What is the real IP address of the site visitor?

Discussion in 'ASP General' started by Toni, Jun 10, 2009.

  1. Toni

    Toni Guest

    With available variables such as

    Request.ServerVariables("REMOTE_ADDR")
    Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    Request.ServerVariables("HTTP_VIA")

    Can anyone tell me, how do I get the visitor's REAL IP address?
     
    Toni, Jun 10, 2009
    #1
    1. Advertising

  2. Toni

    Bob Barrows Guest

    Toni wrote:
    > With available variables such as
    >
    > Request.ServerVariables("REMOTE_ADDR")
    > Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    > Request.ServerVariables("HTTP_VIA")
    >
    > Can anyone tell me, how do I get the visitor's REAL IP address?


    Reliably? you probably can't. There is nothing that forces the browser to
    supply such information.

    --
    Microsoft MVP - ASP/ASP.NET - 2004-2007
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows, Jun 11, 2009
    #2
    1. Advertising

  3. Toni

    Adrienne Guest

    Gazing into my crystal ball I observed Bob Barrows writing in
    <>:

    > Toni wrote:
    >> With available variables such as
    >>
    >> Request.ServerVariables("REMOTE_ADDR")
    >> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >> Request.ServerVariables("HTTP_VIA")
    >>
    >> Can anyone tell me, how do I get the visitor's REAL IP address?

    >
    > Reliably? you probably can't. There is nothing that forces the browser
    > to supply such information.




    And even if you can get the IP address, you do not know if is coming
    from someone who uses AOL or another service where everyone gets the
    same IP address. IP addresses are not that reliable - although Google is
    returning local results based on IP address.


    --
    Adrienne Boswell at Home
    Arbpen Web Site Design Services http://www.cavalcade-of-coding.info
    Please respond to the group so others can share
     
    Adrienne, Jun 11, 2009
    #3
  4. Toni

    Tim Slattery Guest

    "Bob Barrows" <> wrote:

    >Toni wrote:
    >> With available variables such as
    >>
    >> Request.ServerVariables("REMOTE_ADDR")
    >> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >> Request.ServerVariables("HTTP_VIA")
    >>
    >> Can anyone tell me, how do I get the visitor's REAL IP address?

    >
    >Reliably? you probably can't. There is nothing that forces the browser to
    >supply such information.


    There has to be SOME address for the web server to send its response
    to, which is REMOTE_ADDR. That may well be the address of an NAT
    router, which is servicing several computers which have non-routable
    addresses known only to that router. If that's the case, there's no
    way you can get it, and it wouldn't be meaningful anyway.

    Also, many (most?) ISPs use dynamic IP addresses, so a particular
    address may be assigned to different people at different times.

    --
    Tim Slattery
    MS MVP(Shell/User)

    http://members.cox.net/slatteryt
     
    Tim Slattery, Jun 11, 2009
    #4
  5. Toni

    Toni Guest

    "Bob Barrows" wrote...
    > Toni wrote:
    >> With available variables such as
    >>
    >> Request.ServerVariables("REMOTE_ADDR")
    >> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >> Request.ServerVariables("HTTP_VIA")
    >>
    >> Can anyone tell me, how do I get the visitor's REAL IP address?

    >
    > Reliably? you probably can't. There is nothing that forces the browser to supply such
    > information.


    Then, what is the BEST way to get the user's IP address?
     
    Toni, Jun 15, 2009
    #5
  6. Toni

    Bob Barrows Guest

    Toni wrote:
    > "Bob Barrows" wrote...
    >> Toni wrote:
    >>> With available variables such as
    >>>
    >>> Request.ServerVariables("REMOTE_ADDR")
    >>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >>> Request.ServerVariables("HTTP_VIA")
    >>>
    >>> Can anyone tell me, how do I get the visitor's REAL IP address?

    >>
    >> Reliably? you probably can't. There is nothing that forces the
    >> browser to supply such information.

