Authenticating Users by IP Address
In some rare instances, you may wish to limit access to a certain page or pages to certain IP addresses. It may be because you have an internal network that has a publicly viewable Web site. You may wish to have certain pages be viewable only by certain machines on the internal network.
Or it may be that you have your own remote Web site, and you wish to restrict access to a certain page or pages so that only you, from a static IP address, can access those pages.
These methods work by determining the IP address of the user trying to view the page and checking it against a set value. If the IP address matches, then the page can be viewed.
Note that this method could be fooled by IP spoofing or other hacks, and should not be used to protect sensitive information, such as credit card numbers, proprietary information, or the like. It is a simple method that can protect pages from the majority of users surfing the net.
When using this script, you should be aware that your computer may have more than one IP address, and that the one your browser is reporting to the script may not be the same one you are attempting to verify against. This is especially true when the browser and Web server reside on the same machine, as you will probably encounter when testing the script.
For example, computers have a default local IP address of 127.0.0.1, otherwise known as "localhost." When I start up the Web server and type in "http://localhost", my browser is telling the script that I am at the IP address of 127.0.0.1. However, the Web browser on my computer is also running on the IP address 192.168.0.1 (an IP address used for an internal network). If I type in the IP address 192.168.0.1, my Web browser reports that I am at 192.168.0.1, but the script only accepts the IP address of 127.0.0.1! If you run into problems, try echoing the value of $REMOTE_ADDR to the screen to see which IP address your browser is reporting to the script.
Script 7-3 IP_authentication.php
1. <? 2. $accept = array ("127", "0", "0", "1"); 3. $remote = explode(".", $REMOTE_ADDR); 4. $match = 1; 5. for($i = 0; $i < sizeof($accept); $i++) { 6. if($remote[$i] != $accept[$i]) { 7. $match = 0; 8. } 9. } 10. if($match) { 11. echo "<h2>Access Granted!</h2>"; 12. } else { 13. echo "<h2>Access Forbidden</h2>"; 14. } 15. ?>
Script 7-3. IP_authentication.php Line-by-Line Explanation
LINE |
DESCRIPTION |
2 |
Define an array of the acceptable IP address(es) ranges that can view the page. The array must have at least one item. You can restrict by IP subnets by adding more or fewer items to the array. For example: array("192","168","0","1") limits the users who can view the page to the user with the IP address of 192.168.0.1. array("192","168","0") limits the users who can view the page to the users with an IP address in the range of 192.168.0.1 to 192.168.0.255. array("192","168") limits the users who can view the page to the users with an IP address in the range of 192.168.0.1 to 192.168.255.255. array("192") allows anybody with an IP that starts with 192 to view the page. Not very practical, but it would work! |
3 |
Create an array of numbers based on the user's IP address by exploding the $REMOTE_ADDR global variable on the periods in the IP address. |
4 |
Define a variable, $match, and set it to true (1). |
5–9 |
Loop through the acceptable IP address array. |
6 |
Compare the acceptable IP address segment with the IP address segment of the user's browser. |
7 |
If the IP address segments do not match, then set the $match variable to false (0). |
8 |
Close the if statement. |
9 |
Close the for loop. |
10–11 |
If $match is true, then allow access and print a message to the user. This is where you would present your protected content. |
12–14 |
If $match is false (0), then print out a message telling the users that they cannot access the page and exit from the script. |
15 |
Close the if statement started on line 10. |