I read somewhere they said that HTTP_X_FORWARDED_FOR is not a trusted variables when you want to log the user's IP because they can change that. Is it real? And how?
Thanks a lot!
I read somewhere they said that HTTP_X_FORWARDED_FOR is not a trusted variables when you want to log the user's IP because they can change that. Is it real? And how?
Thanks a lot!
The proxy used can set this header to anything it wants to, and therefore you can't trust its value. Most proxies do set the correct value though. This header is mostly used by caching proxies, and in those cases you're in control of the proxy and can thus verify that is gives you the correct information. In all other cases its value should be considered untrustworthy. Read more on the Wikipedia article about X-Forwarded-For
.