trs28

PHP $server[REMOTE_PORT] returns null

I am writing a web app in PHP (ver. 5.0.4) that runs on Win2003 Server (IIS 6.0) and need to obtain the client machine's port number. When I use $_Server[REMOTE_PORT] or $_env[REMOTE_PORT] it returns null; REMOTE_ADDR works fine. I know this is not a PHP problem, but does anyone know what I need to do to IIS so I can read the client port? I've tried this app on several Win2K servers with the same result.
huji

Do you code it correctly? Create a page like this:


<?php
echo $_SERVER['REMOTE_PORT'];
?>


Tell me the result.
ASKER CERTIFIED SOLUTION
hernst42
This solution is only available to members.

Check for a firewall; a lot of client firewalls block port scanning.
Why would you want to know their port?

If they access the site via http the remote port will be 80, if they do it via https it will be 443,

if you run it at the console eg.
c:\>php remote.php
where remote contains the above-mentioned script, you will get a null value.
So why do you want to know remote port?
hernst42 noticed a point that I missed. .htaccess only works in Apache, not in IIS. I suggest you download and install Apache.

Cheers,
Huji
D'oh.
I just realized that it was on IIS not apache.
before that see your server vars.
<?
phpinfo();
?>
trs28

ASKER

Yes, I have tried it with register_globals = On and Off and register_long_arrays = On and Off and I get the same result.
When I run:
<?php
echo $_SERVER['REMOTE_PORT'];
?>
it returns null,
if I run:
<?php
echo $_SERVER['REMOTE_ADDR'];
?>
it returns the IP Address of the client...
---

I know the server port is always 80, but I would like to know what the client port is (which is different each time you open a browser) so I can add a higher level of security and prevent someone from backdooring my app (getting in without entering the username and password and using someone else's session). Thank you.
Sessions are not dependent on port.

Creating server sessions can't be stolen by someone else, it's connection between browser and server.
what is the output of
phpinfo();

besides, if you want to be blocking ports, you should be doing so on your firewall, not your web server.

Even if you have all ports but 53 and 80 (DNS and HTTP), the connections to these higher random ports are initiated by the server. People can't take the backdoor and connect to a server that only listens on port 80 with all others blocked. If this is for a security purpose, it's a waste of time.

Even if you do receive the number, what will you do with it?

They can't open a connection on any port other than 80 if your web server and firewall are set up correctly. Even if it's inside your building, your IIS server should be set up to ignore any other requests that are not on port 80.
If they do hack in to the server through another port, it won't be to surf your site, and the security you set up on your script will do you nothing.

All you need is set up proper file permissions, so that the web user only has read access to the root directory and sub directories of the web site, and add a line similar to this.

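session_start();
// Redirect unauthenticated visitors to the login page.
if (empty($_SESSION['authed']) || $_SESSION['authed'] != 1) {
    header("Location: http://www.mysite.ca/login.php?error=something");
    exit; // stop here, otherwise the rest of the protected page still runs
}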
Even the remote port can change from request to request if the browser does not support keep-alive or the keep-alive has expired. So checking the port is no real good for preventing session hijacking. At some providers even the IP changes from request to request due to load-balanced proxies.

A secure method is to use SSL all the time with cookies for the session. In my opinion all other things are a lot of effort which doesn't make things more secure. Checking for IP and port and logging users out will result in more bug reports (session expired) or users who do not use your service because it does not function as expected.

As mentioned at the beginning, $_SERVER['REMOTE_PORT'] is undefined on IIS and will not show up in phpinfo().
For a secure implementation of your app to prevent session hijacking, read
http://en.wikipedia.org/wiki/CSRF (especially the part about prevention)

Also see, for secure application programming:
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/SQL_injection
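
The approach recommended in the comment above (HTTPS with a cookie-based session, with no check on client IP or port), shown as an added example that is not part of the original thread. It assumes PHP 7.3 or later and an HTTPS-only site; the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ and an HTTPS-only site.
// start_secure_session, login_user, require_login, csrf_token_is_valid and
// client_endpoint are hypothetical helper names.

function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept session IDs from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
    session_start();
}

function login_user(string $username): void
{
    session_regenerate_id(true); // fresh ID at login defeats session fixation
    $_SESSION['authed']     = 1;
    $_SESSION['user']       = $username;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function require_login(): void
{
    if (empty($_SESSION['authed'])) {
        header('Location: /login.php?error=something');
        exit; // stop here so the protected page never renders
    }
}

function csrf_token_is_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

// Address and port are recorded for the audit log only. They are never compared
// between requests, because both can change within one legitimate session.
function client_endpoint(): string
{
    $addr = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $port = $_SERVER['REMOTE_PORT'] ?? 'n/a'; // may be unset, as on the asker's IIS setup
    return $addr . ':' . $port;
}
```
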

Something else: For a local web site on my machine, hosted on Apache on port 9090, REMOTE_PORT is returned as "3471". I think the same applies for web sites hosted on port 80; REMOTE_PORT can be different from 80.
SOLUTION
This solution is only available to members.

Well hernst, you explained it excellently. Thank you.
I am able to get results from Apache on IIS for $_SERVER['REMOTE_PORT'] on the local machine, but when posting the script on a remotely hosted site, I get a null value.
The remote site has Apache on IIS, same as my local machine, but the results are not the same! Any ideas on what the cause of this is?