    >
    > Then, what is the BEST way to get the user's IP address?


    a) Ask him. The biggest drawback to this approach is the user might not know
    what what you mean by "real" ip address and even if he does, he might not
    know his ip address.

    b) Persuade him to let you install an ActiveX control on his machine to
    provide the address via WMI.

    c) You might be able to run a batch command or access WMI using an HTML
    application (.hta)

    I've no experience doing any of these so someone else will have to continue
    help ing you here if any of these are possible.

    I used to see a piece of javascript that purported to return the user's ip
    address, but I have no idea how reliable that really was. Hmm, I've done a
    google search and all the scripts I've found use the REMOTE_ADDR
    servervariable which you cited above. So we're back to square one. That
    variable will _sometime_ contain the user's real ip address. Other times, it
    won't. Sorry.


    --
    Microsoft MVP - ASP/ASP.NET - 2004-2007
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"
     
    Bob Barrows, Jun 15, 2009
    #6
  7. Toni

    Adrienne Guest

    Gazing into my crystal ball I observed Toni writing in
    <>:

    > With available variables such as
    >
    > Request.ServerVariables("REMOTE_ADDR")
    > Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    > Request.ServerVariables("HTTP_VIA")
    >
    > Can anyone tell me, how do I get the visitor's REAL IP address?


    As others have said, there is no reliable way to get the real ip address,
    especially if the users are using a service like AOL.

    The question is, why do you need the user's real IP address? What do you
    really need to do?


    --
    Adrienne Boswell at Home
    Arbpen Web Site Design Services
    http://www.cavalcade-of-coding.info
    Please respond to the group so others can share
     
    Adrienne, Jun 15, 2009
    #7
  8. Toni

    Toni Guest

    "Bob Barrows" wrote...
    > Toni wrote:
    >> "Bob Barrows" wrote...
    >>> Toni wrote:
    >>>> With available variables such as
    >>>>
    >>>> Request.ServerVariables("REMOTE_ADDR")
    >>>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >>>> Request.ServerVariables("HTTP_VIA")
    >>>>
    >>>> Can anyone tell me, how do I get the visitor's REAL IP address?
    >>>
    >>> Reliably? you probably can't. There is nothing that forces the
    >>> browser to supply such information.

    >>
    >> Then, what is the BEST way to get the user's IP address?

    >
    > a) Ask him. The biggest drawback to this approach is the user might not know what what
    > you mean by "real" ip address and even if he does, he might not know his ip address.


    Yeah. Sure.


    >
    > b) Persuade him to let you install an ActiveX control on his machine to provide the
    > address via WMI.


    Not an option.

    >
    > c) You might be able to run a batch command or access WMI using an HTML application
    > (.hta)
    >
    > I've no experience doing any of these so someone else will have to continue help ing
    > you here if any of these are possible.
    >
    > I used to see a piece of javascript that purported to return the user's ip address,
    > but I have no idea how reliable that really was. Hmm, I've done a google search and
    > all the scripts I've found use the REMOTE_ADDR servervariable which you cited above.
    > So we're back to square one. That variable will _sometime_ contain the user's real ip
    > address. Other times, it won't. Sorry.


    I've got a piece of javascript that returns the MAC address of the user's Ethernet
    address. It's intrusive as hell, but it works.

    Presently, I check HTTP_X_FORWARDED_FOR and if it's not null, I pull the first IP
    address in the list. If it is null, I use REMOTE_ADDR. I find that this works 90% of the
    time. I was just curious if anyone had more experience than me with this. I guess not.
     
    Toni, Jun 15, 2009
    #8
  9. Toni

    Toni Guest

    "Adrienne" wrote...
    > Gazing into my crystal ball I observed Toni writing
    >
    >> With available variables such as
    >>
    >> Request.ServerVariables("REMOTE_ADDR")
    >> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >> Request.ServerVariables("HTTP_VIA")
    >>
    >> Can anyone tell me, how do I get the visitor's REAL IP address?

    >
    > As others have said, there is no reliable way to get the real ip address,
    > especially if the users are using a service like AOL.


    Not true. See my other post.

    > The question is, why do you need the user's real IP address? What do you
    > really need to do?


    The reasons are endless!
     
