0

I'm working on a website that is part Classic ASP and part PHP. There's a process that checks the user's IP address on the PHP side, then confirms in ASP that the user is on the same IP. (This is part of a system to share logins between the two systems, but prevent hijack attacks.)

PHP saves the IP to a MySQL database. Then ASP queries MySQL to check the IP is the same address as PHP saved.

PHP $_SERVER['REMOTE_ADDR'] = 10.1.4.113

ASP Request.ServerVariables( "REMOTE_ADDR" ) = 10.1.5.9

Can anyone tell me where I'm going wrong here? (other than "using VBScript" ;-) ? )

Stephen R
  • 3,512
  • 1
  • 28
  • 45
  • It appear's that ASP may be returning the **server's** IP instead of the user's. Hmmm... – Stephen R Apr 11 '17 at 17:58
  • `Request.ServerVariables("REMOTE_ADDR")` is the way to get a user's IP address in Classic ASP, you'll need to show some more code. How does your php file call your asp file? – John Apr 11 '17 at 19:53
  • Question is already answered (though SE won't let me "accept" my own answer right away...), but for the record you asked a great question. PHP is calling ASP via HTTP, thus ASP is apparently seeing the Server as the "remote user", instead of the actual human user who called the PHP page. – Stephen R Apr 11 '17 at 19:56
  • I suppose in light of that, I should simply have ASP check that the "remote user" has an IP that matches the server ASP itself is running on -- i.e. Request.ServerVariables("LOCAL_ADDR") – Stephen R Apr 11 '17 at 20:02
  • Just as I suspected. PHP and ASP are both server side, so if the http request which calls the asp page is made by php code (I'm not a php expert but I'd guess you're using `curl()`), then the server is acting as the client. There are one or two ways to achieve what you were trying to do originally. You need to get your client side code to request the asp page "behind the scenes", possibly with an ajax call or an invisible iframe – John Apr 12 '17 at 09:35
  • What I have to do is convince the code to use the same session. For PHP this is easy — just set the session name, then set it again at the start of each internal call using session_id(). VBScript has no equivalent function. I've opened a separate question for that issue here: http://stackoverflow.com/q/43357406/339440 – Stephen R Apr 12 '17 at 10:56
  • There are a few questions on here and elsewhere regarding sharing session variables between Classic ASP and ASP.net which might be useful as background reading. Often the solution involves writing your "session" to the database. http://stackoverflow.com/questions/4751398/is-it-possible-to-share-session-state-between-asp-classic-and-asp-net – John Apr 12 '17 at 13:58
  • I created a new question because the one I posed here was clearly answered. RE ASP session switching: https://stackoverflow.com/questions/43357406/set-sessionid-in-classic-asp – Stephen R Apr 12 '17 at 14:02

1 Answers1

1

Question answered (and I'm feeling foolish). PHP is making the call to the ASP page. Therefore as far as the ASP end is concerned, the Server itself is the "remote user". PHP sees the user's IP. ASP see's the Server as the "user", thus the IPs don't match.

Stephen R
  • 3,512
  • 1
  • 28
  • 45