PHP
Dmitry, 2021-11-22 09:43:56

Is it hard to spoof an IP address when requesting $_SERVER['REMOTE_ADDR']?

Good afternoon, dear forum participants. Please help with some advice.
I have a website whose database records active tokens after authentication. The database contains the following information:
ID of the token
Key of the token
Whether the token is active or not (0 or 1)
The IP address from which the authorized user logged in
There is also a separate PHP script on the site that works on its own. Before starting work, this PHP script makes a request to the main site's database and compares the IP from the database with $_SERVER['REMOTE_ADDR']; if they match and there is an active token for that IP, the script continues its work.

Question: It turns out that the decision to run the script or not is based only on the IP address matching. How reliable is this check, and is it difficult to fake an IP address in my case?


4 answer(s)
Ipatiev, 2021-11-22
@Dima07-100

As far as I remember networking technologies, which is what the question "Is it possible to forge an IP address" actually refers to, it is possible to forge the source address in a TCP header. And such a request will get checked. But the reply to it will go to that fake IP. That is, the connection will be terminated at the TCP handshake stage.
From this we can conclude: it is possible to forge an address, but this will not help to do anything malicious.
If you put proper tags on this question, rather than ones pulled out of thin air, real experts on the matter will answer.

Rsa97, 2021-11-22
@Rsa97

In general, such a check is harmful.
The user may be working over an unstable connection. Then, on each reconnection, they may be given a new IP address.

Aetae, 2021-11-22
@Aetae

Firstly: IP should not be used for this at all; it is a changeable thing.
Secondly: in theory REMOTE_ADDR can't be faked, but that is only in theory, because every piece of junk on your side likes to overwrite it for convenience. For example, you can often find a hole like this deep in someone else's code:

    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // takes whatever the client put in the header and overwrites the real peer address
        $xffaddrs = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        $_SERVER['REMOTE_ADDR'] = $xffaddrs[0];
    }
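The hole shown above, next to a safer way of picking the client IP and a token check that does not rest on the IP alone, as an added example; this is not code from the thread or from the asker's site. It assumes the table from the question (with the key stored as a SHA-256 hash rather than in plaintext, an assumption), one reverse proxy whose address is listed in TRUSTED_PROXIES, and an in-memory SQLite database with constructed rows so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Assumptions (not in the
// original post): the app sits behind one reverse proxy whose address is in
// TRUSTED_PROXIES, the table layout below (token key stored hashed), and an
// in-memory SQLite database used only so this script runs on its own.

const TRUSTED_PROXIES = ['10.0.0.5']; // assumed address of your own reverse proxy

// Vulnerable: the client picks its own "IP" by sending
// "X-Forwarded-For: 198.51.100.10", and the script believes it.
function clientIpNaive(array $server): string
{
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Safer: honour X-Forwarded-For only when the TCP peer is a proxy we run,
// and walk the list from the right so client-supplied leading entries are
// ignored; the first hop that is not one of our proxies is the client.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], TRUSTED_PROXIES, true)) {
            $ip = filter_var($hops[$i], FILTER_VALIDATE_IP);
            return $ip === false ? $peer : $ip; // garbage in the header: fall back to the peer
        }
    }
    return $peer; // every hop was one of our proxies; nothing better to report
}

// The gate: the caller must present the token key itself (a bearer secret).
// It is looked up by its SHA-256 so the database never holds the plaintext.
// The stored IP is only reported so it can be logged, not used as the
// deciding factor, because NAT and mobile networks change it.
function checkToken(PDO $db, string $presentedKey, string $ip): array
{
    $stmt = $db->prepare('SELECT id, ip FROM tokens WHERE key_hash = :h AND active = 1');
    $stmt->execute([':h' => hash('sha256', $presentedKey)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['ok' => false, 'reason' => 'no active token for this key'];
    }
    return [
        'ok'         => true,
        'token_id'   => (int) $row['id'],
        'ip_changed' => $row['ip'] !== $ip, // worth logging, not a reason to block
    ];
}

// --- stand-alone demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tokens (id INTEGER PRIMARY KEY, key_hash TEXT, active INTEGER, ip TEXT)');
$secret = bin2hex(random_bytes(32)); // what the user was issued at login
$db->prepare('INSERT INTO tokens (key_hash, active, ip) VALUES (?, 1, ?)')
   ->execute([hash('sha256', $secret), '198.51.100.10']);

// An attacker at 203.0.113.200 tries to look like the legitimate user.
$spoof = ['REMOTE_ADDR' => '203.0.113.200', 'HTTP_X_FORWARDED_FOR' => '198.51.100.10'];
echo "naive:  " . clientIpNaive($spoof) . "\n"; // attacker-controlled header wins
echo "strict: " . clientIp($spoof) . "\n";      // peer is not our proxy, header ignored

// The real user behind our proxy: the proxy appends the true client address
// after whatever the client itself put in the header.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.10'];
echo "proxy:  " . clientIp($viaProxy) . "\n";   // rightmost untrusted hop is taken

var_dump(checkToken($db, $secret, clientIp($viaProxy))); // valid key, IP unchanged
var_dump(checkToken($db, 'guess', clientIp($spoof)));    // no key, no access regardless of IP
```

The design point is that the IP match is at most a signal to log: the thing that proves possession of the session is the token key, which an attacker who merely guessed or spoofed an address does not have. Whether to honour X-Forwarded-For at all depends entirely on whether a proxy you control is the TCP peer, which is why the safer function checks REMOTE_ADDR first.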

Armenian Radio, 2021-11-22
@gbg

A whole neighbourhood, or even a city, can be on the Internet from one address. So your check is just crap.
Use proper queues (RabbitMQ, Kafka) and don't farm.