    Toni, Jun 15, 2009
    #9
  10. Toni wrote on Sun, 14 Jun 2009 22:34:02 -0400:

    > "Adrienne" wrote...
    >> Gazing into my crystal ball I observed Toni writing


    >>> With available variables such as


    >>> Request.ServerVariables("REMOTE_ADDR")
    >>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >>> Request.ServerVariables("HTTP_VIA")


    >>> Can anyone tell me, how do I get the visitor's REAL IP address?


    >> As others have said, there is no reliable way to get the real ip
    >> address, especially if the users are using a service like AOL.


    > Not true. See my other post.


    >> The question is, why do you need the user's real IP address? What do
    >> you really need to do?


    > The reasons are endless!


    Really? What use is the internal IP address of a visitor where they are
    using a non-routable address behind a NAT device?

    Generally I find it's enough to use REMOTE_ADDR for my own sites, as this is
    the address the user's connection is currently being routed from. I
    sometimes will also check the following:

    HTTP_X_FORWARDED_FOR
    HTTP_CLIENT_IP
    HTTP_X_FORWARD_FOR
    HTTP_FORWARD_FOR
    HTTP_X_FORWARD
    HTTP_VIA

    But I don't just use these blindly - I will use both the REMOTE_ADDR and any
    found above that are not IANA non-routable addresses for checking against
    various tables (such as IP blacklists and country lookups). I certainly
    wouldn't say that the information from these is better than REMOTE_ADDR in
    99% of cases, and in many cases may well cause problems - for instance, you
    blacklist an address such as 192.168.1.1 and then find that a large
    proportion of your visitor base is blocked from access.

    What do you consider the real IP address to be? The one currently assigned
    to the visitors PC? The one assigned to their router/modem? The one assigned
    to their NAT device/proxy? All of these are "real", depending on how the
    visitor's connection is configured, but generally only the router/modem and
    NAT (if there is one) are of any use to you.

    --
    Dan
     
    Daniel Crichton, Jun 15, 2009
    #10
  11. Toni

    Toni Guest

    "Daniel Crichton" wrote...
    > Toni wrote on Sun, 14 Jun 2009 22:34:02 -0400:
    >
    >> "Adrienne" wrote...
    > >> Gazing into my crystal ball I observed Toni writing

    >
    > >>> With available variables such as

    >
    > >>> Request.ServerVariables("REMOTE_ADDR")
    > >>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    > >>> Request.ServerVariables("HTTP_VIA")

    >
    > >>> Can anyone tell me, how do I get the visitor's REAL IP address?

    >
    > >> As others have said, there is no reliable way to get the real ip
    > >> address, especially if the users are using a service like AOL.

    >
    >> Not true. See my other post.

    >
    > >> The question is, why do you need the user's real IP address? What do
    > >> you really need to do?

    >
    >> The reasons are endless!

    >
    > Really? What use is the internal IP address of a visitor where they are using a
    > non-routable address behind a NAT device?
    >
    > Generally I find it's enough to use REMOTE_ADDR for my own sites, as this is the
    > address the user's connection is currently being routed from. I sometimes will also
    > check the following:
    >
    > HTTP_X_FORWARDED_FOR
    > HTTP_CLIENT_IP
    > HTTP_X_FORWARD_FOR
    > HTTP_FORWARD_FOR
    > HTTP_X_FORWARD
    > HTTP_VIA


    THANK YOU for this list - it is what I was looking for - I am going to start logging
    this information so I can look for patterns.

    >
    > But I don't just use these blindly - I will use both the REMOTE_ADDR and any found
    > above that are not IANA non-routable addresses for checking against various tables
    > (such as IP blacklists and country lookups). I certainly wouldn't say that the
    > information from these is better than REMOTE_ADDR in 99% of cases, and in many cases
    > may well cause problems - for instance, you blacklist an address such as 192.168.1.1
    > and then find that a large proportion of your visitor base is blocked from access.
    >
    > What do you consider the real IP address to be? The one currently assigned to the
    > visitors PC? The one assigned to their router/modem? The one assigned to their NAT
    > device/proxy? All of these are "real", depending on how the visitor's connection is
    > configured, but generally only the router/modem and NAT (if there is one) are of any
    > use to you.
    >
    > --
    > Dan


    To get back to your original post: AOL dialup has gone the way of the dinosaur, it is
    non-existent. As far as AOL broadband, I can speak to a membership site I have with
    thousands of users and none are from AOL.

