I want to skip a login process and instead save users' server IP with PHP's "$_SERVER['REMOTE_ADDR']" function and keep them in a database for later identification when activities are performed on my site. Now to the question...

Will I have to notify users that I am saving this information from them, just like if I would use cookies?

Matt
  • Welcome to StackOverflow! This (part of the) platform is not made for asking questions about ethics or morals. It's about specific problems regarding programming. – manniL Mar 10 '16 at 22:41
  • Thanks. Oh, okay, I see, my bad. – Christopher Mar 10 '16 at 22:46
  • IP does not equal person: 1 person can use many IPs; one IP can be thousands of people. In short, your idea will never work – Mar 10 '16 at 22:49
  • Okay, but what is the likelihood that two people in every 100 people get the same IP? I'm not counting on getting a lot of visitors, and the site's not too likeable for people to want to use a login service I create on it, so this was my workaround... – Christopher Mar 10 '16 at 23:02
  • People with dynamic IPs may have a different address each time they visit; how will you authenticate them? – Gavin Mar 10 '16 at 23:08
  • Everyone in my office, same IP. Everyone in your university computer lab, same IP. Everyone connected to the same cell tower (and maybe even provider), same IP.... Me: from home 1 IP, work another, cell phone another (multiple), reboot work or home router, new IP... Just use standard username\password like everyone else does. – Mar 10 '16 at 23:09
  • Maybe it's possible that there are specific objective laws that could answer this, but you'd probably need to specify which country... – Jeff B Mar 10 '16 at 23:32

2 Answers

$_SERVER['REMOTE_ADDR'] is:

    the source IP of the TCP connection and can't be substituted by changing an HTTP header.

And:

    While it is technically possible to bidirectionally spoof IP addresses on the Internet (by announcing foul routes via BGP), such attacks are likely to be spotted and not available to the typical attacker - basically, your attacker must have control over an ISP or carrier. There are no feasible unidirectional spoofing attacks against TCP (yet). Bidirectional IP spoofing is trivial on a LAN though.

Reference: Is it safe to trust $_SERVER['REMOTE_ADDR']?

IP address filtering with a whitelist of IP addresses would be a method to reduce the attack surface, but it is not authentication, because it only authenticates the network address and not the person.

E.g. if somebody else happens to use the same computer, he wouldn't need to enter any password to get the same features. So you can't enforce accountability at the person level.

However, if you used IP filtering in combination with something else, e.g. a PIN on top of the IP filtering, that's already a bit better.

Wadih M.
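The "IP filtering plus something else" combination the answer ends on, as an added PHP example that is not part of the original answer or of any project: the IP allowlist acts only as a cheap perimeter filter, and the per-user PIN (stored as a password_hash()) is what actually identifies the person, so two people behind one shared IP still get distinct identities. The allowlisted networks, usernames and PINs are constructed values. Note that the check reads $_SERVER['REMOTE_ADDR'] (the TCP peer, which the quoted text says cannot be changed with an HTTP header) and deliberately ignores headers such as X-Forwarded-For, which are only meaningful behind a reverse proxy you control.

```php
<?php
// Added example (not the answer's code): IP allowlist as a perimeter filter,
// combined with a per-user PIN as the person-level factor the IP cannot provide.
// Networks, users and PINs below are constructed for illustration.

declare(strict_types=1);

// Constructed allowlist of networks (CIDR) from which access is permitted.
const ALLOWED_NETWORKS = ['203.0.113.0/24', '2001:db8::/32'];

/** Constructed user table: username => password_hash() of that user's PIN. */
function userPinHashes(): array
{
    static $hashes = null;
    if ($hashes === null) {
        // In a real deployment these hashes come from the database, created at enrolment.
        $hashes = [
            'alice' => password_hash('4821', PASSWORD_DEFAULT),
            'bob'   => password_hash('9073', PASSWORD_DEFAULT),
        ];
    }
    return $hashes;
}

/** True when $ip (IPv4 or IPv6) lies inside the CIDR block $cidr. */
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        // A bare address means a single host.
        $cidr .= (strpos($cidr, ':') !== false) ? '/128' : '/32';
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address, or IPv4 tested against an IPv6 block (or vice versa)
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if ($fullBytes > 0 && substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Compare only the leading $rem bits of the first partial byte.
    $mask = 0xFF & (0xFF << (8 - $rem));
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function ipAllowed(string $ip): bool
{
    foreach (ALLOWED_NETWORKS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the authenticated username, or null on failure. The IP filter runs
 * first and rejects everything outside the allowlist; the PIN then identifies
 * the person. A correct IP alone never grants access.
 */
function authenticate(string $remoteAddr, string $user, string $pin): ?string
{
    if (!ipAllowed($remoteAddr)) {
        return null;
    }
    $hashes = userPinHashes();
    if (!isset($hashes[$user]) || !password_verify($pin, $hashes[$user])) {
        return null;
    }
    return $user;
}

// In a request handler the first argument is $_SERVER['REMOTE_ADDR'].
var_dump(authenticate('203.0.113.7', 'alice', '4821'));  // string(5) "alice"
var_dump(authenticate('203.0.113.7', 'alice', '9073'));  // NULL: same IP, wrong PIN
var_dump(authenticate('198.51.100.9', 'alice', '4821')); // NULL: outside the allowlist
```

The point of the ordering is the one the answer makes: the allowlist reduces who can even attempt a PIN, while accountability comes from the PIN. If the application sits behind a load balancer, REMOTE_ADDR will be the balancer's address and the allowlist has to be applied to the client address the trusted proxy forwards, never to a header the client can set itself.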
You don't have to notify. Cookies require notification because of an EU law. Apache, by default, like most other similar programs, keeps access logs, as do many other tools you probably have on your server. These all save user IP addresses anyway, so you are already saving them. https://httpd.apache.org/docs/2.4/logs.html

The problem with this approach is that people on a mobile connection (an entire area using the same IP), in the same house, or using a different browser will share the same IP. Or people travelling on a mobile device will be constantly changing IPs, as will people with dynamic IP addresses (there are entire countries like this; this is super common).

Imagine you are using two Gmail accounts and, regardless of the browser, it just logs you in to the same account. Normally one would expect a site to be "fresh" when run in a different browser, for example.

Check out sessions; they are probably what you want.

S00
  • How are sessions what he wants?!? – Mar 10 '16 at 23:13
  • He is looking for a way to track a client. For identification, if it's about remembering a state, sessions will do a better job by setting a cookie in the client's browser, and they are quite simple. He is looking to use the IP as an identification tool, so I am not going to say "use a database, keep actual user accounts, verify them, learn about password hashing". – S00 Mar 10 '16 at 23:15
  • It's as unreliable an approach as using the IP – Mar 10 '16 at 23:16
  • Yeah, it is. It just solves the "people sharing the same IP" part. – S00 Mar 10 '16 at 23:17
  • It does, unless you come up with devices sharing cookies... Dude is asking about using IP for identification, for a won't-be-popular site; obviously he isn't looking for the level of quality you are looking for. – S00 Mar 10 '16 at 23:20
  • Please tell the actual problem with this approach then, other than the fact it will forget you once you delete your cookie or change a device. This is far better than relying on IP. – S00 Mar 10 '16 at 23:25
  • Plan A: tried and tested, works; plan B: high failure rate. Why bother with B? Why suggest B? Why even bring it up? – Mar 10 '16 at 23:30
  • I'd hardly call a site remembering you, your state, what you did, until you change your device or clear your cookies "not working". It's more of a "quirk", but whatever, it's your opinion. It's obviously not as good as a database approach, but this one takes only a few lines of code, maybe a config change to keep the sessions forever. We both agree this is not an ideal solution, but this is perfectly acceptable for an afternoon prototype. – S00 Mar 10 '16 at 23:31
  • Because plan A is using a database system, which has a learning curve, and he is looking for something quick; plan B has a lower failure rate than the IP approach. Plan A = good, takes time; plan B = meh solution, really quick to develop; IP = worst. Do you really not understand this? I mean, come on... – S00 Mar 10 '16 at 23:33
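The session-based alternative this answer and its comment thread argue for, as an added PHP example that is not part of the original answer or of any project: a returning browser is recognised by an unguessable identifier stored in the PHP session rather than by its IP, so two people behind one NAT get two identities and one person on a changing mobile IP keeps one. The cookie flags and the 30-day lifetime (the "config change to keep the sessions" longer mentioned in the comments) are assumptions for illustration.

```php
<?php
// Added example (not the answer's code): identifying a returning browser with a
// PHP session instead of its IP address. Cookie flags and lifetimes are assumptions.

declare(strict_types=1);

const VISITOR_COOKIE_LIFETIME = 60 * 60 * 24 * 30; // 30 days (assumed)

// Cookie parameters must be set before session_start() to affect the cookie sent.
session_set_cookie_params([
    'lifetime' => VISITOR_COOKIE_LIFETIME,
    'path'     => '/',
    'secure'   => true,   // only transmitted over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
// Keep server-side session data alive at least as long as the cookie.
ini_set('session.gc_maxlifetime', (string) VISITOR_COOKIE_LIFETIME);
// Reject session IDs the server never issued (defeats fixation via a guessed ID).
ini_set('session.use_strict_mode', '1');

session_start();

/** Returns this browser's stable visitor id, creating one on the first visit. */
function visitorId(): string
{
    if (empty($_SESSION['visitor_id'])) {
        // 128 random bits; the session cookie is what binds this id to the browser.
        $_SESSION['visitor_id'] = bin2hex(random_bytes(16));
        $_SESSION['first_seen'] = time();
        // Fresh identity: rotate the session id so nothing issued earlier still maps to it.
        session_regenerate_id(true);
    }
    return $_SESSION['visitor_id'];
}

/** Records an activity against the visitor id (a database table would replace this). */
function recordActivity(string $action): void
{
    $_SESSION['activities'][] = ['at' => time(), 'action' => $action];
}

$id = visitorId();
recordActivity('viewed ' . ($_SERVER['REQUEST_URI'] ?? '/'));
echo 'visitor ' . $id . ', ' . count($_SESSION['activities']) . " recorded action(s)\n";
```

The identifier disappears when the user clears cookies or switches devices, which is exactly the limitation discussed in the comments; what it does not do is merge everyone behind a shared address into one record, which is the failure mode of the IP approach.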