I have a web form that needs to act differently if the request to that form came from an internal network address or from a public IP address. I'm trying within my web form to determine if the request is from an internal network IP. Can I reliably do this, or can clients fake their source IP? Can I trust the information contained in Request.UserHostAddress?
views:
48answers:
2
+1
A:
No, you can't unfortunately. It's pretty trivial to construct an HTTP request with spoofed headers.
womp
2009-12-02 19:55:08
+1
A:
IP Spoofing is basically possible: Wikipedia but has limited use (as far as I understand, it is very hard to actually pull any data that way)
Best thing would of course be to route/restrict traffic on firewall or proxy level (establish a rule that allows local traffic only going to your site) to create maximum security.
Pekka
2009-12-02 19:55:47
Your suggestion would be ideal, except that (if I understand your meaning properly) as impled in the OP the website must accept public requests, as it is a public website.
Matt Hamsmith
2009-12-02 21:26:17