#1
m002.p, 22 Jan 2009, 18:07
Join Date: Jan 2007
Real name: Matt
Depend on IP to view restricted page?

Hi

Anyone know whether or how secure depending on a viewer's IP is to then either get access to a restricted page or not?

I have a MySQL table with up-to-date member IPs, where in a PHP file I use this code to either enable access or deny it.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

So how secure is the above code? I have a few pages running it which I want restricted and all works well.

However, from a secure PHP point of view, is it possible for someone to fake the user's IP, find it out, or just gain access to the restricted page without fulfilling the requirement?

Thanks for any constructive advice.

Matt
__________________
www.sog-team.co.uk

#2
Dismounted, 23 Jan 2009, 05:09
Join Date: Jun 2005
Real name: Hanson
Would it be possible to gain access without actually being the user? Yes. One possibility is someone getting assigned the same IP fairly quickly. Most ISPs issue dynamic IPs. Another possibility is that even when the user has logged out, the computer would still have access to the page.

Is there something stopping you from doing a proper session check?
__________________
Former vBulletin.org Staff Member

View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.

#3
m002.p, 23 Jan 2009, 18:54
Join Date: Jan 2007
Real name: Matt
As I thought sadly.

I would do the normal session check; however, unfortunately I do not know or cannot find a secure way of doing it.

Could you advise please?

Thanks Dismounted.

#4
Dismounted, 24 Jan 2009, 04:45
Join Date: Jun 2005
Real name: Hanson
As long as the two sites are on the same server, you can include global.php; this will do all the checking for you.
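
The session check suggested in post #4, as an added example that is not part of the original thread and not vBulletin's own code. It assumes vBulletin 3.x on the same server as the restricted page; the forum path, the script name and the usergroup ID are placeholders.

```php
<?php
// Added example: gate a custom page on the vBulletin login session
// instead of the visitor's IP address. Assumes vBulletin 3.x installed
// on the same server as this page.

// Placeholder values; adjust for the actual installation.
$forumPath     = '/path/to/forum'; // hypothetical forum root
$allowedGroups = array(6);         // constructed sample: usergroup IDs allowed to view

// vBulletin expects THIS_SCRIPT to be defined before global.php is loaded.
define('THIS_SCRIPT', 'restricted_page'); // hypothetical script name

// global.php uses relative includes, so switch to the forum root first,
// then restore the working directory for this page's own includes.
$pageDir = getcwd();
chdir($forumPath);
require_once('./global.php');
chdir($pageDir);

// global.php has now validated the session and populated
// $vbulletin->userinfo. Guests (not logged in) have userid 0.
// print_no_permission() renders the standard error page and stops the script.
if (!$vbulletin->userinfo['userid']) {
    print_no_permission();
}

// Optionally require membership of specific usergroups as well, so that
// access follows the account's current group rather than a stored IP.
if (!is_member_of($vbulletin->userinfo, $allowedGroups)) {
    print_no_permission();
}

// Only authenticated, authorised members reach this point.
echo 'Restricted content for member #' . intval($vbulletin->userinfo['userid']);
```

Because the decision is tied to the logged-in account, it ends when the user logs out and does not carry over to whoever next receives the same IP address, the two failure cases raised in post #2.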

#5
blayke, 24 Jan 2009, 07:00
Join Date: Nov 2007
It is not hard to spoof an IP address, and all it takes to find out someone's IP is social engineering or a file transfer over AIM or MSN.

#6
m002.p, 24 Jan 2009, 11:37
Join Date: Jan 2007
Real name: Matt
I agree, blayke, but for my requirements it would be easier said than done.