Home All Groups Group Topic Archive Search About

What is the real IP address of the site visitor?

microsoft.public.inetserver.asp.general
Author
10 Jun 2009 10:56 PM
Toni
With available variables such as

Request.ServerVariables("REMOTE_ADDR")
Request.ServerVariables("HTTP_X_FORWARDED_FOR")
Request.ServerVariables("HTTP_VIA")

Can anyone tell me, how do I get the visitor's REAL IP address?

Author
11 Jun 2009 12:33 AM
Bob Barrows
Toni wrote:
> With available variables such as
>
> Request.ServerVariables("REMOTE_ADDR")
> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
> Request.ServerVariables("HTTP_VIA")
>
> Can anyone tell me, how do I get the visitor's REAL IP address?

Reliably? you probably can't. There is nothing that forces the browser to
supply such information.

--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Are all your drivers up to date? click for free checkup

Author
11 Jun 2009 2:22 AM
Adrienne
Gazing into my crystal ball I observed Bob Barrows writing in
<ugX13wi6JHA.5***@TK2MSFTNGP04.phx.gbl>:

> Toni wrote:
>> With available variables such as
>>
>> Request.ServerVariables("REMOTE_ADDR")
>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>> Request.ServerVariables("HTTP_VIA")
>>
>> Can anyone tell me, how do I get the visitor's REAL IP address?
>
> Reliably? you probably can't. There is nothing that forces the browser
> to supply such information.



And even if you can get the IP address, you do not know if is coming
from someone who uses AOL or another service where everyone gets the
same IP address.  IP addresses are not that reliable - although Google is
returning local results based on IP address.


--
Adrienne Boswell at Home
Arbpen Web Site Design Services http://www.cavalcade-of-coding.info
Please respond to the group so others can share
Author
11 Jun 2009 12:57 PM
Tim Slattery
"Bob Barrows" <reb01501@NOyahoo.SPAMcom> wrote:

>Toni wrote:
>> With available variables such as
>>
>> Request.ServerVariables("REMOTE_ADDR")
>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>> Request.ServerVariables("HTTP_VIA")
>>
>> Can anyone tell me, how do I get the visitor's REAL IP address?
>
>Reliably? you probably can't. There is nothing that forces the browser to
>supply such information.

There has to be SOME address for the web server to send its response
to, which is REMOTE_ADDR. That may well be the address of an NAT
router, which is servicing several computers which have non-routable
addresses known only to that router. If that's the case, there's no
way you can get it, and it wouldn't be meaningful anyway.

Also, many (most?) ISPs use dynamic IP addresses, so a particular
address may be assigned to different people at different times.

--
Tim Slattery
MS MVP(Shell/User)
Slatter***@bls.gov
http://members.cox.net/slatteryt
Author
14 Jun 2009 11:09 PM
Toni
"Bob Barrows" wrote...
> Toni wrote:
>> With available variables such as
>>
>> Request.ServerVariables("REMOTE_ADDR")
>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>> Request.ServerVariables("HTTP_VIA")
>>
>> Can anyone tell me, how do I get the visitor's REAL IP address?
>
> Reliably? you probably can't. There is nothing that forces the browser to supply such
> information.

Then, what is the BEST way to get the user's IP address?
Author
15 Jun 2009 12:00 AM
Bob Barrows
Toni wrote:
Show quoteHide quote
> "Bob Barrows" wrote...
>> Toni wrote:
>>> With available variables such as
>>>
>>> Request.ServerVariables("REMOTE_ADDR")
>>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>>> Request.ServerVariables("HTTP_VIA")
>>>
>>> Can anyone tell me, how do I get the visitor's REAL IP address?
>>
>> Reliably? you probably can't. There is nothing that forces the
>> browser to supply such information.
>
> Then, what is the BEST way to get the user's IP address?

a) Ask him. The biggest drawback to this approach is the user might not know
what what you mean by "real" ip address and even if he does, he might not
know his ip address.

b) Persuade him to let you install an ActiveX control on his machine to
provide the address via WMI.

c) You might be able to run a batch command or access WMI using an HTML
application (.hta)

I've no experience doing any of these so someone else will have to continue
help ing you here if any of these are possible.

