Logging a safe reliable IP address, which one?

Remote_addr Http_x_forwarded_for Http_client_ip

         

jezzer300

8:58 pm on Nov 4, 2005 (gmt 0)

10+ Year Member



Previously I had always used $_SERVER['REMOTE_ADDR'] to get and validate a user's IP address. Recently my credit card auth company (nochex) started returning the user's IP address too, although sometimes different to my IP check on a user just before they get their address.

Probably they are using HTTP_X_FORWARDED_FOR.

Anyhow, it appears HTTP_X_FORWARDED_FOR could be modified by the sender and REMOTE_ADDR is more reliable. Which ways of getting the user IP are reliable if any, otherwise I'll stick with REMOTE_ADDR, which can be a router/proxy server.

FYI, I did read all the user comments in uk.php.net/getenv and found this routine, which is of interest, but uses that unreliable HTTP_X_FORWARDED_FOR.

if (getenv("HTTP_CLIENT_IP")) $ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR")) $ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR")) $ip = $_SERVER['REMOTE_ADDR'];
else $ip = "UNKNOWN";

What do you know?

physics

11:13 pm on Nov 4, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You could log 'em all ;)

physics

3:53 am on Nov 7, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



By the way, I wasn't trying to be flippant ;) It might be good to have all of the IPs in case of fraud. Then you'd know what proxy they used if they used one, and if that proxy tells you what IP it's forwarding for, you'd possibly know their original IP.
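
An added example, not part of the original thread: one way to log all three values while trusting only REMOTE_ADDR, since the two headers are set by the sender. The function names are hypothetical, the sample input is constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: record every address-bearing value, but base decisions only
// on REMOTE_ADDR, the peer address of the connection as seen by the web server.
// HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are request headers the sender controls.

// Hypothetical helper: returns the value if it is a syntactically valid IP, else null.
function valid_ip_or_null(string $value): ?string
{
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_IP) !== false ? $value : null;
}

// Hypothetical helper: builds one log record from a $_SERVER-style array.
function collect_client_addresses(array $server): array
{
    $record = [
        'remote_addr'   => valid_ip_or_null($server['REMOTE_ADDR'] ?? ''),
        'forwarded_for' => [],  // claimed hops, unverified
        'client_ip'     => valid_ip_or_null($server['HTTP_CLIENT_IP'] ?? ''),
        'rejected'      => [],  // header values that were not IP addresses
    ];
    // X-Forwarded-For may carry a comma-separated chain: client, proxy1, proxy2
    foreach (explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '') as $hop) {
        $hop = trim($hop);
        if ($hop === '') {
            continue;
        }
        $ip = valid_ip_or_null($hop);
        if ($ip !== null) {
            $record['forwarded_for'][] = $ip;
        } else {
            // Keep a bounded, printable-only copy so the log line stays safe to store.
            $clean = (string) preg_replace('/[^\x20-\x7E]/', '?', $hop);
            $record['rejected'][] = substr($clean, 0, 64);
        }
    }
    return $record;
}

// Constructed sample input (documentation address ranges, not real traffic).
$sample = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.5, unknown',
    'HTTP_CLIENT_IP'       => 'not-an-ip',
];
echo json_encode(collect_client_addresses($sample), JSON_PRETTY_PRINT), "\n";
```

In the sample, `remote_addr` is the only field suitable for validation or blocking; `forwarded_for` and `client_ip` are stored as unverified claims for later fraud review.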

jezzer300

9:37 am on Nov 7, 2005 (gmt 0)

10+ Year Member



Ta, I was thinking of doing that.

Which IP address will not change during a session, providing the user doesn't disconnect?

It appears $_SERVER['REMOTE_ADDR'] could change, what's the story with the others?