PHP Web Services – Authentication Based on Client’s IP

Same as web pages, web services also sometime require  client authentication. The most frequent way of authentication is the use of WS-Security Username token which authenticate clients based on the username and passwords. There can be situations where clients need to be authenticated based on its IP or its domain.

If you are writing web services from PHP (Using some PHP web service framework like WSF/PHP), You can use the PHP variables, $_SERVER[“REMOTE_ADDR”] and $_SERVER[“REMOTE_HOST”] to find the clients ip within the service logic code. If the client’s IP is static you can directly use the $_SERVER[“REMOTE_ADDR”] and if it is dynamic you can use the $_SERVER[“REMOTE_HOST”] which will be derived by reverse DNS look of the clients IP.

Here is one example of the use of these $_SERVER[] variables inside service logic.

function members_only_func($in_message) {

    // getting the clients IP.
    $remote_addr = $_SERVER["REMOTE_ADDR"];

    if($remote_addr == "" ||
       $remote_addr == "") {
       // generates the message for authenticated clients.

       return $valid_out_message;

    // otherwise throw an exception
    throw new WSFault("Sender", "Failed to Authenticate");

$operations = array("membersOnlyOp" => "members_only_func");

$service = new WSService(array("operations" => $operations));

This entry was posted in php, SOA, Tutorial/Guide, web services, wsf/php, wso2 and tagged , , , , , , . Bookmark the permalink.

6 Responses to PHP Web Services – Authentication Based on Client’s IP

  1. Nabeel says:

    This comment is not directly related what you are pointing out in this entry. However, it may serve as a precautionary measure. In the absent of filtering at routers/firewalls, this method is vulnerable to IP spoofing attacks. Therefore, in such situations IP based authentication should not be used as a replacement to other authentication methods, such as WS-Sec username-token, but rather as a complement if the operation being protected is very sensitive.

  2. dimuthu says:

    Hi Nabeel,
    Thanks for the note.
    I think I got what you are pointing out. Server possibly determine the source IP from the header of the IP packet, which can be easily regenerated with a fake source IP by some attacker.
    Here I was answering to the problem asked in the forum, I will mention your note in there too.


  3. nik says:

    hi Dimuthu You have done good job for Ip based authentication.
    But here I have done using username password based authentication.
    You can check it from this link.


  4. Mangal says:

    Hi Dimuthu,

    Thanks for writing the article.

    Dimuthu, as Nabeel says that IP based authentication can be spoofed what happen if we restrict the access of our webservice by apache access control also. Is this add some more security?

    Please suggest, i am waiting your reply.


  5. dimuthu says:

    Sure. If apache access control is used, you can avoid IP spoofing attacks. If you are using WSF/PHP you can use username token, that would do authentication in application level with more control. See here,

  6. Mangal says:

    Thank you, Dimuthu,

    I am using PEAR::SOAP in our application that’s why can’t use your “authentication by username token”. if you have any other idea to secure PEAR::SOAP web-service then please update me. it will help me lot.

    Thank you

Leave a Reply

Your email address will not be published. Required fields are marked *