How can I uniquely identify a remote machine in a proxy server environment? I have used $_SERVER['REMOTE_ADDR'], but all machines in the proxy network have the same IP address. Is there any way?
7 Answers
Don't ever depend on information that is coming from the client. In this case, you're running up against simple networking problems (you can never be sure the client's IP address is correct), in other cases the client may spoof information on purpose.
If you need to uniquely identify your clients, hand them a cookie upon their first visit, that's the best you can do.
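One way to hand out the cookie suggested in the answer above, as an added example that is not part of the original answer. The cookie name `cid`, the constant `CLIENT_ID_KEY` and the function names are assumptions made for this sketch.

```php
<?php
// Added example: issue and verify a random, HMAC-signed client-ID cookie.
// CLIENT_ID_KEY is a placeholder; load the real key from your secret store.
const CLIENT_ID_KEY = 'replace-with-32-random-bytes-from-your-secret-store';

/** Build "id.mac", where mac = HMAC-SHA256(id) under the server key. */
function sign_client_id(string $id): string
{
    return $id . '.' . hash_hmac('sha256', $id, CLIENT_ID_KEY);
}

/** Return the id if the cookie is well-formed and the MAC matches, else null. */
function verify_client_id(string $cookie): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || !preg_match('/\A[0-9a-f]{32}\z/', $parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], CLIENT_ID_KEY);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $parts[1]) ? $parts[0] : null;
}

/** Read the visitor's id from the cookie, or mint one on the first visit. */
function get_or_issue_client_id(): string
{
    $raw = $_COOKIE['cid'] ?? null;
    $id  = is_string($raw) ? verify_client_id($raw) : null;
    if ($id === null) {
        $id = bin2hex(random_bytes(16));   // 128-bit unguessable identifier
        // Must run before any output is sent (PHP 7.3+ options array).
        setcookie('cid', sign_client_id($id), [
            'expires'  => time() + 365 * 24 * 3600,
            'path'     => '/',
            'secure'   => true,    // sent over HTTPS only
            'httponly' => true,    // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
    return $id;
}
```

The signature stops a client from minting identifiers of its own choosing; it does not stop a client from deleting the cookie or copying it to another machine.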
Your best bet would be:
```php
// Hash of the user agent string concatenated with the connecting IP address.
$uid = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']);
```
However, there's no way to know if they changed their user agent or use a different browser.
If just two people behind the same proxy use the same browser this doesn't work. – deceze Jul 29 '09 at 04:58
Exactly, there's no way to 100% be sure who it is, you can use combos of different $_SERVER vars and pray they would be unique in one way or the other. – OneOfOne Jul 29 '09 at 05:02
You could use some other headers to help, like these ones (ones that come to mind when looking at a dump of $_SERVER):
- HTTP_USER_AGENT
- HTTP_ACCEPT
- HTTP_ACCEPT_LANGUAGE
- HTTP_ACCEPT_ENCODING
- HTTP_ACCEPT_CHARSET

Using several pieces of information coming from the client will help differentiate between clients (the more information you use, the more chances you have that at least one of those is different between two clients)...
... But it will not be a perfect solution :-(
Depending on the kind of proxy software and its configuration, there might be a header called X-Forwarded-For that you could use:
The X-Forwarded-For (XFF) HTTP header is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. This is a non-RFC-standard request header which was introduced by the Squid caching proxy server's developers.
But I wouldn't rely on that either: it will probably not always be present (I don't think it's required).
Good luck!
X-Forwarded-For can be useful for this exact situation. You can't rely on it, especially for uniqueness, but it is useful. – zombat Jul 29 '09 at 06:07
I wouldn't suggest combining an IP address with `USER_AGENT` to identify people. Browsers like Chrome auto-update, which changes the string all the time. Some browser strings also reflect installed plugins which may change. Even if you just extract the browser name you're never really sure it hasn't been tampered with. – Robbert May 07 '13 at 15:22
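How X-Forwarded-For can be read without trusting what the client typed into it, as an added example that is not part of the answer or comments above. The `TRUSTED_PROXIES` list, the function name `client_address()` and the sample addresses are assumptions constructed for this sketch.

```php
<?php
// Added example: resolve the client address behind known proxies.
// TRUSTED_PROXIES holds constructed sample addresses of proxies you operate.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Return the address to attribute the request to.
 * $server is a $_SERVER-like array so the function can be fed samples.
 */
function client_address(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // A direct peer that is not one of our proxies can put anything in the
    // header, so the header is ignored entirely in that case.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Each proxy appends the peer it saw, so walk from the right and stop at
    // the first hop that is not one of our own proxies. Entries further left
    // were supplied by that hop and are unverified.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;   // empty or malformed entry: stop trusting the header
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;    // header absent or unusable: fall back to the proxy itself
}

// Constructed sample requests.
$viaProxy = [   // leftmost entry is client-supplied, rightmost was appended by our proxy
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 198.51.100.7',
];
$direct = [     // no proxy of ours in front, header is attacker-controlled
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
$noHeader = ['REMOTE_ADDR' => '10.0.0.6'];   // proxy that adds no header

foreach ([$viaProxy, $direct, $noHeader] as $sample) {
    var_dump(client_address($sample));
}
```

The result is still only the address the outermost trusted proxy saw, so several machines behind a further upstream proxy or NAT continue to share one value.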
I do not think there are other ways to do what you want. This is because the proxy server proxies the clients' requests and acts on their behalf. So, the clients are virtually hidden from the server's point of view. However, I may be wrong.
If you are aware of the proxy server, I think that implies this is some kind of company LAN. Are you in control of the LAN? Perhaps building and installing some ActiveX plugin which sends a machine-unique ID to the server might be the solution.
In general, HTTP proxy servers are not required to send the IP of their client. So every request sent by a proxy looks like it came from the proxy's IP. (Although Wikipedia has some mention of custom headers some proxies send to forward the client's IP.)
It gets even worse when an HTTP proxy is itself using another HTTP proxy - the server getting the request will only get the IP of the last proxy in the chain, and there's no guarantee that the 2nd proxy is even aware that the 1st proxy wasn't a regular client!
I expect more people to use VPNs in the future, so $_SERVER['REMOTE_ADDR'] will increasingly become useless due to proxying. We need a new Web standard so each user or client connection can be identified in some way, so users can work with their own data on various websites or at various times. – David Spector Jun 14 '21 at 18:03
Cookies. Since the GDPR, they are an acceptable compromise between identification and privacy. Users who don't want to accept can deny cookies. Users who want to be identified can accept cookies. – Shalom Craimer Jun 16 '21 at 03:38
There is currently no way of doing this, as you don't get information about the MAC address, and even that can be wrong, for example if there are 2 network cards, such as a wired one and a wireless one.
The best thing to do is to get JavaScript to write to and read from local storage and send that saved setting back to your server with an Ajax command. This still isn't perfect: if they clear their cache, the setting is lost.
The problem is that the Ajax transaction happens while the website is running, so the PHP program creating the website pages has no way to see the Ajax transaction. In other words, there is no way to communicate data from JavaScript, which runs on the client, back to a running PHP program. – David Spector Jun 14 '21 at 18:00
JKS,
Remote machines do not have unique identifiers. This is impossible.
Usually developers like to track machines when the end-user visits a page with a form like a login for security reasons.
Here is what I do: I store a cookie, a session variable and use the new html5 localStorage to track folks on my sensitive pages. This is really the only way to do this accurately. The nice thing about localStorage (when browsers can do this), the end-user typically has no idea you are storing stuff on their machine and deleting cookies has no effect.
So you might make a database table with tracking details like: timestamp, ip_address, user_agent
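Then let's say you are tracking failed login attempts. I would do this:
```php
// Assumes session_start() has already been called for this request.
if (isset($_SESSION['failed_logins'])) {
    // Increment the counter kept in this visitor's session.
    $failed_logins = $_SESSION['failed_logins'];
    $_SESSION['failed_logins'] = ($failed_logins + 1);
} else {
    // First failure seen in this session.
    $_SESSION['failed_logins'] = 1;
}
```
I would then do the same with setcookie() and then the localStorage script.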
Now I am tracking this person and know how many times they are failing a login..
I would then write this user's data to my failed_login table as described above.
I'm sure this isn't the answer you were looking for, but it really is the best way to track users on your site.
Please don't store number of failed login attempts in a session variable. In the end, `$_SESSION` is just another cookie tracked by Apache. The user would only have to delete the cookie containing the session ID to reset its failed login attempts. Instead, a good solution would be to save a timestamp of the last three failed login attempts for each user in your database. If all three of those took place within 5 minutes from `now()`, disallow login attempts. – Robbert May 07 '13 at 15:25
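The server-side scheme described in the comment above (last three failure timestamps per user, lockout when all fall within five minutes), as an added example that is not part of the original thread. The table and column names, the function names and the use of in-memory SQLite through PDO are assumptions chosen to keep the sketch self-contained.

```php
<?php
// Added example: per-account lockout state kept in the database, so deleting
// the session cookie does not reset it. Schema and names are assumptions.
const MAX_FAILURES   = 3;
const WINDOW_SECONDS = 300;   // 5 minutes

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE failed_login (username TEXT NOT NULL, failed_at INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_failed_login ON failed_login (username, failed_at)');
    return $db;
}

/** Store one failure and keep only the newest MAX_FAILURES rows for the user. */
function record_failure(PDO $db, string $username, int $now): void
{
    $db->prepare('INSERT INTO failed_login (username, failed_at) VALUES (?, ?)')
       ->execute([$username, $now]);
    // MAX_FAILURES is a compile-time integer constant, not user input.
    $db->prepare('DELETE FROM failed_login WHERE username = ? AND rowid NOT IN
                  (SELECT rowid FROM failed_login WHERE username = ?
                   ORDER BY failed_at DESC, rowid DESC LIMIT ' . MAX_FAILURES . ')')
       ->execute([$username, $username]);
}

/** True when the last MAX_FAILURES failures all fall inside the window ending at $now. */
function is_locked_out(PDO $db, string $username, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM failed_login WHERE username = ? AND failed_at > ?'
    );
    $stmt->execute([$username, $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= MAX_FAILURES;
}

// Constructed timeline: three failures inside five minutes, then two checks,
// one shortly after the third failure and one after the window has passed.
$db = open_store();
$t0 = 1700000000;
foreach ([0, 60, 120] as $offset) {
    record_failure($db, 'alice', $t0 + $offset);
}
var_dump(is_locked_out($db, 'alice', $t0 + 130));
var_dump(is_locked_out($db, 'alice', $t0 + 500));
```

Keying the state on the account name means it holds no matter which IP address, proxy or browser the attempts come from.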