472,352 Members | 1,531 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

home > topics > asp / active server pages > questions > http_x_forwarded_for ?

Join Bytes to post your question to a community of 472,352 software developers and data experts.

HTTP_X_FORWARDED_FOR ?

Is there any official documentation on Request.ServerVariables("HTTP_X_FORWARDED_FOR")

Googling I've found everyone repeating the same information - claiming that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what the correct IP?

Some websites say you take the first IP address, others say loop through the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?

Thanks,

Vic


Sep 6 '06 #1
3 33919

"Victor" <vi*@vic.comwrote in message
news:u3**************@TK2MSFTNGP02.phx.gbl...
Is there any official documentation on
Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>
Googling I've found everyone repeating the same information - claiming
that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and
that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes
HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP
addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire
string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what the correct IP?

Some websites say you take the first IP address, others say loop through
the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?
The x-forwarded-for header is not a standard http header (hence the x-
prefix). It is an attempt by the big proxy server vendors to help ISPs
identify and block abusive IP addresses.

If there are two proxy servers between the client and your server you will
see two IP addresses in the x-forwarded-for header, the clients and one of
the proxy servers. As the requests moves through a proxy server the IP
address of requester is append to the x-forwarded-for header. Hence the
first IP address will be the original client IP and there can be any number
of IP addresses depending on how many proxy servers it passes through.

Anthony.
Thanks,

Vic


Sep 7 '06 #2
"Anthony Jones" wrote...
>
"Victor" wrote...
Is there any official documentation on
Request.ServerVariables("HTTP_X_FORWARDED_FOR")

Googling I've found everyone repeating the same information - claiming that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and
that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes
HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP
addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire
string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what the correct IP?

Some websites say you take the first IP address, others say loop through
the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?

The x-forwarded-for header is not a standard http header (hence the x-
prefix). It is an attempt by the big proxy server vendors to help ISPs
identify and block abusive IP addresses.

If there are two proxy servers between the client and your server you will
see two IP addresses in the x-forwarded-for header, the clients and one of
the proxy servers. As the requests moves through a proxy server the IP
address of requester is append to the x-forwarded-for header. Hence the
first IP address will be the original client IP and there can be any number
of IP addresses depending on how many proxy servers it passes through.

Anthony.
Ah! So, if Request.ServerVariables("HTTP_X_FORWARDED_FOR") is not empty, and if it
contains a comma seperated list of IP addresses, then the very first IP address is the
user's real IP address? So, in my original example:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

the user's IP address is definitely IPaddress1?

Since it is not a standard, is there a draft document I can reference?

Thanks,

Vic

Sep 8 '06 #3
Victor wrote:
HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

the user's IP address is definitely IPaddress1?
No. It *might* be, but there is no reason to assume so. That header is
easily spoofed, for one thing. for another, this content differs by proxy
type:

http://www.usemod.com/cgi-bin/mb.pl?AnonymousProxy

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Sep 8 '06 #4
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

21
curly brackets necessary in php?
by: deko | last post by:
Do I need to use curly brackets in PHP if .. else statements? other constructs? Does it matter? What are Best Practices? Why? thanks in...
PHP
3
Accessed based off of IP...
by: StinkFinger | last post by:
All, There are certain scripts that I have that only I want to run, both from home and sometimes work. If I add something like this (below) to the...
PHP
7
Why is $_SERVER["REMOTE_ADDR"] returning multiple IP Addresses?
by: deko | last post by:
Why is $_SERVER returning multiple IP Addresses? Actually, I'm not sure if it's $_SERVER -- or which if/else statement -- that's the problem, but...
PHP
7
Client's IP address retrival
by: varungupta | last post by:
Hi Group members ! I want to know about a method for detecting client's IP which is running behind a proxy server. I have tried functions...
PHP
10
How to get a client's ip address with ASP.NET
by: Noopur | last post by:
I want to fetch client's ip address as soon as he accesses my web-site built in asp.net.Then i want to store it in my database. Is there any method...
ASP / Active Server Pages
2
Unknown IP address?
by: Steven Paul | last post by:
I'm using $ip = isset($_SERVER) ? $_SERVER : $_SERVER; to get a visitor's IP address, but every once in a while I get "unknown, unknown"...
PHP
7
Is there a way to find IP address?
by: Lad | last post by:
Normaly I can log user's IP address using os.environ . If a user is behind a proxy, I will log proxy's IP address only. Is there a way how to...
Python
6
Source of the user
by: Bob Bedford | last post by:
Hi all, We are having serious problem with scammers on our website To avoid this, we would like not to allow some countries to access our site....
PHP
7
Obtain real IP address of client
by: Brian Cryer | last post by:
What I'm looking for is a way to tell if two sessions are from the same physical PC or from different PCs (within the same organisation say). This...
ASP.NET
0
Hyperconverged All-in-One Streaming Engine, ushering in new age for distributed database
by: antdb | last post by:
Ⅰ. Advantage of AntDB: hyper-convergence + streaming processing engine In the overall architecture, a new "hyper-convergence" concept was...
General
0
How to layout php header location with a variable as the location?
by: Matthew3360 | last post by:
Hi there. I have been struggling to find out how to use a variable as my location in my header redirect function. Here is my code. ...
PHP
0
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computer
by: AndyPSV | last post by:
HOW CAN I CREATE AN AI with an .executable file that would suck all files in the folder and on my computerHOW CAN I CREATE AN AI with an .executable...
General
0
How do I view Redshift db tables in Alteryx
by: Arjunsri | last post by:
I have a Redshift database that I need to use as an import data source. I have configured the DSN connection using the server, port, database, and...
General
0
hi
by: WisdomUfot | last post by:
It's an interesting question you've got about how Gmail hides the HTTP referrer when a link in an email is clicked. While I don't have the specific...
General
0
PHP Curl Not wanting to connect to localhost.
by: Matthew3360 | last post by:
Hi, I have been trying to connect to a local host using php curl. But I am finding it hard to do this. I am doing the curl get request from my web...
PHP
0
One of the easiest ways to set the background color of Excel documents in Java
by: Carina712 | last post by:
Setting background colors for Excel documents can help to improve the visual appeal of the document and make it easier to read and understand....
General
0
BLUEPANDA
Join our open community on Discord to learn programming, SEO, and marketing
by: BLUEPANDA | last post by:
At BluePanda Dev, we're passionate about building high-quality software and sharing our knowledge with the community. That's why we've created a SaaS...
General
0
Mastering Python: A Versatile Programming Language for All
by: Rahul1995seven | last post by:
Introduction: In the realm of programming languages, Python has emerged as a powerhouse. With its simplicity, versatility, and robustness, Python...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2023
About Bytes
Advertise
Terms Of Use
Privacy Policy

Sitemap

Follow us! Get the Latest Bytes Updates