What is the real IP address of the site visitor?

[Toni]

With available variables such as

Request.ServerVariables("REMOTE_ADDR")
Request.ServerVariables("HTTP_X_FORWARDED_FOR")
Request.ServerVariables("HTTP_VIA")

Can anyone tell me, how do I get the visitor's REAL IP address?

 

[Bob Barrows]

With available variables such as

Request.ServerVariables("REMOTE_ADDR")
Request.ServerVariables("HTTP_X_FORWARDED_FOR")
Request.ServerVariables("HTTP_VIA")

Can anyone tell me, how do I get the visitor's REAL IP address?

Reliably? you probably can't. There is nothing that forces the browser to
supply such information.

 

[Adrienne]

Gazing into my crystal ball I observed Bob Barrows writing in

Reliably? you probably can't. There is nothing that forces the browser
to supply such information.

And even if you can get the IP address, you do not know if is coming
from someone who uses AOL or another service where everyone gets the
same IP address. IP addresses are not that reliable - although Google is
returning local results based on IP address.

 

[Tim Slattery]

Reliably? you probably can't. There is nothing that forces the browser to
supply such information.

There has to be SOME address for the web server to send its response
to, which is REMOTE_ADDR. That may well be the address of an NAT
router, which is servicing several computers which have non-routable
addresses known only to that router. If that's the case, there's no
way you can get it, and it wouldn't be meaningful anyway.

Also, many (most?) ISPs use dynamic IP addresses, so a particular
address may be assigned to different people at different times.

 

[Toni]

Reliably? you probably can't. There is nothing that forces the browser to supply such
information.

Then, what is the BEST way to get the user's IP address?

 

[Bob Barrows]

...

Then, what is the BEST way to get the user's IP address?

a) Ask him. The biggest drawback to this approach is the user might not know
what what you mean by "real" ip address and even if he does, he might not
know his ip address.

b) Persuade him to let you install an ActiveX control on his machine to
provide the address via WMI.

c) You might be able to run a batch command or access WMI using an HTML
application (.hta)

I've no experience doing any of these so someone else will have to continue
help ing you here if any of these are possible.

I used to see a piece of javascript that purported to return the user's ip
address, but I have no idea how reliable that really was. Hmm, I've done a
google search and all the scripts I've found use the REMOTE_ADDR
servervariable which you cited above. So we're back to square one. That
variable will _sometime_ contain the user's real ip address. Other times, it
won't. Sorry.

 

[Adrienne]

Gazing into my crystal ball I observed Toni writing in

With available variables such as

Request.ServerVariables("REMOTE_ADDR")
Request.ServerVariables("HTTP_X_FORWARDED_FOR")
Request.ServerVariables("HTTP_VIA")

Can anyone tell me, how do I get the visitor's REAL IP address?

As others have said, there is no reliable way to get the real ip address,
especially if the users are using a service like AOL.

The question is, why do you need the user's real IP address? What do you
really need to do?

 

[Toni]

a) Ask him. The biggest drawback to this approach is the user might not know what what
you mean by "real" ip address and even if he does, he might not know his ip address.

Yeah. Sure.

b) Persuade him to let you install an ActiveX control on his machine to provide the
address via WMI.

Not an option.

c) You might be able to run a batch command or access WMI using an HTML application
(.hta)

I've no experience doing any of these so someone else will have to continue help ing
you here if any of these are possible.

I used to see a piece of javascript that purported to return the user's ip address,
but I have no idea how reliable that really was. Hmm, I've done a google search and
all the scripts I've found use the REMOTE_ADDR servervariable which you cited above.
So we're back to square one. That variable will _sometime_ contain the user's real ip
address. Other times, it won't. Sorry.

I've got a piece of javascript that returns the MAC address of the user's Ethernet
address. It's intrusive as hell, but it works.

Presently, I check HTTP_X_FORWARDED_FOR and if it's not null, I pull the first IP
address in the list. If it is null, I use REMOTE_ADDR. I find that this works 90% of the
time. I was just curious if anyone had more experience than me with this. I guess not.

 

[Toni]

Gazing into my crystal ball I observed Toni writing


As others have said, there is no reliable way to get the real ip address,
especially if the users are using a service like AOL.

Not true. See my other post.

The question is, why do you need the user's real IP address? What do you
really need to do?

The reasons are endless!

 

[Daniel Crichton]

Toni wrote on Sun, 14 Jun 2009 22:34:02 -0400:

"Adrienne" wrote...

Not true. See my other post.

The reasons are endless!

Really? What use is the internal IP address of a visitor where they are
using a non-routable address behind a NAT device?

Generally I find it's enough to use REMOTE_ADDR for my own sites, as this is
the address the user's connection is currently being routed from. I
sometimes will also check the following:

HTTP_X_FORWARDED_FOR
HTTP_CLIENT_IP
HTTP_X_FORWARD_FOR
HTTP_FORWARD_FOR
HTTP_X_FORWARD
HTTP_VIA

But I don't just use these blindly - I will use both the REMOTE_ADDR and any
found above that are not IANA non-routable addresses for checking against
various tables (such as IP blacklists and country lookups). I certainly
wouldn't say that the information from these is better than REMOTE_ADDR in
99% of cases, and in many cases may well cause problems - for instance, you
blacklist an address such as 192.168.1.1 and then find that a large
proportion of your visitor base is blocked from access.

What do you consider the real IP address to be? The one currently assigned
to the visitors PC? The one assigned to their router/modem? The one assigned
to their NAT device/proxy? All of these are "real", depending on how the
visitor's connection is configured, but generally only the router/modem and
NAT (if there is one) are of any use to you.

