Question

In writing a login module, I want to log IPs as an additional measure for verifying that whoever is on the other side is still the same person.

I'm using $_SERVER['REMOTE_ADDR'] as one (of many) ways to get the remote machine's IP address. Aside from an IPv4 or IPv6 address, are there any other values I should expect this to return?


Solution

There's really no added security to checking IP addresses as these can be easily spoofed and anyone who's savvy enough to be intercepting POST transactions is probably doing this anyways.

Also, you may be potentially annoying legitimate users. Think of the instance where a person may be in a location where there are several free open wifi hotspots. When they get to your login page, they may be connected to one hotspot but by the time they sign in, their machine may have decided another router is a better option and therefore their IP will change. Believe it or not, this may deter some (albeit, very few) easily-frustrated users.

Honestly, I just wouldn't bother. Using SSL, if you can, is usually the best way to go to avoid security issues like the one you're describing. Good luck with your project.

OTHER TIPS

According to the PHP online documentation only an IP address should be returned.

http://us.php.net/manual/en/reserved.variables.server.php

“'REMOTE_ADDR':

The IP address from which the user is viewing the current page.”

The value can be an IPv4 or IPv6 address. Although you will probably only get canonical values, be aware that IP addresses can be written in several ways. 192.0.2.1 is the same as 192.000.002.001, 2001:db8::1 is the same as 2001:0db0:0000:0000:0000:0000:0000:0001, etc. IPv4 addresses can even be written in IPv6 notation like ::ffff:192.0.2.1 or ::ffff:c000:0201 if the webserver accepts IPv4 connections on IPv6 sockets. I see that on Linux systems a lot.

Logging IP addresses should not be a problem as long as you reserve enough space. Actually using IP addresses for access control is getting more and more tricky these days. Because big parts of the world have run out of new IPv4 addresses you will see that ISPs have to use NAT on a large scale to keep connecting new customers to the IPv4 internet. These large scale NATs will use a pool of public IPv4 addresses for maybe thousands of customers. One IP address can be used by many customers, and one customer might end up using different addresses from the pool.

In IPv6, tracking the IP address has other things to take into account. The original IPv6 auto-configuration mechanism is based on using the MAC address as part of the IPv6 address. Because of privacy concerns, most operating systems now use a (kind of) randomly generated interface identifier (usually the last 64 bits of the address) for outgoing connections, and those bits can/will change over time. Some operating systems (Mac OS X) even keep statistics on whether IPv4 or IPv6 is faster, and I have seen clients switch back and forth between IPv4 and IPv6 on occasion.

And then you can have users that roam from one wireless hotspot or office network to another, thereby switching IP addresses.

So I think logging IP addresses might make sense based on what you want to do with the data, but using them as (part of) a form of access control might cause more trouble than it's worth.
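One way to bring the different notations described above into a single form before logging, added here as an example and not code from either answer. The function name normalize_remote_addr, the returned array keys and the sample inputs are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Normalize a REMOTE_ADDR value for logging (hypothetical helper).
 * Returns canonical text, the packed bytes and, for IPv6, the /64 prefix,
 * or null when the input is not an IP address.
 */
function normalize_remote_addr(string $raw): ?array
{
    // REMOTE_ADDR comes from the socket peer, but validate before storing.
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($raw);            // 4 bytes for IPv4, 16 for IPv6
    if ($packed === false) {
        return null;
    }
    // IPv4-mapped IPv6 (::ffff:a.b.c.d): unwrap to the plain 4-byte IPv4 form
    // so one client does not show up under two different log keys.
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && substr($packed, 0, 12) === $mappedPrefix) {
        $packed = substr($packed, 12);
    }
    $result = [
        'text'     => inet_ntop($packed), // canonical, compressed notation
        'packed'   => $packed,            // fits a 16-byte binary column
        'prefix64' => null,
    ];
    // The low 64 bits of an IPv6 address may rotate (privacy addresses), so
    // also keep the /64 network prefix for comparing log entries.
    if (strlen($packed) === 16) {
        $result['prefix64'] = inet_ntop(substr($packed, 0, 8) . str_repeat("\x00", 8)) . '/64';
    }
    return $result;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs using documentation address ranges.
    $samples = ['192.0.2.1', '::ffff:192.0.2.1', '::ffff:c000:0201',
                '2001:0db8:0000:0000:0000:0000:0000:0001', '2001:db8::1', 'not-an-ip'];
    foreach ($samples as $raw) {
        $n = normalize_remote_addr($raw);
        printf("%-42s => %s %s\n", $raw, $n['text'] ?? '(rejected)', $n['prefix64'] ?? '');
    }
}
```

In a web request the input would be $_SERVER['REMOTE_ADDR']; the CLI loop only exercises the helper on the constructed samples.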

Licensed under: CC-BY-SA with attribution