92

Is it safe to trust $_SERVER['REMOTE_ADDR']? Can it be substituted by changing the header of the request or something like that?

Is it safe to write something like that?

if ($_SERVER['REMOTE_ADDR'] == '222.222.222.222') { // my ip address
    $grant_all_admin_rights = true;
}
Boaz
Silver Light
  • Adding to the existing answers, it will always be the IP address that made the request to your server, but that doesn't mean it's the IP address of the computer that started the request. Any number of proxy servers could be in between you and the end user, and the closest one to you is the IP address you get. – Dan Grossman Jan 23 '11 at 13:23
  • Yes, it's safe because it can't be substituted by other tricks or some cheating. But make sure you add more checks for the $grant_all_admin_rights variable. – Yuda Prawira May 12 '11 at 06:10
  • Any $_SERVER variable can be spoofed - e.g. curl_setopt( $ch, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $ip", "HTTP_X_FORWARDED_FOR: $ip")); So it depends entirely on the context: if the attacker is expecting a response, it will go back to $ip. If they don't care about the response, they can certainly spoof the header. If your code after the header check instead said: "open_the_door_to_badguys();" you would have a problem. – TMG May 23 '13 at 02:49
  • @TMG You can't spoof the `$_SERVER['REMOTE_ADDR']` variable by setting an HTTP request header. PHP automatically prefixes all HTTP request headers with `HTTP_` when creating keys in the `$_SERVER` superglobal. – MrWhite Dec 08 '15 at 00:07

3 Answers

115

Yes, it's safe. It is the source IP of the TCP connection and can't be substituted by changing an HTTP header.

One case you may want to be wary of is if you are behind a reverse proxy, in which case the REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as X-Forwarded-For). But for the normal use case reading REMOTE_ADDR is fine.

sam
sagi
  • What about IP address spoofing? – Abdull Mar 10 '15 at 17:24
  • @Abdull The people who can do that are usually the same people who have physical access to your box. So don't worry about it that much. – Behrooz Aug 15 '15 at 19:48
  • @Abdull IP spoofing can only send messages one way; you can't spoof your IP and get a message in return. –  Aug 20 '16 at 23:02
  • Aren't internet routers checking the source and destination IP to route packets? I doubt that a spoofed packet will ever reach the destination across internet nodes. – Viktor Joras Oct 13 '18 at 13:37
59

$_SERVER['REMOTE_ADDR'] is the IP address the TCP connection came in on. While it is technically possible to bidirectionally spoof IP addresses on the Internet (by announcing foul routes via BGP), such attacks are likely to be spotted and not available to the typical attacker - basically, your attacker must have control over an ISP or carrier. There are no feasible unidirectional spoofing attacks against TCP (yet). Bidirectional IP spoofing is trivial on a LAN though.

Also be aware that it may not be an IPv4, but an IPv6 address. Your current check is fine in that regard, but if you would check that 1.2.3.4 only occurs anywhere within $_SERVER['REMOTE_ADDR'], an attacker could simply connect from 2001:1234:5678::1.2.3.4.

Summarily, for anything other than critical (banking/military/potential damage >50.000€) applications, you can use the remote IP address if you can exclude attackers in your local network.

phihag
  • You sound very informed about the Internet Protocol. – Brian Peterson Nov 02 '13 at 01:17
  • @phihag, Whether `$_SERVER['REMOTE_ADDR']` is the IP address the TCP connection came in on depends entirely on your SAPI. – Pacerier Mar 05 '15 at 21:31
  • It's far from infeasible for an attacker on a WEP/WPA WLAN to kick the real client off and spoof that IP address; both WEP and WPA have weaknesses that make spoofing `you have been kicked off the wlan` packets easy to create with the right tools. Google `WPA downgrade test`, for instance. – hanshenrik Nov 22 '17 at 09:28
  • The IP address is IP level, not TCP level. – Viktor Joras Oct 13 '18 at 13:38
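An added example, not code from the question or any of the answers, that folds the caveats from the two answers above into one check: REMOTE_ADDR is the TCP peer and is always the starting point, X-Forwarded-For is read only when that peer is one of our own reverse proxies (the hypothetical TRUSTED_PROXIES list), and addresses are compared exactly so an IPv6 address that merely ends in the admin's IPv4 digits never matches.

```php
<?php
// Added example, not from the question or answers. TRUSTED_PROXIES is a
// hypothetical list of the reverse proxies we operate ourselves.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function isIp(string $s): bool
{
    return filter_var($s, FILTER_VALIDATE_IP) !== false;
}

// Exact equality on the binary form, so '1.2.3.4' never matches the IPv6
// address '2001:1234:5678::1.2.3.4' the way a substring check would.
function ipEquals(string $a, string $b): bool
{
    return isIp($a) && isIp($b) && inet_pton($a) === inet_pton($b);
}

function isTrustedProxy(string $ip): bool
{
    return (bool) array_filter(TRUSTED_PROXIES, fn($p) => ipEquals($ip, $p));
}

// REMOTE_ADDR is the TCP peer and is authoritative. Only when that peer is one
// of our own proxies do we read X-Forwarded-For, walking it from the right past
// our proxies; the first foreign hop is the client as seen by our nearest proxy.
// Everything further left is client-supplied text and is ignored.
function clientIp(array $server): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isIp($remote)) return null;
    if (!isTrustedProxy($remote)) return $remote;

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!isIp($hops[$i])) return null; // malformed header
        if (!isTrustedProxy($hops[$i])) return $hops[$i];
    }
    return null; // header missing or listed only our own proxies
}

function isAdminIp(array $server): bool
{
    $ip = clientIp($server);
    return $ip !== null && ipEquals($ip, '222.222.222.222'); // exact, never strpos()
}
// Direct connection with a forged header: the peer is not our proxy, so the header is ignored.
var_dump(isAdminIp(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '222.222.222.222']));
// Same request via our proxy chain, each proxy appending the address it saw.
var_dump(isAdminIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '222.222.222.222, 10.0.0.6']));
```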
4

As mentioned above, it's not absolutely safe. But it doesn't mean that you shouldn't use it. Consider combining this with some other methods of authentication, for instance checking COOKIE values.

Audio