 

[Toni]

Toni wrote on Sun, 14 Jun 2009 22:34:02 -0400:




Really? What use is the internal IP address of a visitor where they are using a
non-routable address behind a NAT device?

Generally I find it's enough to use REMOTE_ADDR for my own sites, as this is the
address the user's connection is currently being routed from. I sometimes will also
check the following:

HTTP_X_FORWARDED_FOR
HTTP_CLIENT_IP
HTTP_X_FORWARD_FOR
HTTP_FORWARD_FOR
HTTP_X_FORWARD
HTTP_VIA

THANK YOU for this list - it is what I was looking for - I am going to start logging
this information so I can look for patterns.

But I don't just use these blindly - I will use both the REMOTE_ADDR and any found
above that are not IANA non-routable addresses for checking against various tables
(such as IP blacklists and country lookups). I certainly wouldn't say that the
information from these is better than REMOTE_ADDR in 99% of cases, and in many cases
may well cause problems - for instance, you blacklist an address such as 192.168.1.1
and then find that a large proportion of your visitor base is blocked from access.

What do you consider the real IP address to be? The one currently assigned to the
visitors PC? The one assigned to their router/modem? The one assigned to their NAT
device/proxy? All of these are "real", depending on how the visitor's connection is
configured, but generally only the router/modem and NAT (if there is one) are of any
use to you.

To get back to your original post: AOL dialup has gone the way of the dinosaur, it is
non-existent. As far as AOL broadband, I can speak to a membership site I have with
thousands of users and none are from AOL.

Second, the IP address that is as close to the visitor as possible, is the one I want.
I need to uniquely identify certain visitors, partly to discover their country of
origin. I do a reverse DNS to identify them and the COMPANY they are from. One example
is I'm working with a very large company to put information on the web that is only
accessible to their employees. I need to uniquely identify their employees, and I can
partially do this via the companies registered range of IP addresses. (Their IT
department is totally uncooperative - they consider themselves "keepers of the secrets"
and refuse to discuss how their network works, even with corporate execs, which is one
reason why I've been contracted to do this)

Daniel, thank you for the thoroughness of your answer - it is clear to me that you
understand the subject. I've learned a lot.

 

[Bob Barrows]

To get back to your original post: AOL dialup has gone the way of the
dinosaur, it is non-existent.

No, that is not at all true. My mother-in-law still uses it. She is far
from the only one still using it.

 

[Daniel Crichton]

Toni wrote on Mon, 15 Jun 2009 12:19:32 -0400:

"Daniel Crichton" wrote...

THANK YOU for this list - it is what I was looking for - I am going to
start logging this information so I can look for patterns.

To get back to your original post: AOL dialup has gone the way of the
dinosaur, it is non-existent. As far as AOL broadband, I can speak to
a membership site I have with thousands of users and none are from
AOL.

This is the first post I've made in this thread - and I never mentioned AOL


And I run 6 e-commerce sites, and we have loads of AOL users. Plus I have
run a few forum sites, and there are plenty on those too.

Second, the IP address that is as close to the visitor as possible, is
the one I want. I need to uniquely identify certain visitors, partly to
discover their
country of origin. I do a reverse DNS to identify them and the COMPANY
they are from.

Reverse DNS is not very efficient from a performance point of view. I use a
Geo IP database to determine the country of origin, this is much faster than
reverse DNS and I have it automatically updated on a daily basis.

One example is I'm working with a very large company to put information
on the web that is only accessible to their employees. I need to uniquely
identify their employees, and I can partially do this via the companies
registered range of IP addresses. (Their IT department is totally
uncooperative - they consider themselves "keepers of the secrets"
and refuse to discuss how their network works, even with corporate
execs, which is one reason why I've been contracted to do this)

Personally I would suggest to that IT department that they consider the use
of client side certificates, or a VLAN where the access can be controlled
much more closely. Relying on IP addresses alone is often the start of a
recipe for disaster. I'm assuming that you're also using client login
credentials on this site, and using NTLM/Kerberos as opposed to Basic auth,
along with SSL to help prevent sniffing login credentials over the wire?

Daniel, thank you for the thoroughness of your answer - it is clear to
me that you understand the subject. I've learned a lot.

Glad to hear I could help. I've spent 14 years building e-commerce sites for
the company I work for, and the past 4 years running my own forum sites, and
I've picked up a lot in that time. The IP tracking I do is mostly for the
e-commerce systems to help identify country of origin as part of the fraud
checks on ordering, and also to flag up potential known fraudsters - I don't
block just on the IP address, but flagging orders for further manual checks
goes a long way to helping combat fraud.

 

[Toni]

...
:

Glad to hear I could help. I've spent 14 years building e-commerce sites for the
company I work for, and the past 4 years running my own forum sites, and I've picked
up a lot in that time. The IP tracking I do is mostly for the e-commerce systems to
help identify country of origin as part of the fraud checks on ordering, and also to
flag up potential known fraudsters - I don't block just on the IP address, but
flagging orders for further manual checks goes a long way to helping combat fraud.

This is the other project I'm also doing, which is preventing fraud. I'll sometimes get
emails from my site notifying me that someone is attempting to do things they are not
supposed to do, and so I'll set a block on their IP address.

 

[Evertjan.]

Toni wrote on 19 jun 2009 in microsoft.public.inetserver.asp.general:

This is the other project I'm also doing, which is preventing fraud.
I'll sometimes get emails from my site notifying me that someone is
attempting to do things they are not supposed to do, and so I'll set a
block on their IP address.

... which shows you are not aware,

that "professional" hackers use another ip every attempt, and even within
an attempt often switch ip.

that you could block many many other and honest users of that ip address,
like for instance mobile users via G3/umts like connections, hotspot
connections, etc.

that the best way to prevent intrusion is continual analyzing and reparing
weak spots in your website.