Depend on IP to view restricted page?

[m002.p]

Hi

Anyone know whether or how secure depending on a viewers IP is to then either get access to a restricted page or not?

I have a MYSQL table with up to date member IP's where in a php file I use this code to either enable access or deny it.

PHP Code:

// Declare IP Variable
$ip = $_SERVER['REMOTE_ADDR'];

// MYSQL Permission Check

$usercheck = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE ip='".$ip."' AND now()-session < 1800 AND (rank='9' || rank = '10' || rank='11')"));

if (empty($usercheck))
{
header("Location: denied.php");
}

if (!empty($usercheck))
{
mysql_query("UPDATE distags SET session=NOW() WHERE ip='".$ip."'");
} 


So how secure is the above code? I have a few pages running it which I want restricted and all works well.

However, from a secure PHP point of view, is it possible for someone to fake the users ip, find it out, or just gain access to the restricted page without fufilling the requirement?

Thanks for any constructive advice.

Matt

[Dismounted]

Would it be possible to gain access without actually being the user? Yes. One possibility is someone getting assigned the same IP fairly quickly. Most ISPs issue dynamic IPs. Another possibility is that even when the user has logged out, the computer would still have access to the page.

Is there something stopping you from doing a proper session check?

[m002.p]

As I thought sadly.

I would do the normal session check however unfortunetly I do not know or cannot find a secure way of doing it.

Could you advise please?

Thanks Dismounted.

[Dismounted]

As long as the two sites are on the same server, you can include global.php, this will do all the checking for you.

[blayke]

It is not hard to spoof an IP address and all it takes to find out someone's IP is social engineering or a file transfer over aim or msn.

[m002.p]

I agree blayke, but for my requirements it would be easier said then done