jerrygarciuh has asked for the wisdom of the Perl Monks concerning the following question:

I have as a small security measure used $user = $ENV{'REMOTE_ADDR'}; to record the IP of folks using a news page update script. Can I get Perl to give me more useful information about the user than just the IP address?
TIA
jg
_____________________________________________________
If it gets a little bit out of hand sometimes, don't let it fool you into thinkin' you don't care.TvZ

Replies are listed 'Best First'.
(ichimunki) Re: How can I get useful info from $user = $ENV{'REMOTE_ADDR'};
by ichimunki (Priest) on Dec 15, 2001 at 01:19 UTC
    Well, so far two VERY contradictory answers. What to do?

    Believe them both. The typical web user is not forging or altering their HTTP headers, although in some cases the information may not be terribly useful. But anyone who wants to can easily insert just about any value they like into those fields (potentially even values that pose security threats-- so remember to use taint for added safety). To get a list of every value available to you in a CGI (which will depend on which browser you run this test with), you can run a little script like:
    #!/usr/bin/perl -wT
    use strict;
    use CGI;    # needed for CGI->new below

    my $CGI = CGI->new;

    # Page header and title
    print(
        $CGI->header(),
        $CGI->start_html( -title => 'Save the Environment' ),
        $CGI->h1( 'Here are the $ENV variables I see' )
    );

    # One paragraph per environment variable visible to the script
    print $CGI->p( "$_ = $ENV{$_}" ) for ( keys %ENV );

    print $CGI->end_html();
    (please note the code above is untested).
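The following is an added example, not part of the original thread: under taint mode it builds one audit-log line that keeps the server-observed REMOTE_ADDR separate from request headers the client controls, and neutralises those headers before they reach the log. The file name audit.pl, the function names clean_addr, clean_header and audit_line, the header list and the log layout are all assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Run as ./audit.pl or "perl -T audit.pl" (taint mode, as in the script above).
use strict;
use warnings;

# Request headers the client controls; REMOTE_ADDR instead comes from the
# server's view of the TCP connection (which may be a proxy or NAT gateway).
my @CLIENT_SUPPLIED = qw(HTTP_USER_AGENT HTTP_REFERER HTTP_X_FORWARDED_FOR);

# Accept only something shaped like an IP address; the capture untaints it.
sub clean_addr {
    my ($addr) = @_;
    return 'invalid' unless defined $addr;
    if ($addr =~ /\A((?:\d{1,3}\.){3}\d{1,3})\z/) {
        my $ip = $1;
        return $ip unless grep { $_ > 255 } split /\./, $ip;
    }
    elsif ($addr =~ /\A([0-9A-Fa-f:.]{2,45})\z/) {
        my $ip = $1;
        return $ip if ($ip =~ tr/://) >= 2;    # loose IPv6 shape check
    }
    return 'invalid';
}

# Make a client-supplied value safe to embed in one quoted log field.
sub clean_header {
    my ($value) = @_;
    return '-' unless defined $value && length $value;
    $value = substr($value, 0, 200);
    $value =~ s/[^\x20-\x7E]/?/g;    # no CR/LF, so no forged extra log lines
    $value =~ s/(["\\])/\\$1/g;      # quotes cannot end the field early
    return $value;
}

sub audit_line {
    my ($env, $action) = @_;
    my @fields = (scalar(gmtime) . ' UTC', "action=$action",
                  'addr=' . clean_addr($env->{REMOTE_ADDR}));
    push @fields, lc($_) . '_unverified="' . clean_header($env->{$_}) . '"'
        for @CLIENT_SUPPLIED;
    return join ' ', @fields;
}

# Constructed sample request: the User-Agent tries to smuggle a second log line.
my %sample = (
    REMOTE_ADDR          => '203.0.113.7',
    HTTP_USER_AGENT      => "Mozilla/4.0\n2001-12-15 action=login addr=10.0.0.1",
    HTTP_X_FORWARDED_FOR => '198.51.100.9',
);
print audit_line(\%sample, 'news_update'), "\n";
```

In a real CGI script the call would be audit_line(\%ENV, ...); the record still only says which address connected, not who the person was, which is why the replies below point to logins and sessions.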
Re: How can I get useful info from $user = $ENV{'REMOTE_ADDR'};
by dws (Chancellor) on Dec 15, 2001 at 01:30 UTC
    I have as a small security measure used $user = $ENV{'REMOTE_ADDR'}; to record the IP

    Proxy servers and NAT (network address translation) can provide major barriers to getting useful information from $ENV{'REMOTE_ADDR'}. For instance, if you've got a set of users coming in from, say, AOL, they'll all appear to have the same IP address.

    If you want to identify individual users, you're going to have to resort to some manner of login/session tracking or browser via cookie. See merlyn's WebTechniques articles for suggestions.

    REMOTE_ADDR is hard for the casual hacker to forge, but if someone serious comes after you, you have other problems.

Re: How can I get useful info from $user = $ENV{'REMOTE_ADDR'};
by clintp (Curate) on Dec 15, 2001 at 01:06 UTC
    Short answer: No. Everything in the HTTP conversation can be a lie. The address can even be a lie if there's a proxy involved.
Re: How can I get useful info from $user = $ENV{'REMOTE_ADDR'};
by Moonie (Friar) on Dec 15, 2001 at 01:08 UTC
    You can also get the user name and other information. They're all CGI Environment Variables. Check here to see more. - Moon
Re: How can I get useful info from $user = $ENV{'REMOTE_ADDR'};
by Fastolfe (Vicar) on Dec 15, 2001 at 21:08 UTC
    I would not trust any "implicit" attempt at authenticating the user, via IP address, hostname, whatever. If you're looking at securing your application, you might want to consider distributing UserID's for your users and requiring them to authenticate when they enter the protected area of your site.

    Unfortunately, if you automate user creation, you're stuck in the same boat unless you take extra steps to try and verify the user's identity. Even requiring a valid e-mail address before their username is accepted isn't always a fool-proof way of establishing identity, as Hotmail accounts are available to anyone that wants one (or 10).