HTTP_X_FORWARDED_FOR ?

Is there any official documentation on Request.ServerVariables("HTTP_X_FORWARDED_FOR")?

Googling I've found everyone repeating the same information - claiming that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?

Some websites say you take the first IP address, others say loop through the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?

Thanks,

Vic


Sep 6 '06 #1

"Victor" <vi*@vic.com> wrote in message
news:u3**************@TK2MSFTNGP02.phx.gbl...
> Is there any official documentation on
> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>
> Googling I've found everyone repeating the same information - claiming that
> HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
> contains a value then it's the real IP address of the visitor.
>
> But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
> a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
> this:
>
> HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
> REMOTE_ADDR = IPaddress3
>
> where two IP addresses are separated by a comma. Of course, that entire string for
> HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?
>
> Some websites say you take the first IP address, others say loop through the addresses &
> see if one matches the Class B domain of the REMOTE_ADDR IP address...
>
> Ack!
>
> Is there any "official" docs on this?

The x-forwarded-for header is not a standard http header (hence the x-
prefix). It is an attempt by the big proxy server vendors to help ISPs
identify and block abusive IP addresses.

If there are two proxy servers between the client and your server you will
see two IP addresses in the x-forwarded-for header, the client's and one of
the proxy servers. As the request moves through a proxy server the IP
address of the requester is appended to the x-forwarded-for header. Hence the
first IP address will be the original client IP and there can be any number
of IP addresses depending on how many proxy servers it passes through.

Anthony.

> Thanks,
>
> Vic


Sep 7 '06 #2
"Anthony Jones" wrote...
> "Victor" wrote...
>> Is there any official documentation on
>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>>
>> Googling I've found everyone repeating the same information - claiming that
>> HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
>> contains a value then it's the real IP address of the visitor.
>>
>> But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
>> a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
>> this:
>>
>> HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
>> REMOTE_ADDR = IPaddress3
>>
>> where two IP addresses are separated by a comma. Of course, that entire string for
>> HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?
>>
>> Some websites say you take the first IP address, others say loop through the addresses &
>> see if one matches the Class B domain of the REMOTE_ADDR IP address...
>>
>> Ack!
>>
>> Is there any "official" docs on this?
>
> The x-forwarded-for header is not a standard http header (hence the x-
> prefix). It is an attempt by the big proxy server vendors to help ISPs
> identify and block abusive IP addresses.
>
> If there are two proxy servers between the client and your server you will
> see two IP addresses in the x-forwarded-for header, the client's and one of
> the proxy servers. As the request moves through a proxy server the IP
> address of the requester is appended to the x-forwarded-for header. Hence the
> first IP address will be the original client IP and there can be any number
> of IP addresses depending on how many proxy servers it passes through.
>
> Anthony.

Ah! So, if Request.ServerVariables("HTTP_X_FORWARDED_FOR") is not empty, and if it
contains a comma-separated list of IP addresses, then the very first IP address is the
user's real IP address? So, in my original example:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

the user's IP address is definitely IPaddress1?

Since it is not a standard, is there a draft document I can reference?

Thanks,

Vic

Sep 8 '06 #3
Victor wrote:
> HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
> REMOTE_ADDR = IPaddress3
>
> the user's IP address is definitely IPaddress1?

No. It *might* be, but there is no reason to assume so. That header is
easily spoofed, for one thing. For another, this content differs by proxy
type:

http://www.usemod.com/cgi-bin/mb.pl?AnonymousProxy

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Sep 8 '06 #4
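
The spoofing concern raised in the last reply, worked through as an added example that is not part of the thread: instead of taking the first entry, walk the list from the right, starting at REMOTE_ADDR, and stop at the first address that is not one of your own proxies. The trusted range 10.0.0.0/8, the function names and the sample addresses are constructed assumptions; the two string arguments correspond to REMOTE_ADDR and HTTP_X_FORWARDED_FOR.

```python
import ipaddress

# Assumption for this example: the only proxies we operate live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of our own proxy networks."""
    return any(addr in net for net in trusted)

def parse_xff(value):
    """Split the header into addresses; unparseable tokens become None."""
    hops = []
    for token in (value or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            hops.append(ipaddress.ip_address(token))
        except ValueError:
            hops.append(None)  # e.g. "unknown" or injected junk
    return hops

def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Return the most distant address that a trusted hop vouches for."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer, trusted):
        # The TCP peer is not our proxy, so the header is only the peer's claim.
        return peer
    candidate = peer
    # Each entry was appended by the hop to its right, so walk right to left.
    for hop in reversed(parse_xff(xff)):
        if hop is None:
            break  # stop at junk; keep the last verified address
        candidate = hop
        if not is_trusted(hop, trusted):
            break  # everything further left was supplied by this address
    return candidate

# Constructed sample requests: (REMOTE_ADDR, HTTP_X_FORWARDED_FOR)
SAMPLES = [
    ("10.0.0.5", "203.0.113.7"),              # one trusted proxy
    ("10.0.0.5", "203.0.113.7, 10.0.0.8"),    # two trusted proxies
    ("10.0.0.5", "192.0.2.1, 198.51.100.9"),  # client forged the first entry
    ("198.51.100.9", "192.0.2.1"),            # direct peer, header unverifiable
]

if __name__ == "__main__":
    for remote, xff in SAMPLES:
        print(f"{remote:>14} | {xff:<26} -> {client_ip(remote, xff)}")
```

In the third sample the first entry was sent by the client itself, so the function returns 198.51.100.9, the address the trusted proxy actually saw.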
