What is the most reliable way of obtaining the IP address of a remote client connecting to your website? Some options I've looked into are:

  • Server variables (such as REMOTE_ADDR in Apache), though this is usually the proxy address.
  • A Java applet, but IE (at least the one I'm using) seems to deny it.

The only other thing I'm thinking about is having the client connect over HTTPS, in which case the proxy should be bypassed (generally speaking), and so REMOTE_ADDR would be accurate.

Any ideas?

+1  A: 

Anything client-side (JavaScript, Java) will give you the PC's IP address, which could be an internal IP address like 10.0.0.1.

Re: SSL + REMOTE_ADDR, most workplace proxies send all the SSL through an application-level proxy; SOME just allow 443 outbound. Anything coming through a proxy will still give you the proxy address, as the proxy is still the computer making the connection to your web server.

russau
You mention JavaScript as an example, but you cannot obtain the local IP using JavaScript. Otherwise it would be possible to get the IP with JavaScript and AJAX it back to the server.
Steve M
I remember something about Tor leaking IP addresses via JavaScript. Very likely I remembered that wrong.
russau
No, that's only if the page refreshes or waits until after Tor is disabled. JavaScript is not able to fetch the local IP.
Steve M
+1  A: 

HTTPS through a proxy is still a possibility, if the proxy is non-transparent (say, with a client on a corporate network). With HTTPS through a proxy, the REMOTE_ADDR will still be the proxy address - the proxy is still in the path, it just only gets to see the encrypted traffic.

If the client is going through a proxy, you'll have to rely on the proxy telling you their IP. The X-Forwarded-For header will contain this, but you can only really rely on this if you trust the proxy. If this is for logging purposes, log both REMOTE_ADDR and X-Forwarded-For. If it's for something else, you'll need to maintain a whitelist of proxies (as determined by REMOTE_ADDR) that you'll accept X-Forwarded-For from.

caf
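
The proxy-whitelist approach from the answer above, as an added example (not code from the original thread). It goes one step beyond the answer by walking a multi-hop X-Forwarded-For chain from right to left, so entries a client prepends itself are never reached. The function name, the allowlist and all addresses are constructed assumptions (documentation ranges).

```python
import ipaddress

# Constructed allowlist: proxies we operate or explicitly trust (assumed values).
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def _is_trusted(addr):
    # A v4 address is never "in" a v6 network (and vice versa), so mixed lists are safe.
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, x_forwarded_for):
    """Return (ip_for_decisions, log_record).

    remote_addr is the TCP peer (REMOTE_ADDR); x_forwarded_for is the raw
    header value or None. The log record always keeps both raw values.
    """
    log_record = {"remote_addr": remote_addr, "x_forwarded_for": x_forwarded_for}
    peer = ipaddress.ip_address(remote_addr)

    # Header is only considered when the direct peer is an allowlisted proxy.
    if not x_forwarded_for or not _is_trusted(peer):
        return str(peer), log_record

    candidate = peer
    # Each proxy appends the address it saw, so the rightmost entries are the
    # ones written by our own proxies. Walk right to left and stop at the
    # first address that is not itself a trusted proxy.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could vouch for
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate), log_record


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For)
    for peer, xff in [("203.0.113.7", "10.0.0.1"),
                      ("192.0.2.10", "1.2.3.4, 203.0.113.50, 198.51.100.5")]:
        print(resolve_client_ip(peer, xff))
```

The returned address may still be a private one such as 10.0.0.1 when a trusted proxy fronts an internal network, which is why the log record keeps REMOTE_ADDR alongside the header.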