I am working on a PHP application that uses authentication / session / cookies. The login pages use HTTPS, whereas others use the plain HTTP.
As a part of strengthening the server security against session hijack, we used the REMOTE_ADDR check.
While this worked well when the application is used through a DSL Internet connection, it started to fail when used via dial-up.
Upon investigation, we found that the IP address assigned to the client computer did not change on every request. The problem was that the dial-up provider connected to the Internet using a proxy server (for plain HTTP pages), but connected directly to the server for HTTPS. Hence, the REMOTE_ADDR for the login page (HTTPS) was the client computer's assigned IP address, but for the subsequent pages the REMOTE_ADDR was the address of the proxy server.
We tried using the quoted code to check for HTTP_X_FORWARDED_FOR when forwarded by the proxy server. While this worked for one of the dial-up providers, it did not work for another dial-up service provider, as they did not seem to set HTTP_X_FORWARDED_FOR when forwarding through their proxy.
Can you please suggest a solution for such a situation (i.e., a good check to avoid session hijack for all possible users)? The application is meant mainly for users from Guyana, South America.
// Prefer the client address reported by the proxy; fall back to the direct peer address.
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
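An added example (not the poster's code) of a session check that tolerates the HTTPS-direct / HTTP-via-proxy split described above: X-Forwarded-For is honoured only when the direct peer is a known proxy, since a client can set that header itself, and the session is bound to a header fingerprint with the address change logged rather than treated as a hijack. It assumes PHP 7 or later, a started session, and a placeholder TRUSTED_PROXIES list that would hold the dial-up providers' proxy addresses.

```php
<?php
// Placeholder list of proxy addresses (RFC 5737 documentation range); fill with
// the dial-up providers' real proxy addresses once known.
const TRUSTED_PROXIES = ['192.0.2.10'];

// Resolve the address used for session binding. X-Forwarded-For is client-supplied
// input, so it is only used when the direct peer is a proxy we already trust.
function binding_address(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Leftmost hop is the original client; validate it is an IP literal.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

// Address-independent fingerprint: unchanged whether the request came directly
// over HTTPS or through the provider's HTTP proxy.
function session_fingerprint(array $server): string
{
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . '|' . ($server['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Called once at login (over HTTPS): issue a fresh session id and record the binding.
function bind_session(array $server): void
{
    session_regenerate_id(true);
    $_SESSION['fp']   = session_fingerprint($server);
    $_SESSION['addr'] = binding_address($server);
}

// Called on every later request. A fingerprint mismatch rejects the session; an
// address mismatch is only logged, because a proxy that omits X-Forwarded-For
// makes the address differ for legitimate dial-up users.
function verify_session(array $server): bool
{
    if (!isset($_SESSION['fp']) || !hash_equals($_SESSION['fp'], session_fingerprint($server))) {
        return false;
    }
    $now = binding_address($server);
    if (($_SESSION['addr'] ?? '') !== $now) {
        error_log('session ' . session_id() . ' address changed: ' . $_SESSION['addr'] . ' -> ' . $now);
    }
    return true;
}
```

Because the plain-HTTP pages still expose the session cookie to anyone on the path, the address check can only ever narrow the window; serving every authenticated page over HTTPS with a Secure, HttpOnly cookie removes the proxy split that causes the failure in the first place.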