[sug] make use of HTTP_X_FORWARDED_FOR


Mas*Mind
Fri 15th Feb '02, 4:43am
The following code works to retrieve an IP behind a proxy

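<?php
// Use the proxy-supplied address when the header is present, otherwise the peer address.
if (getenv('HTTP_X_FORWARDED_FOR')) { $ip = getenv('HTTP_X_FORWARDED_FOR'); }
else { $ip = getenv('REMOTE_ADDR'); }
?>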

It doesn't always work, but it would be useful to check if it exists and, if so, save this address instead of the proxy address.

eva2000
Fri 15th Feb '02, 5:04am
But the IP behind the proxy can be spoofed as well, but it would be useful anyway :)

Mas*Mind
Fri 15th Feb '02, 6:18am
Of course it can be spoofed, but the same counts for IP addresses not behind a firewall.

I was wondering btw, doesn't this piece of code in session.php:

$HTTP_USER_AGENT=substr($HTTP_USER_AGENT,0,50);
$REMOTE_ADDR=substr($REMOTE_ADDR,0,50);

allow users to spoof their IP/user agent easily by typing:

url.php?REMOTE_ADDR=1.1.1.1&HTTP_USER_AGENT=blablabla

?

This is from session.php 2.03 btw, didn't take a look at the newest version yet.

Wayne Luke
Fri 15th Feb '02, 10:05am
If it does, it is a bug in PHP. Those are variables that are created from the headers that PHP gets from the webserver.

John
Fri 15th Feb '02, 12:46pm
And we will be making more use of HTTP_X_FORWARDED_FOR in vB3.

John

Daroz
Fri 15th Feb '02, 5:32pm
John, is there a timetable for V3's release?

(I.e. Q1, Q2, Q3, or if you're Microsoft, QVapor?)

:D

tubedogg
Fri 15th Feb '02, 8:21pm
Late Q1/early Q2...spring...April/May...Sometime this year...

GameCrash
Sat 16th Feb '02, 3:39pm
Originally posted by tubedogg
Late Q1/early Q2...spring...April/May...Sometime this year...

You mean the public betas or the release?

tubedogg
Sat 16th Feb '02, 7:06pm
Either...both...one...the other...;)

GameCrash
Sat 16th Feb '02, 7:21pm
:D

Mas*Mind
Mon 18th Feb '02, 2:40am
Originally posted by John
And we will be making more use of HTTP_X_FORWARDED_FOR in vB3.

John

Nice stuff :)

If it does, it is a bug in PHP. Those are variables that are created from the headers that PHP gets from the webserver.

OK (I didn't check it, no PHP on my computer), but wouldn't it be safer to use getenv("REMOTE_ADDR") anyway?

nuno
Mon 18th Feb '02, 6:17am
Well, that will work if a user is browsing with filtered proxies.
If they browse with a non-filtered but slower proxy, then there's nothing you can do about it; HTTP_X_FORWARDED_FOR will return empty.

Anonymity types:

Anonymous - HTTP proxy server does not send the HTTP_X_FORWARDED_FOR variable to the host; this improves privacy since your IP address cannot be logged.

High anonymity - HTTP servers of this type don't send the HTTP_X_FORWARDED_FOR, HTTP_VIA and HTTP_PROXY_CONNECTION variables. The host doesn't even know you are using a proxy server and of course it doesn't know your IP address.

Mas*Mind
Mon 18th Feb '02, 6:24am
Originally posted by nuno
well
that will work if a user is browsing with filtered proxies....

It doesn't always work, but it would be useful to check if it exists and, if so, save this address instead of the proxy address.

nuno
Mon 18th Feb '02, 6:36am
Yes, but wouldn't that be even more stressful for the WOL page?

Mas*Mind
Mon 18th Feb '02, 7:18am
Originally posted by nuno
Yes, but wouldn't that be even more stressful for the WOL page?

Nope, hardly; you only have to make an extra variable check (i.e. check if getenv('HTTP_X_FORWARDED_FOR') is empty). The stress you're talking about is because of converting IP addresses to domain names; that's a totally different thing.
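
Added example, not part of the original thread and not vBulletin code: a version of the header check from the first post that addresses the spoofing concern raised in the replies. It goes beyond the thread by honouring X-Forwarded-For only when the connecting peer is a known proxy; the function name resolve_client_ip, the $trustedProxies allow-list and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example; resolve_client_ip() and $trustedProxies are hypothetical names.

/**
 * Return the client address to log. X-Forwarded-For is honoured only when the
 * TCP peer (REMOTE_ADDR) is a proxy we operate; from any other peer the header
 * is client-controlled input and is ignored.
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable peer address (e.g. a CLI run)
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, $trustedProxies, true)) {
        return $peer; // direct client, or header sent by an untrusted peer
    }
    // The header is a comma-separated chain: client, proxy1, proxy2, ...
    // Each proxy appends the address it saw, so walk from the right and stop
    // at the first hop that is not one of our proxies. Anything left of that
    // hop was supplied by the client and proves nothing.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // chain contained only our own proxies
}

// Constructed sample requests using documentation address ranges.
// In a request handler, pass $_SERVER, which query-string parameters
// cannot overwrite.
$trustedProxies = ['192.0.2.10'];
$cases = [
    'direct client, forged header' =>
        ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1'],
    'via our proxy' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via our proxy, fake entry prepended' =>
        ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.23'],
];
foreach ($cases as $label => $server) {
    printf("%-38s => %s\n", $label, resolve_client_ip($server, $trustedProxies));
}
```

Storing the raw header next to the resolved address keeps the information the first post asks for without letting it replace the peer address in bans or session checks.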