    Second, the IP address that is as close to the visitor as possible, is the one I want.
    I need to uniquely identify certain visitors, partly to discover their country of
    origin. I do a reverse DNS to identify them and the COMPANY they are from. One example
    is I'm working with a very large company to put information on the web that is only
    accessible to their employees. I need to uniquely identify their employees, and I can
    partially do this via the companies registered range of IP addresses. (Their IT
    department is totally uncooperative - they consider themselves "keepers of the secrets"
    and refuse to discuss how their network works, even with corporate execs, which is one
    reason why I've been contracted to do this)

    Daniel, thank you for the thoroughness of your answer - it is clear to me that you
    understand the subject. I've learned a lot.
     
    Toni, Jun 15, 2009
    #11
  12. Toni

    Bob Barrows Guest

    Toni wrote:
    > To get back to your original post: AOL dialup has gone the way of the
    > dinosaur, it is non-existent.


    No, that is not at all true. My mother-in-law still uses it. She is far
    from the only one still using it.


    --
    HTH,
    Bob Barrows
     
    Bob Barrows, Jun 15, 2009
    #12
  13. Toni wrote on Mon, 15 Jun 2009 12:19:32 -0400:

    > "Daniel Crichton" wrote...
    >> Toni wrote on Sun, 14 Jun 2009 22:34:02 -0400:


    >>> "Adrienne" wrote...
    >>>> Gazing into my crystal ball I observed Toni writing


    >>>>> With available variables such as


    >>>>> Request.ServerVariables("REMOTE_ADDR")
    >>>>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    >>>>> Request.ServerVariables("HTTP_VIA")


    >>>>> Can anyone tell me, how do I get the visitor's REAL IP address?


    >>>> As others have said, there is no reliable way to get the real ip
    >>>> address, especially if the users are using a service like AOL.


    >>> Not true. See my other post.


    >>>> The question is, why do you need the user's real IP address? What
    >>>> do you really need to do?


    >>> The reasons are endless!


    >> Really? What use is the internal IP address of a visitor where they
    >> are using a non-routable address behind a NAT device?


    >> Generally I find it's enough to use REMOTE_ADDR for my own sites, as
    >> this is the address the user's connection is currently being routed
    >> from. I sometimes will also check the following:


    >> HTTP_X_FORWARDED_FOR
    >> HTTP_CLIENT_IP
    >> HTTP_X_FORWARD_FOR
    >> HTTP_FORWARD_FOR
    >> HTTP_X_FORWARD
    >> HTTP_VIA


    > THANK YOU for this list - it is what I was looking for - I am going to
    > start logging this information so I can look for patterns.



    >> But I don't just use these blindly - I will use both the REMOTE_ADDR
    >> and any found above that are not IANA non-routable addresses for
    >> checking against various tables (such as IP blacklists and country
    >> lookups). I certainly wouldn't say that the information from these
    >> is better than REMOTE_ADDR in 99% of cases, and in many cases may
    >> well cause problems - for instance, you blacklist an address such as
    >> 192.168.1.1 and then find that a large proportion of your visitor
    >> base is blocked from access.


    >> What do you consider the real IP address to be? The one currently
    >> assigned to the visitors PC? The one assigned to their router/modem?
    >> The one assigned to their NAT device/proxy? All of these are "real",
    >> depending on how the visitor's connection is configured, but
    >> generally only the router/modem and NAT (if there is one) are of any
    >> use to you.


    >> --
    >> Dan


    > To get back to your original post: AOL dialup has gone the way of the
    > dinosaur, it is non-existent. As far as AOL broadband, I can speak to
    > a membership site I have with thousands of users and none are from
    > AOL.


    This is the first post I've made in this thread - and I never mentioned AOL
    ;)

    And I run 6 e-commerce sites, and we have loads of AOL users. Plus I have
    run a few forum sites, and there are plenty on those too.