I used to see a piece of javascript that purported to return the user's ip
address, but I have no idea how reliable that really was. Hmm, I've done a
google search and all the scripts I've found use the REMOTE_ADDR
servervariable which you cited above. So we're back to square one. That
variable will _sometime_ contain the user's real ip address. Other times, it
won't. Sorry.


--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
Author
15 Jun 2009 2:32 AM
Toni
"Bob Barrows" wrote...
Show quoteHide quote
> Toni wrote:
>> "Bob Barrows" wrote...
>>> Toni wrote:
>>>> With available variables such as
>>>>
>>>> Request.ServerVariables("REMOTE_ADDR")
>>>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>>>> Request.ServerVariables("HTTP_VIA")
>>>>
>>>> Can anyone tell me, how do I get the visitor's REAL IP address?
>>>
>>> Reliably? you probably can't. There is nothing that forces the
>>> browser to supply such information.
>>
>> Then, what is the BEST way to get the user's IP address?
>
> a) Ask him. The biggest drawback to this approach is the user might not know what what
> you mean by "real" ip address and even if he does, he might not know his ip address.

Yeah. Sure.


>
> b) Persuade him to let you install an ActiveX control on his machine to provide the
> address via WMI.

Not an option.

>
> c) You might be able to run a batch command or access WMI using an HTML application
> (.hta)
>
> I've no experience doing any of these so someone else will have to continue help ing
> you here if any of these are possible.
>
> I used to see a piece of javascript that purported to return the user's ip address,
> but I have no idea how reliable that really was. Hmm, I've done a google search and
> all the scripts I've found use the REMOTE_ADDR servervariable which you cited above.
> So we're back to square one. That variable will _sometime_ contain the user's real ip
> address. Other times, it won't. Sorry.

I've got a piece of javascript that returns the MAC address of the user's Ethernet
address. It's intrusive as hell, but it works.

Presently, I check HTTP_X_FORWARDED_FOR and if it's not null, I pull the first IP
address in the list. If it is null, I use REMOTE_ADDR. I find that this works 90% of the
time. I was just curious if anyone had more experience than me with this. I guess not.
Author
15 Jun 2009 2:05 AM
Adrienne
Gazing into my crystal ball I observed Toni writing in
<uHTTC7h6JHA.3***@TK2MSFTNGP03.phx.gbl>:

> With available variables such as
>
> Request.ServerVariables("REMOTE_ADDR")
> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
> Request.ServerVariables("HTTP_VIA")
>
> Can anyone tell me, how do I get the visitor's REAL IP address?

As others have said, there is no reliable way to get the real ip address,
especially if the users are using a service like AOL.

The question is, why do you need the user's real IP address?  What do you
really need to do?


--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share
Author
15 Jun 2009 2:34 AM
Toni
"Adrienne" wrote...
> Gazing into my crystal ball I observed Toni writing
>
>> With available variables such as
>>
>> Request.ServerVariables("REMOTE_ADDR")
>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>> Request.ServerVariables("HTTP_VIA")
>>
>> Can anyone tell me, how do I get the visitor's REAL IP address?
>
> As others have said, there is no reliable way to get the real ip address,
> especially if the users are using a service like AOL.

Not true. See my other post.

> The question is, why do you need the user's real IP address?  What do you
> really need to do?

The reasons are endless!
Author
15 Jun 2009 11:49 AM
Daniel Crichton
Toni wrote  on Sun, 14 Jun 2009 22:34:02 -0400:

Show quoteHide quote
> "Adrienne" wrote...
>> Gazing into my crystal ball I observed Toni writing

>>> With available variables such as

>>> Request.ServerVariables("REMOTE_ADDR")
>>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>>> Request.ServerVariables("HTTP_VIA")

>>> Can anyone tell me, how do I get the visitor's REAL IP address?

>> As others have said, there is no reliable way to get the real ip
>> address, especially if the users are using a service like AOL.

> Not true. See my other post.

>> The question is, why do you need the user's real IP address?  What do
>> you really need to do?

> The reasons are endless!

Really? What use is the internal IP address of a visitor where they are
using a non-routable address behind a NAT device?

