2

I'm working on a php application. I need to access unique clients ip addresses. $_SERVER['REMOTE_ADDR'] returns client ip address, but the problem is that value is identical for users who visit my site via one modem or router. In fact my server identifies him as a one visitor. How can I differentiate between some users that use one real ip address?

EDIT

I don't want to use cookie based solution. Cookie is not a reliable solution. I want to identify users from it's ip, not cookie.

hamed
  • 7,939
  • 15
  • 60
  • 114
  • 2
    http://stackoverflow.com/questions/3922658/best-way-to-identify-a-user-uniquely and http://stackoverflow.com/questions/3940179/detecting-a-unique-anonymous-user and http://stackoverflow.com/questions/15966812/user-recognition-without-cookies-or-local-storage – Mike Sep 01 '16 at 19:55
  • My guess: you can't. But, you can try setting some sort of cookies and check for them, but is the your try to access anonymous, you loose this too. – lcssanches Sep 01 '16 at 19:56
  • `Sessions` and `Cookies` are really the only viable way to do so without relying on third-party browser plugins such as Java or Flash. Since the server is assigning an ID to the client for later validation. Otherwise you would be relying on client-side provided data anyway, that would be just as unreliable as cookies and sessions. Perhaps elaborate on the purpose for the differentiation, so we can look at specific use-cases. – Will B. Sep 01 '16 at 21:11

1 Answers1

0

Fyryre is partly correct (there are other solutions, but sessions and cookies are probably the right solution).

Saying you want to differentiate between users is somewhat vague. Do you want to identify the user? Identity the device being used? Do you want to associate this with another piece of information such as a name or email address? Do you want this differentiation to persist for any length of time? If so then an ip address associated with a single user is no use.

Cookie is not a reliable solution

It's a very reliable solution unless you do something stupid like putting usernames in there.

There are complementary approaches you can use where someone is deliberately falsifying the information they present to you/impersonating others, even when they have compromised credentials, but without knowing what you are trying to achieve nor the threat model, its impossible to advise.

symcbean
  • 47,736
  • 6
  • 59
  • 94
  • Thank you for your response. I'm implementing an analytic system and I need to identify users for this purpose. I want to differentiate between users who use an identical ip address, and save an analytic record for each users. But, if I rely on PHPSESSSIONID or other browser cookie, a user can delete those cookies and so, another analytic record will save for him/his. As a result, my analytic system will not have real and exact information. – hamed Sep 02 '16 at 05:04
  • That doesn't answer the question. There is a huge difference between an analytic system for capturing marketing information and an analytic system for investigating fraud. Nor have you mentioned the jurisdictions that this applies in and how you intend to address any regulatory constraints. – symcbean Sep 02 '16 at 09:36