Security Implications of Request.ServerVariables ("REMOTE_ADDR") and Request.ServerVariables ("HTTP_X_FORWARDED_FOR")

Say we track the end user IP address for a web service:

' Prefer the proxy-supplied header; fall back to the connection address if it is absent.
ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If ip = "" Then
    ip = Request.ServerVariables("REMOTE_ADDR")
End If

I read that this is the best way to get the IP address of the end user, since it works even for users on a transparent proxy.

If we use the end user's IP address to filter out malicious users, are there any security implications for the above method, and not, say, just using Request.ServerVariables ("REMOTE_ADDR")?

For example, if we blocked an attacker by the IP address of the end user, could they easily change their IP address through a proxy server and continue using our web service?

Thanks in advance for your help.

+3
2 answers

REMOTE_ADDR is created by the web server based on the connection to the client. HTTP_X_FORWARDED_FOR is based on an HTTP header sent by the client.

You cannot trust inputs from the client, especially inputs that are easily falsified, such as HTTP headers. Clients can insert anything into the HTTP_X_FORWARDED_FOR header.

+9
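An added example, not from the question or either answer, showing the usual defensive handling of the two values: REMOTE_ADDR is taken as the only address the client cannot forge, and X-Forwarded-For is honoured only for the hops appended by proxies you operate, walking the chain from the right. The trusted proxy ranges and the sample addresses are constructed for the example; the logic is the same whether written in Python or in the classic ASP of the question.

```python
import ipaddress

# Constructed assumption: the reverse proxies we operate. Anything else is "the client".
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32"))


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(value):
    """Return an ip_address object, or None for anything that is not a valid address."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(remote_addr, x_forwarded_for=""):
    """Resolve the client address without trusting client-controlled header content."""
    addr = _parse(remote_addr)
    if addr is None or not _is_trusted(addr):
        # Direct connection or unknown proxy: the header is client-supplied, so ignore it.
        return str(addr) if addr else None
    # Each trusted proxy appended the address it saw; read right to left and stop at the
    # first address that is not one of our own proxies.
    hops = [h for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        hop_addr = _parse(hop)
        if hop_addr is None:
            # Malformed entry: everything left of it is untrustworthy, so stop here.
            break
        if not _is_trusted(hop_addr):
            return str(hop_addr)
        addr = hop_addr
    # Empty or fully-trusted chain: fall back to the nearest trusted address, which is
    # not the client but at least is not attacker-chosen.
    return str(addr)


if __name__ == "__main__":
    # Constructed requests: a direct client forging the header, then a proxied request
    # whose header carries a forged prefix followed by the address the proxy appended.
    print(client_ip("203.0.113.5", "1.2.3.4"))            # 203.0.113.5
    print(client_ip("10.0.0.1", "1.2.3.4, 203.0.113.5"))  # 203.0.113.5
```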

If users are behind a transparent proxy, then the above code will get their real IP address. If they use an anonymous proxy, though (for example, Anonymizer), then there really is no way to get the user's actual IP address.

0