
HTTP_X_FORWARDED_FOR ?

Is there any official documentation on Request.ServerVariables("HTTP_X_FORWARDED_FOR")?

Googling I've found everyone repeating the same information - claiming that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?

Some websites say you take the first IP address, others say loop through the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?

Thanks,

Vic


Sep 6 '06 #1
The x-forwarded-for header is not a standard http header (hence the x-
prefix). It is an attempt by the big proxy server vendors to help ISPs
identify and block abusive IP addresses.

If there are two proxy servers between the client and your server you will
see two IP addresses in the x-forwarded-for header, the client's and one of
the proxy servers. As the request moves through a proxy server the IP
address of the requester is appended to the x-forwarded-for header. Hence the
first IP address will be the original client IP and there can be any number
of IP addresses depending on how many proxy servers it passes through.

Anthony.
Sep 7 '06 #2
Ah! So, if Request.ServerVariables("HTTP_X_FORWARDED_FOR") is not empty, and if it
contains a comma-separated list of IP addresses, then the very first IP address is the
user's real IP address? So, in my original example:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

the user's IP address is definitely IPaddress1?

Since it is not a standard, is there a draft document I can reference?

Thanks,

Vic

Sep 8 '06 #3
Victor wrote:
> HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
> REMOTE_ADDR = IPaddress3
>
> the user's IP address is definitely IPaddress1?

No. It *might* be, but there is no reason to assume so. That header is
easily spoofed, for one thing. For another, this content differs by proxy
type:

http://www.usemod.com/cgi-bin/mb.pl?AnonymousProxy

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Sep 8 '06 #4
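
The spoofing caveat in the last reply, as an added example that is not part of the original thread: REMOTE_ADDR is the only value that comes from the connection itself, so the list is walked from the right and an entry is believed only while the hop that reported it is a proxy you operate. It is written in Python rather than classic ASP to keep the address handling short; `TRUSTED_PROXIES`, the function names and every sample address are constructed assumptions.

```python
import ipaddress

# Assumption: networks of the proxies / load balancers you operate yourself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    """True when addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address to log or rate-limit on.

    The header is ignored unless the peer that connected to us is a trusted
    proxy. Otherwise the list is read right (nearest hop) to left (farthest),
    stopping at the first address that is not one of our proxies.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not is_trusted(peer):
        return str(peer)  # direct connection, or header set by an unknown party

    current = peer
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            candidate = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # "unknown", hostnames, garbage: nothing further is usable
        current = candidate
        if not is_trusted(candidate):
            break  # first address outside our control; entries to its left are unverified
    return str(current)


# Constructed samples: (REMOTE_ADDR, HTTP_X_FORWARDED_FOR)
SAMPLES = [
    ("198.51.100.23", "192.0.2.99"),             # untrusted peer sends its own header
    ("10.0.0.5", "203.0.113.7"),                 # one trusted proxy in front
    ("10.0.0.5", "192.0.2.99, 203.0.113.7"),     # client forged the first entry
    ("10.0.0.5", "203.0.113.7, 10.0.0.9"),       # two trusted proxies chained
]

if __name__ == "__main__":
    for remote, xff in SAMPLES:
        print(f"{remote:15} {xff:28} -> {client_ip(remote, xff)}")
```

In the third sample the first entry is whatever the client chose to send; only the entry appended by the trusted proxy is used.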
