IPv6 to IPv4 or How This Really Works in PHP

OK, I agree with you on some subjects, but some questions were raised about you; also, you helped me to make my admin area 1000% more secure. I use the two-account login system now: log in as a regular user to a regular user account that has an admin unique parameter. And after logging in to the account I can see the admin login at /admin (no more 404 error page), so now I can enter admin logins and access the admin area (so two accounts need to be active to browse admin).

Anyways, I removed the IP access, it’s deprecated in future anyways. I don’t get that if I want to add extra IP security anywhere, you say it is pointless and doesn’t do any good for the security?

Nothing is 100% secure, but you can add EXTRA (additional) security, for example through IP or any other means, from hiding through extra passwords etc., why not?

If a hacker gets through the IP system, the next step is the login system, so at least he needs to crack the IP system before he can start cracking the login system. It’s called EXTRA security: don’t make hackers’ lives easier, but harder, using any means possible. If I talk about IPs, I talk about an additional security option.

You are only one login away from accessing your admin commands, and people use the same login page as admins? I have also seen these sites…

If your users somehow crack your script like:
Some little script hole, like if your admin account is using the same MySQL table as a regular user, old script. It would be a security risk, because all accounts can update the table.

And this is one of the security issues why I use separate admin controls and a db table or both. Programmed online shopping carts and other widely used scripts are actually not as secure as they can make them, because they need to make everything as simple as possible for the clients.

IP isn’t a safe thing, nothing like that, it never has been a safe solution, it’s more like a forced solution against SPAM. No other option is possible; sessions and cookies are more pointless than IPs in the subject of preventing SPAM and user abuse.

If you have any means that are better than IP monitoring (not talking about account security in this case), please let me know.

I think the thing with IP is that it’s not intended to be used for security, it’s purely there on a network level to enable the various hosts to talk to each other. As soon as anyone noticed a massive take-up of internet access, and therefore a massive take-up of allocated IP addresses, some people started working on a way to expand the address range (which became IP v6) and lots of others worked on ways to crank out a bit more life from the existing protocol because it would be ages before a new one is working and implemented. So this leads to dynamic IP addresses, IP sharing, tunnelling, VPNs and all sorts of things that don’t take into account what kind of stuff people might use the IP for outside of its intended use.

I’ve done IP-based things myself in the past, I’ve been in the position you’re in, for example in our office system I’d figure out what default printer to send stuff to based on the user’s client IP address. Worked great until someone decided to replace all the individual PCs with a single terminal server, and now they all report the same IP. The point is, you need to be sure you’re in total control of the stuff you’re using for security and validation.


You’re not getting the point. As @droopsnoot has said above, IP addresses were NEVER meant to be part of security. It was NEVER supposed to be used for it either. You keep saying “additional security”, but what “additional security” does it make if it’s the first in line and someone “cracks” (in your own words) it? I don’t understand the benefits this system of yours has. Other than being an annoyance to you in the end, I find no use for it at all.

Again, you are wrong. You only see 1 part of the pie and it’s the crust you are only looking at. My system requires a user to have a stronger password than

password123

You are required to have at least

  • One capital letter.
  • One numeric character.
  • One special character.
  • Password has to be no less than 8 characters.

So if you were to try to rainbow table my system, you would have to basically try and brute force it. Simply because I use up-to-date codes, which I highly doubt you are. Probably using md5 or something for your password encryption.

Again, you fail to have a basic grasp of PHP. A user can’t simply “update the table” at will. You HAVE to be the admin in order to ACTUALLY update tables. And simply trying to “crack” an admin password is not as simple as you think because again, my password requirements are much stronger than you think. And there are more than 1 billion ways of setting up a password using my requirements.

Oh right, but wait. You’re probably going to ask “But can’t a user hijack another user’s account and simply do that with an admin account and gain admin access?”

And the answer is no. If the regular user tries to use something like a cookie manager or cookie cutter to modify the ID that they are set on on their end, they get logged off right away. This is to avoid any account hijacking.

What “extra passwords” are you even talking about? Putting passwords in hidden fields on screen is a major security risk as it intentionally gives the attacker a clear target to hit. You mentioned in the first couple of posts above that you can “display anything you want in the URL”. This also is not a safe way to deal with any password authentication, because if the attacker sees anything that is client side, they can manipulate it as they see fit.


Again, this coming from someone who used to be as green as you in PHP. I changed my ways because I was hacked once using the same system you are proposing right now. And you keep ignoring the fact this IS NOT an “additional security” as you put it. This is just another way to put the hassle on you when you change service providers.
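The post above does not say how its system notices a modified ID cookie. One common way to get that behaviour, shown here as an added example that is not code from this thread: the server signs the ID with an HMAC and logs the user off when the signature no longer matches. The function names, cookie layout and the sample IDs are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: builds the cookie value "<id>.<hex HMAC of id>".
function signUserId(int $userId, string $key): string
{
    return $userId . '.' . hash_hmac('sha256', (string) $userId, $key);
}

// Hypothetical helper: returns the user ID if the cookie is intact, null otherwise.
function verifyUserCookie(string $cookie, string $key): ?int
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || preg_match('/^[1-9][0-9]*$/', $parts[0]) !== 1) {
        return null; // malformed value: treat it as tampering
    }
    [$id, $mac] = $parts;
    $expected = hash_hmac('sha256', $id, $key);
    // hash_equals() compares in constant time, so the check leaks no timing hints.
    return hash_equals($expected, $mac) ? (int) $id : null;
}

// Hypothetical request handler: any cookie that fails verification ends the login.
function handleRequest(?string $cookie, string $key): string
{
    $userId = $cookie === null ? null : verifyUserCookie($cookie, $key);
    if ($userId === null) {
        // A real application would also destroy the session and clear the cookie here.
        return 'logged_out';
    }
    return 'user:' . $userId;
}

// Constructed demo. The key is random per run here; a real site loads a fixed
// secret from server-side configuration that is never sent to the client.
$key = random_bytes(32);

$cookie   = signUserId(42, $key);        // what the server set at login
$tampered = '1' . substr($cookie, 2);    // client rewrites ID 42 to 1, keeps the old MAC

echo handleRequest($cookie, $key), PHP_EOL;
echo handleRequest($tampered, $key), PHP_EOL;
echo handleRequest('42', $key), PHP_EOL; // signature stripped entirely
```

Keeping the ID only in the server-side session (`$_SESSION`) and sending the client nothing but the session identifier avoids the problem altogether; signing matters when the value has to live in the cookie itself.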

I personally agree with your saying that in PHP “users can’t just update the table” or scripts be “cracked” like that, but some people disagree, and are super cautious.

Please try to make fewer assumptions, you think too much in the wrong direction. You don’t get the primary point here, the big picture: you can use many ways, use one way or no way, you decide. I am done explaining…

Thank you all
