Creating a PHP ACL and even Rat out Users using Proxies!
Now before some snotty nosed individual points out that ACLs can be done via .htaccess, let me cover my arse by saying although it can be done that way, we're not doing it that way. More technically speaking, however, albeit Apache is the better way it's not the most practical way due to the manual updating of .htaccess files. Unless you wish to parse the file - which is not advised for security and speed reasons, then PHP is the way to be heading.
With the disclaimer out the way and placed nicely in a corner, let's move onto the world of ACLs. Imagine you have a nasty little imp on your website who's causing all sorts of mischief, wouldn't it be nice to not only ban him, but out-smart him when he thinks he'll use a proxy to bypass the ban? Let me state for the record though that we can never truly ban anyone. You see, a little networking background is unfortunately required. HTTP is a layer 3 protocol in the TCP suite, and frankly, it doesn't give a monkeys - this is more technically defined as a stateless protocol. However, HTTP is not alone, IP also plays its part. IP is a layer 3 protocol which is your fingerprint on the Internet. IP addresses can be spoofed, but using the TCP suite spoofing an IP is pointless because the returning SYN-ACK will be returned to the wrong location. Nonetheless, connections can be relayed via a middle-man server - a proxy server. A proxy server receives your query and then acts on your behalf for the connection to the end location - then finally returns the data to you. Fundamentally, the connection from the proxy to the server will use the proxy's IP address, not yours.
Technical stuff over. The conclusion we can draw from the above paragraph is that an IP address can be spoofed in the sense that a middle-man server is involved in the equation. Bugger!
Let's now jump into the code, bear in mind that I'm using a pre-defined array but this array can quite easily come from a database table.
The code is all good and well, it will find the user, and as the
Let me introduce you to a HTTP header attribute that is optional! Remember that as we can never rely on it completely (although I know of a popular forum package that used to rely on it completely). X_FORWARDED_FOR is that very attribute. When an end-user connects to the proxy server and accesses a web-page, all being well, the proxy server should attach the header attribute with the end-user's IP address. If for instance my IP address is 22.214.171.124 then my HTTP header may look something like the following:
Note: I've tried the 2 most common web-based proxies to see if they set the X_FORWARDED_FOR attribute. Unsurprisingly they do not but who's going to use a web-based proxy for any great length of time? Let me also take this moment to share a piece of mind on how terribly coded I think CGIProxy and PHProxy are.
Note: We're using regular expressions to check if the IP address in the X_FORWARDED_FOR attribute is a valid IP address consisting of 4 octets. As it's header attribute it could be absolutely anything so this ensures that we do not let any junk through.
To take this even further, and to be somewhat of a cliché, we could also set a cookie. Albeit I'm not going to show you how to do this for 2 reasons:
OK, OK! Just for those who are sat there shaking their heads profusely right now, let me show you how to set a cookie in this instance:
Thankfully now we have got rid of our irritating gremlin who has been creating incessant problems on your website. Gone for good! Well, not quite, admittedly, but it's as good it's going to get unless you don't mind sacrificing a little speed to check for open proxies before any of the website is displayed. IRC servers tend to check for open proxies but this is only due to the fact that most people expect IRC connections to take a good 10 seconds. Most people expect and even demand with attitude that web-sites load in the blink of an eye.
|All times are GMT. The time now is 07:43 PM.|
Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0