    > Second, the IP address that is as close to the visitor as possible, is
    > the one I want. I need to uniquely identify certain visitors, partly to
    > discover their
    > country of origin. I do a reverse DNS to identify them and the COMPANY
    > they are from.


    Reverse DNS is not very efficient from a performance point of view. I use a
    Geo IP database to determine the country of origin, this is much faster than
    reverse DNS and I have it automatically updated on a daily basis.

    > One example is I'm working with a very large company to put information
    > on the web that is only accessible to their employees. I need to uniquely
    > identify their employees, and I can partially do this via the companies
    > registered range of IP addresses. (Their IT department is totally
    > uncooperative - they consider themselves "keepers of the secrets"
    > and refuse to discuss how their network works, even with corporate
    > execs, which is one reason why I've been contracted to do this)


    Personally I would suggest to that IT department that they consider the use
    of client side certificates, or a VLAN where the access can be controlled
    much more closely. Relying on IP addresses alone is often the start of a
    recipe for disaster. I'm assuming that you're also using client login
    credentials on this site, and using NTLM/Kerberos as opposed to Basic auth,
    along with SSL to help prevent sniffing login credentials over the wire?

    > Daniel, thank you for the thoroughness of your answer - it is clear to
    > me that you understand the subject. I've learned a lot.


    Glad to hear I could help. I've spent 14 years building e-commerce sites for
    the company I work for, and the past 4 years running my own forum sites, and
    I've picked up a lot in that time. The IP tracking I do is mostly for the
    e-commerce systems to help identify country of origin as part of the fraud
    checks on ordering, and also to flag up potential known fraudsters - I don't
    block just on the IP address, but flagging orders for further manual checks
    goes a long way to helping combat fraud.

    --
    Dan
     
    Daniel Crichton, Jun 16, 2009
    #13
  14. Toni

    Toni Guest

    "Daniel Crichton" wrote...
    :
    > Glad to hear I could help. I've spent 14 years building e-commerce sites for the
    > company I work for, and the past 4 years running my own forum sites, and I've picked
    > up a lot in that time. The IP tracking I do is mostly for the e-commerce systems to
    > help identify country of origin as part of the fraud checks on ordering, and also to
    > flag up potential known fraudsters - I don't block just on the IP address, but
    > flagging orders for further manual checks goes a long way to helping combat fraud.


    This is the other project I'm also doing, which is preventing fraud. I'll sometimes get
    emails from my site notifying me that someone is attempting to do things they are not
    supposed to do, and so I'll set a block on their IP address.
     
    Toni, Jun 19, 2009
    #14
  15. Toni

    Evertjan. Guest

    Toni wrote on 19 jun 2009 in microsoft.public.inetserver.asp.general:
    > This is the other project I'm also doing, which is preventing fraud.
    > I'll sometimes get emails from my site notifying me that someone is
    > attempting to do things they are not supposed to do, and so I'll set a
    > block on their IP address.


    ... which shows you are not aware,

    that "professional" hackers use another ip every attempt, and even within
    an attempt often switch ip.

    that you could block many many other and honest users of that ip address,
    like for instance mobile users via G3/umts like connections, hotspot
    connections, etc.

    that the best way to prevent intrusion is continual analyzing and reparing
    weak spots in your website.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Jun 20, 2009
    #15
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Shige
    Replies:
    1
    Views:
    834
    Munsifali Rashid
    Jan 13, 2004
  2. brett

    Getting IP address of visitor?

    brett, Nov 7, 2006, in forum: ASP .Net
    Replies:
    9
    Views:
    857
    Mark Rae
    Nov 7, 2006
  3. bushi
    Replies:
    13
    Views:
    1,597
    Juan T. Llibre
    Apr 22, 2007
  4. PP

    Visitor IP Address

    PP, Jan 6, 2010, in forum: ASP .Net
    Replies:
    1
    Views:
    401
    bruce barker
    Jan 6, 2010
  5. Morris Neuman

    Visitor's IP Address

    Morris Neuman, Jun 30, 2009, in forum: ASP .Net Web Controls
    Replies:
    4
    Views:
    828
    Morris Neuman
    Jul 2, 2009
Loading...

Share This Page