[PHP 7.3^] Kooser Directory.
<blockquote data-quote="Kooser6" data-source="post: 453480" data-attributes="member: 85580"><p>This is extra validation that is not needed. If you first check the `HTTP_` vars, I can spoof any IP. ANY is the key word. Even a valid IP that is not mine. The reason `REMOTE_ADDR` is the best option is that it cannot be spoofed. Apache populates `REMOTE_ADDR` from a TCP socket that it uses to communicate with your browser. It is impossible to influence this variable over the open internet because of the <a href="http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml" target="_blank">three-way-handshake</a>. If the client and the server are on a broadcast network, like Wi-Fi, then you can sniff the wire and complete the handshake. The best way is to first see if `REMOTE_ADDR` is a trusted proxy; if so, then use the proxy header, else just use `REMOTE_ADDR`. From a security standpoint, validating `REMOTE_ADDR` is pointless. To sum this up, the way I am using `REMOTE_ADDR` is to just protect each individual user from session hijacking. Why would I use `HTTP_` vars that can be spoofed?</p></blockquote><p></p>
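The trusted-proxy check described in the post above, as an added example that is not part of the original post or of the Kooser Directory code. `TRUSTED_PROXIES`, `isTrustedProxy()` and `clientIp()` are hypothetical names, the proxy ranges and request values are constructed, and `X-Forwarded-For` is assumed to be the proxy header in use; the example goes one step beyond the post by walking the header right to left so that entries supplied by the client are never preferred over entries appended by your own proxies.

```php
<?php
declare(strict_types=1);

// Assumption: constructed sample ranges standing in for proxies you operate.
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.0.2.10/32'];

// True when $ip falls inside one of the TRUSTED_PROXIES CIDR ranges.
function isTrustedProxy(string $ip): bool
{
    $ipBin = @inet_pton($ip);
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr) + [1 => '128'];
        $netBin = @inet_pton($net);
        if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
            continue; // unparsable address or mixed IPv4/IPv6
        }
        $bits = min((int) $bits, strlen($netBin) * 8);
        $full = intdiv($bits, 8);
        $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // mask for the partial byte
        if (substr($ipBin, 0, $full) === substr($netBin, 0, $full)
            && ($bits % 8 === 0 || ((ord($ipBin[$full]) ^ ord($netBin[$full])) & $mask) === 0)) {
            return true;
        }
    }
    return false;
}

// Resolve the client address from a $_SERVER-style array.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if (!isTrustedProxy($peer) || $xff === '') {
        return $peer; // direct peer: forwarding headers are client-controlled
    }
    // Walk right to left: the rightmost entries were appended by our proxies.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed header: fall back to the socket address
        }
        if (!isTrustedProxy($hop)) {
            return $hop; // first hop not written by a proxy we control
        }
    }
    return $peer;
}

// Constructed requests: a direct client sending its own header, then a proxied one.
var_dump(clientIp(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1']));
var_dump(clientIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.200, 198.51.100.23']));
```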