0

I have created a polling system for my institute which uses the client's IP-address to identify unique voters. I have used $_SERVER['REMOTE_ADDR'].

The problem is that the institute uses a LAN and hence all users have the same global IP. So, only one user is able to vote.

How to get the local IP of the voting person?

Here is the code snippet I have used:

if(!isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['REMOTE_ADDR']; 
} else {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
Spontifixus
Ankit

4 Answers

2

In the case of NAT, you cannot get the internal IP in your server side code.

faffaffaff
  • May I ask what does NAT mean in this particular case? – Nikola Jun 25 '13 at 14:27
  • 2
    NAT means Network Address Translation, which is when clients on a LAN are hidden behind a single gateway IP address. The internal network address is rewritten (translated) to the gateway's public IP address, and then the gateway will translate in reverse when receiving replies. This is all an "invisible" process to the rest of the internet. – faffaffaff Jun 25 '13 at 14:29
2

In case of IPv4 most client addresses are masked behind NAT; on your server side you ONLY see the globally routable address, which is the router's own global address.

In case of IPv6 the local address for all intents and purposes will be the same as the global one, so you'll find that in $_SERVER['REMOTE_ADDR'].

That being said, I'd also like to caution you against using the X-Forwarded-For header for ANYTHING unless it comes from a trusted source (e.g. your own reverse proxy). The client can set this header to an arbitrary value and can cause some funny or even dangerous bugs to be triggered.

On a practical note I'd like to add that using the IP address to limit how many times one can vote is a somewhat broken practice since I rent at the moment a block of 16 IP addresses and I know people who can get their hands on a full C-sized block (255 addresses) and you'll be blocking lots of people behind provider NATs and such. In case of IPv6 everyone will have billions of addresses anyway, so the whole concept of IP blocking will be a lot more broken.

I recommend you tie the voting to something a bit more stable like phone number or e-mail registration if possible.

Janos Pasztor
  • Thanks Janoszen. I agree with you. But using user registration will significantly reduce the amount of participation I am getting as it requires a little bit more time. I will be happy if you could suggest a way other than registering the user. – Ankit Jun 25 '13 at 15:11
  • Absolutely, that's a business decision. Just be aware of the tradeoffs. SMS verification for example works pretty well and it's not that expensive. You could verify a user once, then store a long expiry cookie to identify him. Services like Twilio make this real easy. – Janos Pasztor Jun 25 '13 at 15:24
  • Storing a cookie is not reliable as one can clear cookies and cast multiple votes. – Ankit Jun 25 '13 at 15:39
  • If he has no cookie, he has to verify via phone number to get a new validation cookie. Unless he has access to two phones, he can't vote twice. Alternatively you can also request a phone verification every time. Evercookie is also worth exploring. – Janos Pasztor Jun 26 '13 at 07:07
  • 1
    You could get the internal IP using javascript, then pass to PHP using AJAX POST – kurdtpage Apr 30 '18 at 23:49
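
The caution above about X-Forwarded-For, as an added example that is not part of the original answers: a PHP helper that reads the header only when the connection comes from a reverse proxy you operate. The function name `client_ip`, the `TRUSTED_PROXIES` list and every address below are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the original post.
// Assumption: exact addresses of reverse proxies you run (constructed values).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // REMOTE_ADDR is the socket peer and cannot be set by a header.
    // If that peer is not one of our proxies, X-Forwarded-For is
    // client-supplied data and is ignored.
    if (!in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // Each proxy appends the peer it saw, so the rightmost entries are the
    // ones written by our own infrastructure. Walk from the right and stop
    // at the first hop that is not one of our proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the socket peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $hops[0]; // every hop was one of our proxies
}

// Constructed sample requests.
// 1) Client connects directly and sends a forged header.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '192.168.1.50',
];
// 2) Client sends the same forged value, but through our proxy, which
//    appends the address it actually saw.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '192.168.1.50, 198.51.100.23',
];

echo client_ip($direct), PHP_EOL;
echo client_ip($proxied), PHP_EOL;
```

For voters behind the institute's NAT this still returns the single gateway address, as the answers explain; the helper only stops a client from choosing its own address via the header.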
0

It is not possible to get the local IPs of computers behind a shared connection. Here is another tip to identify unique voters:

1- Send a cookie to the voter's machine with a key and a unique value, and add this to the global IP:

$_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']

2- You can add another factor, like the user agent string (browser), which tends to differ, and the operating system version, or get the standard host name for the local machine.

Ahmed Atta
  • That's not really going to keep anyone from cheating, it's too easy to fake. Otherwise what would the point of checking the IP be in the first place? – Janos Pasztor Jun 25 '13 at 15:25
-1

You can't, I think. NAT is born for this.