Is there a way to find IP address?

Lad wrote:

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

</F>

Fredrik Lundh wrote:

Lad wrote:

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

</F>

Hello Fredrik,
Thank you for your reply.
How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.
Thank you for your reply
L.

"Lad" <py****@hope.czwrote:

>
Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

Not reliably, but why would you want to? That IP address is not reachable
from your server anyway.
--
- Tim Roberts, ti**@probo.com
Providenza & Boekelheide, Inc.

On 09/15/2006 Lad wrote:

How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.

Because it is a header that is added by the proxy. This header has (or
should have) no role in the proces of relaying the request by the proxy.
It is just politely added by the proxy to make it possible to identify
for who the request is forwarded. So the proxy might add anything it
likes, or nothing at all if it is an anonymizing proxy.

Winfried

"Lad" <py****@hope.czwrote:

>Fredrik Lundh wrote:

>Lad wrote:

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

Hello Fredrik,
Thank you for your reply.
How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.

No, but HTTP headers are just text. A client can put whatever it wants in
them.
--
- Tim Roberts, ti**@probo.com
Providenza & Boekelheide, Inc.

>Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .

>If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

Yep, you should only use "HTTP_X_FORWARDED_FOR" if you trust the proxy and
you check that the request is indeed coming from it
(if environ["REMOTE_ADDR"] in proxy_list).
--
damjan

Normaly I can log user's IP address using os.environ["REMOTE_ADDR"] .
If a user is behind a proxy, I will log proxy's IP address only.
Is there a way how to find a real IP user's address?

os.environ["HTTP_X_FORWARDED_FOR"]

(but that can easily be spoofed, and is mostly meaningless if the user
uses local IP addresses at the other side of the proxy, so you should
use it with care)

How can be HTTP_X_FORWARDED_FOR easily spoofed? I thought that IP
address is not possible change.

I can setup my browser to always send you a fake HTTP_X_FORWARDED_FOR
header.

--
damjan