php web based portal authentication through IP

Question

i have a web portal running which involves basic data entry. The issue being that this is highly sensitive data. And the credibility of the data entry personel is very low. Therefore i have implemented recording of IP when an entry is made. The Problem i am facing is if this if this person starts forwarding his IP from a proxy server then i am unable to track authenticity of the data.

How do i detect if the IP forwarding is happening/ get the real ip address of the person.

Answer 1

You can check the X-Forwarded-For header. However, if they are using an anonymous proxy, you won't be able to retrieve the ip. You might be better off implementing a stronger username/password policy, i.e., forcing password changes often.

Answer 2

The point of some proxy servers is to not reveal the real IP of the user. However, some proxies supply a HTTP header such as "X-Forwarded-For" or "X-Real-IP". But those headers should neither be taken granted nor should they be trusted. A user might as well just put another faked IP in there.

Basically, using the IP address as a user identifier is not reliable.

Another way to identify a user is cookies. The most simple case: You store the user ID into a cookie and store it with the data. Now the user may use browser privacy modes that flush cookies soonishly.

A way around that might be storing the user ID in different places too. See, for example, evercookie. It tries really hard, to never ever loose the user ID. But then again, the user could just change computers and you might not be able to track that. You can't be 100% sure.

Answer 3

You can't. Not in any reliable fashion.

You will only ever know the IP address of the request sender with 100% certainty. Whether this sender is a proxy or not can't be reliably detected. If it's a proxy, there's no way to get the originating IP address (reliably).

Require user logins with strong passwords or otherwise enhance your authentication mechanism.