Topic: get_remote_address() - incorrectly detecting users IP address

As this is my first post here, let me start by saying what a great piece of software punbb is. Thank you for creating it. There was a definite need in the PHP forum genre for something like this!

However, with the release of 1.2.11, I've noticed a bit of a problem with the detection of the user's IP address. It's not a bug as such, just more of a problem. It hasn't personally been a problem for me, but I believe this could cause some minor issues with registration in future, as well as cause problems for a lot of existing users elsewhere.

I used to work for an ISP, and we used to get lots of complaints from customers because they could not access such and such a site. It turns out the forum software was incorrectly detecting their IP address. This happened because these people were transparently being routed through proxy servers on their way out onto the web. So, the forum software was detecting the IP address of the proxy server, rather than that of the user's machine. When you consider that the proxy servers could serve up to 50000 people or more, then it became a bit of a problem for the busier sites when 50 or so people couldn't access the forum because 1 user had been banned.

It's in the function get_remote_address().

The way around it is, instead of using $_SERVER['REMOTE_ADDR'], to use $_SERVER['HTTP_X_FORWARDED_FOR'] if it exists. If it doesn't, then revert to $_SERVER['REMOTE_ADDR'].

i.e. in functions.php, replace:



function get_remote_address()
{
    return $_SERVER['REMOTE_ADDR'];
}




with something like:


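function get_remote_address()
{
    // Use the proxy-supplied header when it is present and non-empty
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        // Otherwise fall back to the address of the connecting host
        return $_SERVER['REMOTE_ADDR'];
    }
}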

If you need me to demonstrate the problem, then I can do so, but let me know as I'll need to use a different machine on a different connection as my current one is not proxied.

Cheers. :)

Re: get_remote_address() - incorrectly detecting users IP address

It seems your solution has been removed in 1.2.10 :S I have it in my 1.2.7 functions.php

3 (edited by Smartys 2006-02-28 22:06)

Re: get_remote_address() - incorrectly detecting users IP address

It was removed because it is simple for, say, a hacker to spoof his IP address using X_FORWARDED_FOR. Thus, it shouldn't be relied upon. You can, of course, write a mod to store both IPs.

But get_remote_address() is detecting IPs just fine :)

And as for the exact change:
http://dev.punbb.org/changeset/286

Re: get_remote_address() - incorrectly detecting users IP address

OK fair enough.

I don't know how many ISPs use transparent proxies throughout the world, but for any that do, this could cause a problem (I know there's at least several million people in the UK who are proxied this way).

Cheers

Re: get_remote_address() - incorrectly detecting users IP address

danoob wrote:

OK fair enough.

I don't know how many ISPs use transparent proxies throughout the world, but for any that do, this could cause a problem (I know there's at least several million people in the UK who are proxied this way).

Cheers

That's true, but relying solely on it is the wrong thing to do :)
Like I said, if it becomes enough of an issue for someone, I'm sure a mod can be written to store both IPs.

Re: get_remote_address() - incorrectly detecting users IP address

As the PHP manual says, the $_SERVER['remote_addr'] is not reliable for exactly that reason. As soon as you go through a new server, you are no longer being seen from your IP, only from the IP of the server. This is why proxies were invented and are being used.

Re: get_remote_address() - incorrectly detecting users IP address

Thing is, REMOTE_ADDR is less reliable in that it can be assigned to several users, but it's more reliable in that it's a lot harder to spoof.

"Programming is like sex: one mistake and you have to support it for the rest of your life."
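
An added example, not part of the thread and not PunBB's own code: one way to write the "store both IPs" mod suggested above, believing X-Forwarded-For only when the connection itself comes from a proxy the site operator has listed. The function name get_remote_addresses(), the $trusted_proxies list and all sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not PunBB code. $trusted_proxies is a hypothetical setting
// holding the proxy addresses the site operator has decided to believe.
function get_remote_addresses(array $server, array $trusted_proxies)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    // 'peer' is the TCP peer, 'forwarded' is what the header claims,
    // 'effective' is the address bans and flood checks should use.
    $result = array('peer' => $peer, 'forwarded' => null, 'effective' => $peer);

    if (empty($server['HTTP_X_FORWARDED_FOR']))
        return $result;

    // The header is a comma-separated chain: client, proxy1, proxy2, ...
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));

    // Walk from the right (nearest hop). Entries appended by trusted proxies
    // are skipped; the first other entry is the claimed client. Anything a
    // client typed in by hand sits further left and is never reached.
    $claimed = null;
    foreach (array_reverse($chain) as $hop)
    {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false)
        {
            $claimed = null; // malformed chain: believe none of it
            break;
        }
        $claimed = $hop;
        if (!in_array($hop, $trusted_proxies, true))
            break;
    }
    $result['forwarded'] = $claimed; // stored for moderators either way

    // Only a listed proxy may override the connecting address.
    if ($claimed !== null && in_array($peer, $trusted_proxies, true))
        $result['effective'] = $claimed;

    return $result;
}

// Constructed sample requests (documentation address ranges).
$proxies = array('192.0.2.10');
// 1. A customer behind the ISP's transparent proxy: the ban hits the customer.
var_export(get_remote_addresses(array('REMOTE_ADDR' => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7'), $proxies));
// 2. A direct connection sending a forged header: the ban stays on the peer.
var_export(get_remote_addresses(array('REMOTE_ADDR' => '198.51.100.23',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7'), $proxies));
```

In the second request the forged value is still returned as 'forwarded', so it can be logged beside the real peer address without ever being used for a ban decision.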