my IP address was rarely the same in two consecutive requests. I would be logged out of your system every time I loaded a page.

You could try using $_SERVER['HTTP_USER_AGENT'], as this will require the cookie thief to either have the exact same browser or (assuming the threat model allows for sufficiently skilled vandals) to forge the exact same UA string. That said, if you don't tell anyone you check the UA string, it could be puzzling to less-skilled hackers to work out what your server is rejecting about the "perfectly good" session cookie.


