B2B authorization/authentication with IP and username/password

Discussion in 'ASP General' started by c676228, Feb 18, 2009.

  1. c676228

    c676228 Guest

    Hi all,

    When sending data for our server to process (via request and response B2B),
    one of our clients wants us to implement a combination of IP address and
    username/password to guarantee that no other entity can call the API to
    impersonate the client. I am wondering why this needs to be restricted since
    nobody will give sales credits to somebody else.

    If there are many good reasons to do so, what is the easiest/good way to
    implement it?
    --
    Betty
    c676228, Feb 18, 2009
    #1

  2. c676228

    Steven Cheng Guest

    Hi Betty,

    From your description, you're encountering a problem with implementing a
    username/password + IP authentication component for your client application
    which will communicate with a B2B server, correct?

    Based on my experience, there are some public standard authentication
    schemas that are used in many distributed communication components such as
    WCF, webservice. I'm not sure whether the authentication schema you
    mentioned is one of them. Is it possible for your service side to provide
    some more information about the authentication schema?

    If there is anything I've omitted, please feel free to let me know.

    Regards,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

    Steven Cheng, Feb 19, 2009
    #2

  3. c676228

    c676228 Guest

    Hi Steve,

    I like the way that you always confirm the question before you answer my
    questions.

    First of all, my B2B application is very simple. I usually call it a
    simplified B2B application. It doesn't use ASP.NET, it is classic ASP. Second,
    it doesn't use SOAP. It is just a simple request/response web application (the
    request/response data are in XML format, transported via HTTPS). Third, it
    doesn't interact with various platforms and it doesn't have any authentication
    schema. In this case, I don't know what authentication schema I should use or
    if it is feasible or not?
    Our client sends us a data file(customers' purchase data) in XML format and
    our web application just processes the credit card/data and delivers the
    confirmation.

    WCF/Webservice might be too complicated for this small application?
    Is there any other simplified authentication implementation?


    --
    Betty


    c676228, Feb 19, 2009
    #3
  4. c676228

    Steven Cheng Guest

    Thanks for your reply Betty,

    Well, so based on your further description, I think so far there is no hard
    requirement on the authentication schema and your application is just a
    service which will accept some input (may contain credit card and some other
    data) from client consumers over HTTP.

    As you mentioned that the HTTPS protocol will be used, is it used for all the
    conversation between the client and your service (those involving sensitive
    data transfer)? If so, I think using HTTPS/SSL transport layer protection
    is enough and you can just define a custom XML format for the
    authentication info. For example, you can let the client consumer supply
    the username/password info as part of the entire HTTP message, e.g.

    ===========
    <Message>
    ....other data

    <authentication>
    <username>....</username>
    <password>...</password>
    .....
    =============

    and you just rely on the HTTPS transport layer to help provide the message
    security. Are there any other concerns on this?

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng, Feb 20, 2009
    #4
  5. c676228

    c676228 Guest

    Steve,

    Thanks.
    That's the way I am thinking too, but I also want to check the IP from our
    client (not visitors'/users' IPs) who makes the request (submits the data). But
    I am not sure whether the code:

    Request.ServerVariables("REMOTE_ADDR")

    is returning the client's IP address or the visitor's IP.

    Assuming our client has a static IP and I want to get this IP every time a
    request is made. If it is the IP we expected, then our server processes it.
    Sounds like a possible solution?
    --
    Betty


    c676228, Feb 20, 2009
    #5
  6. c676228

    Steven Cheng Guest

    Thanks for your reply Betty,

    Well, as for the "Assuming our client has a static IP", do you mean that
    there is no intermediate proxy or NAT protection? If so, I think you can
    use "Request.ServerVariables("REMOTE_ADDR")" to get the IP of the client's
    machine (running the browser). Otherwise, if there is any potential
    proxy server between the client and your server,
    "Request.ServerVariables("REMOTE_ADDR")" is not quite reliable.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng, Feb 23, 2009
    #6
  7. c676228

    c676228 Guest

    Steve,

    If "Request.ServerVariables("REMOTE_ADDR")" is not quite reliable,
    I am not going to use it then.

    If there is a proxy or NAT protection, then there is no way I can tell
    what is our client server's IP addresses?

    Are there any other ways?

    --
    Betty


    c676228, Feb 23, 2009
    #7
  8. "c676228" <> wrote in message
    news:...
    > Steve,
    >
    > If "Request.ServerVariables("REMOTE_ADDR")" is not quite reliable,
    > I am not going to use it then.
    >
    > If there is a proxy or NAT protection, then there is no way I can tell
    > what is our client server's IP addresses?
    >
    > Is there any other ways?
    >


    To clarify, typically your client will be using a static public IP address
    to access the internet; it's this IP address that is seen by your network.
    Some ISPs providing access to the internet to private individuals have
    resorted to proxy/NAT solutions so that multiple subscribers may be seen as
    a single IP address by the rest of the world, but that is rare and highly
    unlikely for corporate subscribers.

    So the issue really is with your own network: if you have a reverse proxy on
    your network between your web server and your public internet access, then
    your web server may see the internal IP address of the proxy rather than the
    true address of the external client.

    Hence if you do not have a reverse proxy, in all likelihood REMOTE_ADDR is
    the public IP address of your client.

    Note you can configure security by restricting access to specific IP
    addresses on the security tab of a file or directory in IIS manager, so it
    may be that you needn't write code to do this.

    --
    Anthony Jones - MVP ASP/ASP.NET
    Anthony Jones, Feb 24, 2009
    #8
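
The two checks discussed in posts #4 and #8 (credentials carried in the XML message, plus a source-address check that only looks past REMOTE_ADDR when the TCP peer is your own reverse proxy), combined in one added example that is not code from any poster in this thread. It is written in Python rather than classic ASP to show the logic; the client name, password, addresses, proxy address, the X-Forwarded-For header (assumed to be appended by your own proxy) and the PBKDF2 password hash are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the server never stores the partner's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed partner registry (assumption): one entry per B2B client, holding
# the networks that client is allowed to call from and its password hash.
CLIENTS = {
    "acme-orders": {
        "salt": b"constructed-salt-1",
        "pw_hash": hash_password("constructed-Passw0rd!", b"constructed-salt-1"),
        "networks": [ipaddress.ip_network("203.0.113.10/32")],
    },
}

# Address of our own reverse proxy (assumption); empty set if there is none.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed request in the shape sketched in post #4.
SAMPLE_REQUEST = (
    b"<Message><order id='constructed-1'>...</order>"
    b"<authentication><username>acme-orders</username>"
    b"<password>constructed-Passw0rd!</password></authentication></Message>"
)


def effective_client_ip(remote_addr, forwarded_for=None):
    """Return the address to test against the allowlist.

    remote_addr is the TCP peer (REMOTE_ADDR). A forwarded header is only
    believed when that peer is our own proxy, and then only its right-most
    entry, the one our proxy appended. Anything a caller sends is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer in TRUSTED_PROXIES and forwarded_for:
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def authenticate(xml_body: bytes, remote_addr: str, forwarded_for=None):
    """Return (allowed, reason). The reason is for server logs, not the caller."""
    # Partner messages have no need for a DTD; refusing one avoids entity tricks.
    if b"<!DOCTYPE" in xml_body.upper():
        return (False, "malformed-request")
    try:
        root = ET.fromstring(xml_body)
        source_ip = effective_client_ip(remote_addr, forwarded_for)
    except (ET.ParseError, ValueError):
        return (False, "malformed-request")

    username = root.findtext("authentication/username")
    password = root.findtext("authentication/password")
    if not username or not password:
        return (False, "bad-credentials")

    # Hash even for unknown users so both failure paths cost the same time.
    record = CLIENTS.get(username)
    salt = record["salt"] if record else b"unknown-user-salt"
    expected = record["pw_hash"] if record else bytes(32)
    candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, expected):
        return (False, "bad-credentials")

    # Both factors must pass: valid credentials from the wrong network are refused.
    if not any(source_ip in net for net in record["networks"]):
        return (False, "ip-not-allowed")
    return (True, "ok")


if __name__ == "__main__":
    print(authenticate(SAMPLE_REQUEST, "203.0.113.10"))
    print(authenticate(SAMPLE_REQUEST, "198.51.100.7", "203.0.113.10"))
```

With no reverse proxy in front of the web server, leave the trusted-proxy set empty and the check reduces to comparing REMOTE_ADDR with the client's registered address.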
  9. c676228

    Steven Cheng Guest

    Thanks for your reply Betty,

    I'm afraid that for an HTTP/HTML-based web application, there are not many
    good means for us to get the exact (reliable) IP of the client side. If this
    is very critical for your server application (those that want to acquire some
    important or sensitive data) on the client side, the common approach is to use
    a rich client component (e.g. an ActiveX control). That's also what all the
    online banking or e-business systems use.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng, Feb 24, 2009
    #9
  10. c676228

    c676228 Guest

    Thank you so much Anthony. That's very good information.
    --
    Betty


    c676228, Feb 27, 2009
    #10
  11. c676228

    c676228 Guest

    Steve,

    I will keep that in mind. Thanks for your input. I will post some other
    questions on ASP.NET soon. Keep an eye out there. :))
    --
    Betty


    c676228, Feb 27, 2009
    #11
  12. c676228

    Steven Cheng Guest

    Thanks for your followup Betty,

    Have a nice day!

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead
    --------------------

    >From: c676228 <>
    >Subject: RE: B2B authorization/authentication with IP and username/password
    >Date: Fri, 27 Feb 2009 11:54:07 -0800
    >
    >Steve,
    >
    >I will keep that in mind. Thanks for your input. I will post some other
    >questions on asp.net soon. Keep an eye out there. :))
    >--
    >Betty
    >
    >
    >""Steven Cheng"" wrote:
    >
    >> Thanks for your reply Betty,
    >>
    >> I'm afraid for http html based web application, there is no much good means
    >> for us to get the exact IP (reliable) of client-side. If this is very
    >> critical for your server application(those want to acquire some important
    >> or sensitive data) on client-side, the common approach is use rich client
    >> component(e.g. ActiveX control). That's also what all the online banking or
    >> ebusiness system use.
    >>
    >> Sincerely,
    >>
    >> Steven Cheng
    >>
    >> Microsoft MSDN Online Support Lead
    >>
    >>
    >>
    >> --------------------
    >> >From: c676228 <>
    >> >Subject: RE: B2B authorization/authentication with IP and username/password
    >> >Date: Mon, 23 Feb 2009 09:16:07 -0800
    >> >
    >> >Steve,
    >> >
    >> >If "Request.ServerVariables("REMOTE_ADDR")" is not quite reliable,
    >> >I am not going to use it then.
    >> >
    >> >If there is a proxy or NAT protection, then there is no way I can tell
    >> >what is our client server's IP addresses?
    >> >
    >> >Is there any other ways?
    >> >
    >> >--
    >> >Betty
    >> >
    >> >
    >> >""Steven Cheng"" wrote:
    >> >
    >> >> Thanks for your reply Betty,
    >> >>
    >> >> Well, as for the "Assuming our client has a static IP", do you mean that
    >> >> there is no intermediate proxy or NAT protection? If so, I think you can
    >> >> use "Request.ServerVariables("REMOTE_ADDR")" to get the client's
    >> >> machine(running the browser)'s IP. Otherwise, if there is any potential
    >> >> proxy server between the client and your server,
    >> >> "Request.ServerVariables("REMOTE_ADDR")" is not quite reliable.
    >> >>
    >> >> Sincerely,
    >> >>
    >> >> Steven Cheng
    >> >>
    >> >> Microsoft MSDN Online Support Lead
    >> >>
    Steven Cheng, Mar 2, 2009
    #12
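
The exchange quoted above turns on how far REMOTE_ADDR can be trusted once a proxy sits in the path. As an added example (not part of the thread, and written in Python rather than ASP), here is an IP-plus-password check in which `remote_addr` stands for the REMOTE_ADDR value. The `CLIENTS` table, `TRUSTED_PROXIES`, the `X-Forwarded-For` handling and every address and password are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data; addresses come from documentation ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # our own reverse proxies
SALT = b"constructed-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

CLIENTS = {"acme": {"pw_hash": _hash("constructed-password"),
                    "networks": [ipaddress.ip_network("203.0.113.0/28")]}}
DUMMY_HASH = _hash("no-such-account")

def _in_any(ip, networks):
    return any(ip in net for net in networks)

def caller_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to authorize against.

    remote_addr is the TCP peer, i.e. what REMOTE_ADDR reports. X-Forwarded-For
    is caller-supplied text, so it is read only when the peer is one of our own
    proxies, and then only its right-most hop that is not a trusted proxy.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            return peer  # malformed header: fall back to the proxy address
        if not _in_any(ip, TRUSTED_PROXIES):
            return ip
    return peer

def authorize(username, password, remote_addr, x_forwarded_for=None):
    """Both checks must pass: the credentials and that account's source network."""
    client = CLIENTS.get(username)
    # Always hash and compare, so unknown usernames take the same code path.
    expected = client["pw_hash"] if client else DUMMY_HASH
    pw_ok = hmac.compare_digest(_hash(password), expected)
    if client is None or not pw_ok:
        return False
    return _in_any(caller_ip(remote_addr, x_forwarded_for), client["networks"])
```

A caller behind NAT is seen as its NAT egress address, so that is the address the client would need to register for the allowlist.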