
PHP – Identifying Individual Users Under Same Router (main IP address)

Posted by: admin July 12, 2020

Questions:

Is it possible to find the IP address of (or otherwise identify) each user on the same “router” or “main IP address”?


Update, clarifying question:

Use-case:
I’d like to be able to track whether each of N individual computer users on a possibly common network has landed on a page.

Currently, using other PHP IP detect snippets on S/O, this seems to only identify all N individual computers on the network as coming from the same IP address. This does not help solve the problem of identifying whether these come from different users on the same network, or if it’s the same user on the network hitting the page several times.

Note: cookies are likely disabled.

How to & Answers:

There is NO definitive way to guarantee user uniqueness on the Internet.

There is no way of telling the difference between a bot and a real user.

Given current trends in computer vision and the captcha avoidance training, it would appear that captchas are no longer effective tools for identifying bots.

Behind any PAT (Port Address Translation) combined with NAT, the network structure hides the internal computers. There may be USERAGENT variations, specifying unique computers internally (assuming they were not faked).

But a set of twenty computers cloned from the same OS source, and behind a PAT, will appear almost identical; the ports will be different, given the randomization of source port mappings, and when compounded by the PAT translations, will still appear to an Internet web PHP server as a single computer.

Whether or not the user is the same one, the information cannot be established:

Cookies will only allow the identification of specific computers tied to specific browsers and specific users. If a user wanted to triple or quadruple… themselves, they are able to run different browsers (IE, Safari, Firefox, Chrome, and Opera) or multiple logins on the same computer (not to mention curl, wget and the many other access methods). It still fails to distinguish single users posing as multiple ones.

There are other network factors such as Tor exit points and proxy servers that further complicate the paradigm.

Given that humans tend towards the same browsing patterns, given enough data, this could be established as a probability that the users are the same, but even this probability could never be certain (not to mention the random bot patterns).

Logins have more of an effect on the “User Problem”. If you require each user to have a verified email login, you have more of a chance of a single user per login, especially if you exclude the common public email domains like hotmail.com and gmail.com and many more. Private domains are almost impossible to corroborate with distinct users. The percentage of trust increases with a well-established/known private domain (mit.edu as an example).

By way of conclusion, this goal of single user identification cannot be reasonably attained to any certainty from clients over the Internet.

There are mitigation techniques available, but, none is foolproof.

Answer:

Not consistently. When NAT is involved it’s best to avoid relying on IP addresses as identifying a specific client; instead consider using cookies to store a session ID for each client and using that information to distinguish between hosts (or user agents) which share a single IP.

Answer:

This might not have been true 4 years ago when this question was first asked. But now most of the internet has an IPv6 address. I know most people currently also have an IPv4 address as well. I would check the connection by the IPv6 address. With IPv6 addresses each machine is supposed to get a different IP address even though it is on the same network.

Use this code to verify you are working with an IPv6 address. And if you are, different devices should have different IP addresses.

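<?php
// Client-IP and X-Forwarded-For are request headers, so their values are
// supplied by the client or by intermediaries and can be forged.

// Address supplied in the Client-IP header (shared internet connection)
if (!empty($_SERVER['HTTP_CLIENT_IP']))
  {
    $ip_address = $_SERVER['HTTP_CLIENT_IP'];
  }
// Address supplied by a proxy in the X-Forwarded-For header
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
  {
    // The header may hold a comma-separated list; validate the first entry
    $ip_address = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
  }
// Address of the peer that connected to the web server
else
  {
    $ip_address = $_SERVER['REMOTE_ADDR'];
  }

// Sample value for trying out the check below. Left commented out so that
// the detected address, not this constant, is what gets validated.
// $ip_address = "2001:0db8:85a3:08d3:1319:8a2e:0370:7334";

// Validate ip as IPv6
if (filter_var($ip_address , FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
    echo("$ip_address is a valid IPv6 address");
} else {
    // The value failed validation and may be arbitrary header text: escape it
    echo(htmlspecialchars($ip_address) . " is not a valid IPv6 address");
}
?>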
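
An added example (not part of the answer above) that shows what an IPv6 address does and does not tell you about devices on one network. It assumes the common case of a /64 LAN prefix; all addresses are constructed from the 2001:db8::/32 documentation range, and because interface identifiers can rotate with temporary addresses, the per-network count is an upper bound on devices, not a user count.

```php
<?php
// Added example: split an IPv6 address into its /64 network prefix and its
// 64-bit interface identifier. The /64 boundary is an assumption.

function ipv6_parts(string $ip): ?array
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        return null; // IPv4 or malformed: no per-device information
    }
    $bin    = inet_pton($ip);                            // 16 raw bytes
    $prefix = substr($bin, 0, 8) . str_repeat("\0", 8);  // zero the low 64 bits
    return [
        'prefix64'  => inet_ntop($prefix) . '/64',       // shared by the LAN
        'interface' => bin2hex(substr($bin, 8, 8)),      // differs per address
    ];
}

// Group page hits by network and count distinct interface identifiers.
function devices_per_network(array $hits): array
{
    $seen = [];
    foreach ($hits as $ip) {
        $parts = ipv6_parts($ip);
        if ($parts === null) {
            continue; // cannot be split further, e.g. IPv4 behind NAT
        }
        $seen[$parts['prefix64']][$parts['interface']] = true;
    }
    return array_map('count', $seen); // string keys are preserved
}

// Constructed hit log: two addresses on one network (one seen twice),
// one address on another network, and one IPv4 client.
$hits = [
    '2001:db8:85a3:8d3:1319:8a2e:370:7334',
    '2001:db8:85a3:8d3:a1b2:c3d4:e5f6:1',
    '2001:db8:85a3:8d3:1319:8a2e:370:7334',
    '2001:db8:ffff:1::25',
    '203.0.113.7',
];
print_r(devices_per_network($hits));
```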

Answer:

Most forwarding routers/web proxies will put the originating IP address in the X-Forwarded-For header. With PHP, you can access this originating address via:

$_SERVER['HTTP_X_FORWARDED_FOR']

I should also mention that this header is perfectly likely to contain multiple addresses, as the request passes through additional routers/proxies. It’s up to you to figure out which address you’re actually interested in.

It’s also fairly trivial to forge the header.
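
One way to handle both points above, the multi-address list and the forgeable header, shown as an added example that is not part of the original answer. `resolve_client_ip()` and `TRUSTED_PROXIES` are hypothetical names, and all addresses are constructed; the idea is to honour X-Forwarded-For only when the connecting peer is a proxy you operate, and then read the list from the right.

```php
<?php
// Added example: resolve the client address without trusting forged headers.
// TRUSTED_PROXIES is an assumed list of reverse proxies you run yourself.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // constructed values

function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // The peer address comes from the TCP connection, not from a header.
    // If the peer is not one of our proxies, ignore X-Forwarded-For.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));

    // Each proxy appends the address it received the request from, so walk
    // the list right to left and stop at the first hop that is not ours.
    // Anything further left was supplied by the client and is untrusted.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // empty or malformed entry: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests: one arrives directly with a forged header, the
// other arrives through a trusted proxy with a forged leftmost entry.
$direct  = ['REMOTE_ADDR' => '203.0.113.7',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 198.51.100.23'];

echo resolve_client_ip($direct, TRUSTED_PROXIES), "\n";
echo resolve_client_ip($proxied, TRUSTED_PROXIES), "\n";
```

The address this returns still identifies a network edge, not a person: every client behind the same NAT resolves to the same value.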

Answer:

Your question is fairly vague and I can think of a few different ways this may be interpreted…

  1. Given you have multiple requests from people from the same external IP (i.e. they are on the same network), can you find their local IP address on that network? No. You can’t.
  2. Is it possible to find every machine on the local network (local to the server)? Yes – you could implement a network discovery. The absolute simplest way would probably be to open a socket on all possible local IPs and see what happens, and make your judgement based on that. A better method would probably be to PING each potential host; however, I don’t know of any system-inspecific way to do it, which means you may need to do some research for yourself as to what would be the best way.

If this doesn’t answer your question, please let me know what it is you are aiming to do and I will adjust my answer.

Answer:

So I have a log file for tracking my users on my site and I do something like this to get the IP:

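// Client-IP and X-Forwarded-For are request headers and can be forged;
// only REMOTE_ADDR comes from the connection itself.
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];           // Client-IP header
} else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];     // may be a comma-separated list
} else {
    $ip = $_SERVER['REMOTE_ADDR'];              // address of the connecting peer
}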

You could try tracking all of the three above, but in cases where users on the same network are appearing with one IP they will usually just have the last one; very few will show individual IPs, as it would probably be a security risk.

As for different users on the same network, I also try to track a session ID:

session_start(); // session_id() returns an empty string when no session is active
$session_id = session_id();

So even if the IP is the same for multiple users they should have different browsing sessions.

If you wanted to track the same user over multiple sessions you can try setting a unique cookie; then even if it is a new session the cookie on that user’s computer should still exist (presuming they haven’t cleared their cache etc.), but as you said in your question, if cookies are disabled this isn’t an option.