NeoThermic's Journal: IP Spoofing?
Consider this. You've got an application which records users' IP addresses when they access, say, a PHP script. According to HTTP headers, you've generally got two ways of knowing the user's IP. One is to use $_SERVER['REMOTE_ADDR'], and the other is $_SERVER['HTTP_X_FORWARDED_FOR']. Which do you trust the most?
What happens if, say, you trusted HTTP_X_FORWARDED_FOR over REMOTE_ADDR, and someone indicated that, using Firefox, it is trivial to spoof the former? Would you change your code to use REMOTE_ADDR, or would you argue that anyone can also spoof their REMOTE_ADDR using proxies and other such things?
I would be interested in hearing your thoughts on this issue.
NeoThermic
Re:Neither (Score:2)
I'm also not referring to spoofing to gain access one normally wouldn't have, more as spoofing to hide one's "real" (as best as one can get) IP.
I would be interested in more of your thoughts as to which you would choose under the confines of this idea.
NeoThermic
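One way to handle the choice posed in the journal entry, as an added example that is not part of the original post or its comments: attribute the request to REMOTE_ADDR unless the connection comes from a reverse proxy you operate, and record the claimed header next to it rather than instead of it. The function name, the proxy list and all addresses are assumptions constructed for illustration.

```php
<?php
// Hypothetical list: reverse proxies you run yourself (constructed address).
const TRUSTED_PROXIES = ['192.0.2.10'];

/**
 * Decide which address a request is attributed to, and keep the raw
 * X-Forwarded-For claim for the audit log. Hypothetical helper.
 */
function client_ip_for_log(array $server): array
{
    $peer   = $server['REMOTE_ADDR'] ?? '';           // address of the TCP peer
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';  // client-controlled header
    $client = $peer;

    // Consult the header only when the TCP peer is one of our own proxies.
    if ($xff !== '' && in_array($peer, TRUSTED_PROXIES, true)) {
        // Walk right to left: the rightmost entries were appended by the
        // hops closest to this server.
        $hops = array_reverse(array_map('trim', explode(',', $xff)));
        foreach ($hops as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break; // malformed entry: keep the last address we accepted
            }
            $client = $hop;
            if (!in_array($hop, TRUSTED_PROXIES, true)) {
                break; // first hop we do not operate: entries left of it are unverified
            }
        }
    }

    return [
        'client_ip'   => $client,
        'peer_ip'     => $peer,
        'claimed_xff' => substr($xff, 0, 256), // logged as a claim, length-capped
    ];
}

// Constructed requests: a direct client sending a forged header, and a
// request that arrives through our own proxy.
$samples = [
    ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'],
    ['REMOTE_ADDR' => '192.0.2.10',  'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.7'],
];
foreach ($samples as $s) {
    echo json_encode(client_ip_for_log($s)), PHP_EOL; // JSON-encode before logging
}
```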