Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

PHP $server[REMOTE_PORT] returns null

Posted on 2007-10-12
15
Medium Priority
?
1,855 Views
Last Modified: 2013-12-13
I am writing a web app in php (Ver 5.0.4) that runs on Win2003 Server( IIS 6.0 ) and need to obtain the client machine port number. When I use $_Server[REMOTE_PORT] or $_env[REMOTE_PORT] it returns null, REMOTE_ADDR works fine. I know this is not a php problem, but does anyone know what I need to do to IIS so I can read the client port?  I've tried this app on several Win2K servers with the same result.
0
Comment
Question by:trs28
  • 4
  • 4
  • 3
  • +3
15 Comments
 
LVL 14

Expert Comment

by:huji
ID: 20066570
Do you code it correctly? Create a page like this:


<?php
echo $_SERVER['REMOTE_PORT'];
?>


tell me the result
0
 
LVL 48

Accepted Solution

by:
hernst42 earned 750 total points
ID: 20066620
This option is only available if you use apche.
To see which variables are set by which webserver see http://koivi.com/apache-iis-php-server-array.php

AFAIK no setting IIS can enable this
0
 
LVL 17

Expert Comment

by:nplib
ID: 20066645
Check for firewall, a lot of client firewall block port scanning.
Why would you want to know their port.

If they access the site via http the remote port will be 80, if they do it via https it will be 443,

if you run it at the console eg.
c:\>php remote.php
where remove contains the above mentioned script, you will get a null value.
So why do you want to know remote port?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 14

Expert Comment

by:huji
ID: 20066745
hernst42 noticed a point that I missed. .htaccess only works in Apache, not in IIS. I suggest you download and intall Apache.

Cheers,
Huji
0
 
LVL 17

Expert Comment

by:nplib
ID: 20066855
D'oh.
I just realized that it was on IIS not apache.
0
 
LVL 20

Expert Comment

by:Gawai
ID: 20068265
before that see your server vars.
<?
phpinfo();
?>
0
 

Author Comment

by:trs28
ID: 20068490
Yes, I have tried it with register_globals = On and Off and register_long_arrays = On and Off and I get the same result.
When I run:
<?php
echo $_SERVER['REMOTE_PORT'];
?>
it returns null,
if I run:
<?php
echo $_SERVER['REMOTE_ADDR'];
?>
it returns the IP Address of the client...
---

I know the server port is always 80 but I would like to know what the client port is (which is different each tiime you open a browser) so I can add a higher level of security and prevent someone from backdooring my app (getting in without entering the username and password and using some elses session). Thank you
0
 
LVL 17

Expert Comment

by:nplib
ID: 20068514
Sessions are not dependent on port.

Creating server sessions can't be stolen by someone else, it's connection between browser and server.
0
 
LVL 20

Expert Comment

by:Gawai
ID: 20068551
what is the output of
phpinfo();

0
 
LVL 17

Expert Comment

by:nplib
ID: 20068602
besides, if you want to be blocking ports, you should be doing so on your firewall, not your web server.

Even if you have all ports but 53 and 80 (DNS and HTTP), the connection to these higher random ports are initiated by the server. People can't take the backdoor and connect to a server that only listens on port 80 with all others blocked. If this is for a security purpose, it's a waste of time.

Even if you do receive the number, what will you do with it?

They can't open a connection on any other port other then 80, if your web server and firewall are setup correctly. Even if it's inside your building, your IIS server should be setup to ignore any other requests that are not on port 80.
If they do hack in to the server through another port, it won't be to surf your site, and the security you set up on your script will do you nothing.

All you need is set up proper file permissions, so that the web user only has read access to the root directory and sub directories of the web site, and add a line similar to this.

session_start();
if ($_SESSION['authed'] != 1) {
            header("location:http://www.mysite.ca/login.php?error=something");
}
0
 
LVL 48

Expert Comment

by:hernst42
ID: 20068687
even the remote port can change from request to request, if the browser does not support keep alive or the keep alive has expired. So checking for Port is no real good to prevent hijacking sessions. Even at some providers the IP changes from request to request due loadbalanced proxies.

A secure method is to use SSL all the time with cookies for session. From my opinion all other things are a lot of effort which don't make things more secure. checking for IP and Port and logout users will result of more bug report (session expired) or users which not use your service as your service is not function as expected.

As mentioned at the begining $_SERVER['REMOTE_PORT'] is undefined on IIS and will not show up in phpinfo().
For a secure implementation of your app to prevent Session hijacking read
http://en.wikipedia.org/wiki/CSRF (special the part about prevention)

also see for secure application programing:
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/SQL_injection

0
 
LVL 14

Expert Comment

by:huji
ID: 20069164
Something else: For a local web site on my machine, hosted on Apache on port 9090, REMOTE_PORT is returned as "3471". I think the same applies for web sites hosted on port 80; REMOTE_PORT can be different from 80.
0
 
LVL 48

Assisted Solution

by:hernst42
hernst42 earned 750 total points
ID: 20069299
Of course is remote port different from server port, as the connection, outgoing from the client, uses a high unallocated port on the client side. This is needed by the TCP/IP stack to reassign incoming packets to the application which opened the port. In firewall terms packets send to the client with that port are related to the initial connection made from that port to the defined server port.

http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports
Arriving TCP data packets are identified as belonging to a specific TCP connection by its sockets, that is, the combination of source host address, source port, destination host address, and destination port. This means that a server computer can provide several clients with several services simultaneously, as long as a client takes care of initiating any simultaneous connections to one destination port from different source ports.

From the server side REMOTE_PORT is the source port in TCP, selected randomly by the client.
0
 
LVL 14

Expert Comment

by:huji
ID: 20070404
Well hersnt, you explained it excellent. Thank you.
0
 

Expert Comment

by:interac
ID: 37767337
I am able to get results from Apache on IIS for $_SERVER['REMOTE_PORT'] on the local machine but when posting the script, on a remotely hosted site, I get a null value.
The remote site has Apache on IIS, same as my local machine, but the results are not the same!!!! Any ideas on what the cause of this?
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
This video teaches users how to migrate an existing Wordpress website to a new domain.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses
Course of the Month20 days, 23 hours left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question