CODEWITHSUNDEEP
phpsecurity
user1649326
user1649326

Reputation: 257

Non-registration submission, security concern

I've created a simple script that allows a user to post a message, question or discussion on my site. I've not got anything online yet so I can't show you, but one thing I don't want is registration.

I want a simple, streamlined and quick way for anybody to come on to my site and post a message, to which others can respond (also without registration).

My question is about security. I've made it so that a person may edit their own message only if the following conditions are met:

  1. The IP address ($_SERVER['REMOTE_ADDR']) matches the one used to ask the question (I store it in the database).
  2. No more than 20 minutes have elapsed.

I want to know how easy this would be to break, and how I can make it stronger. I'm an absolute newby when it comes to security and I'll state now I have no real interest in this side of development, I'm more of a client/server developer, but my strong point is JavaScript.

I'm not too clued up on networking either. How easy is it to spoof an IP address and also how common is it to find two users with identical addresses? I am thinking about making a session ID which will be stored in a temporary database as a third clause that must exist in order for edits to take place. Of course this means users will not be able to leave the site and come back to edit.

Could anyone give me some advice on the best way to proceed?

Note: I want to make it clear that I absolutely do not want registration, which would eliminate this problem entirely. I want a free to use, public site that anyone can simply come along and use.

Note 2: I've also taken care of the bot problem with a simple piece of JavaScript requiring the user to interact with the site (quicker than CAPTCHA), so no worries here.

Kind regards.

Upvotes: 0

Views: 60

Answers (4)

Alvin Wong
Alvin Wong

Reputation: 12430

IMHO:

Two users using two computers attached to the same router will fail the check, because the two would have the same external IP in the PHP script's point of view.

 __________         __________
| ________ |       | ________ |
||        ||       ||        ||
||________||       ||________||
|__________|       |__________|
     /\                 /\
    ----               ----
192.168.1.101      192.168.1.102

      |                 |
       \               /
        \             /
         \           /
          \         /
           \       /
            \     /
         ____________
        |            |   137.204.xxx.xxx <- This is what you see in your script
        |   ROUTER   |  -----------------  Internet
        |____________|

But I am more concerned when a lot of spammers come to your site and... you know what happens.

P.S. spammers are not necessary bots, a lot of human actually get paid to do the job.

Upvotes: 2

Florin Stingaciu
Florin Stingaciu

Reputation: 8295

I think a better way to handle this is generating a unique session ID and storing it for some amount of time (in your case 20 mintues). Your approach will not work if you have a number of computers attached to the same router as ($_SERVER['REMOTE_ADDR']) will actually return you the routers IP address. Also another possible situation where this might fail could be, if they router hops IP address, then that person will not be able to edit their post. I acknowledge that this a very unlikely situation but hey, you never know.

You can generate a unique session ID in many diffrent ways. One way is 

session_start()
if (!isset($_SESSION['uniqueID'])){
   $_SESSION['uniqeID'] = uniqid(mt_rand(), true);
}

You can store all unique IDs on the server for twenty minutes and when a user wants to do something you could check against this list. This is a fairly complicated way. You could just use cookies. Also I suggest that you limit the number of posts per person for some amount of time. Otherwise spammers will wreck havoc on your post boards.

Upvotes: 1

SomeKittens
SomeKittens

Reputation: 39522

It's very easy to spoof an IP address, but I don't think that'll be your big problem.

The issue is that multiple users may post from the same external IP address if they're behind the same router. I had that problem when my brother and I signed up for the same forum. I've heard of people having issues on SO itself when someone going to the same college got IP banned.

Your best bet would be to create a cookie via $_SESSION so that you can track individual users.

Upvotes: 1

Jeff
Jeff

Reputation: 12183

AFAIK your approach is correct, and you could combine it with a cookie to avoid the multiple-users-on-same-ip problem (of course state this on your site).

Upvotes: 1

Related Questions