Generally I find it's enough to use REMOTE_ADDR for my own sites, as this is
the address the user's connection is currently being routed from. I
sometimes will also check the following:

HTTP_X_FORWARDED_FOR
HTTP_CLIENT_IP
HTTP_X_FORWARD_FOR
HTTP_FORWARD_FOR
HTTP_X_FORWARD
HTTP_VIA

But I don't just use these blindly - I will use both the REMOTE_ADDR and any
found above that are not IANA non-routable addresses for checking against
various tables (such as IP blacklists and country lookups). I certainly
wouldn't say that the information from these is better than REMOTE_ADDR in
99% of cases, and in many cases may well cause problems - for instance, you
blacklist an address such as 192.168.1.1 and then find that a large
proportion of your visitor base is blocked from access.

What do you consider the real IP address to be? The one currently assigned
to the visitors PC? The one assigned to their router/modem? The one assigned
to their NAT device/proxy? All of these are "real", depending on how the
visitor's connection is configured, but generally only the router/modem and
NAT (if there is one) are of any use to you.

--
Dan
Author
15 Jun 2009 4:19 PM
Toni
"Daniel Crichton" wrote...
Show quoteHide quote
> Toni wrote  on Sun, 14 Jun 2009 22:34:02 -0400:
>
>> "Adrienne" wrote...
> >> Gazing into my crystal ball I observed Toni writing
>
> >>> With available variables such as
>
> >>> Request.ServerVariables("REMOTE_ADDR")
> >>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
> >>> Request.ServerVariables("HTTP_VIA")
>
> >>> Can anyone tell me, how do I get the visitor's REAL IP address?
>
> >> As others have said, there is no reliable way to get the real ip
> >> address, especially if the users are using a service like AOL.
>
>> Not true. See my other post.
>
> >> The question is, why do you need the user's real IP address?  What do
> >> you really need to do?
>
>> The reasons are endless!
>
> Really? What use is the internal IP address of a visitor where they are using a
> non-routable address behind a NAT device?
>
> Generally I find it's enough to use REMOTE_ADDR for my own sites, as this is the
> address the user's connection is currently being routed from. I sometimes will also
> check the following:
>
> HTTP_X_FORWARDED_FOR
> HTTP_CLIENT_IP
> HTTP_X_FORWARD_FOR
> HTTP_FORWARD_FOR
> HTTP_X_FORWARD
> HTTP_VIA

THANK YOU for this list - it is what I was looking for - I am going to start logging
this information so I can look for patterns.

Show quoteHide quote
>
> But I don't just use these blindly - I will use both the REMOTE_ADDR and any found
> above that are not IANA non-routable addresses for checking against various tables
> (such as IP blacklists and country lookups). I certainly wouldn't say that the
> information from these is better than REMOTE_ADDR in 99% of cases, and in many cases
> may well cause problems - for instance, you blacklist an address such as 192.168.1.1
> and then find that a large proportion of your visitor base is blocked from access.
>
> What do you consider the real IP address to be? The one currently assigned to the
> visitors PC? The one assigned to their router/modem? The one assigned to their NAT
> device/proxy? All of these are "real", depending on how the visitor's connection is
> configured, but generally only the router/modem and NAT (if there is one) are of any
> use to you.
>
> --
> Dan

To get back to your original post: AOL dialup has gone the way of the dinosaur, it is
non-existent. As far as AOL broadband, I can speak to a membership site I have with
thousands of users and none are from AOL.

Second, the IP address that  is as close to the visitor as possible, is the one I want.
I need to uniquely identify certain visitors, partly to discover their country of
origin. I do a reverse DNS to identify them and the COMPANY they are from. One example
is I'm working with a very large company to put information on the web that is only
accessible to their employees. I need to uniquely identify their employees, and I can
partially do this via the companies registered range of IP addresses. (Their IT
department is totally uncooperative - they consider themselves "keepers of the secrets"
and refuse to discuss how their network works, even with corporate execs, which is one
reason why I've been contracted to do this)

Daniel, thank you for the thoroughness of your answer - it is clear to me that you
understand the subject. I've learned a lot.
Author
15 Jun 2009 6:25 PM
Bob Barrows
Toni wrote:
> To get back to your original post: AOL dialup has gone the way of the
> dinosaur, it is non-existent.

No, that is not at all true. My mother-in-law still uses it. She is far
from the only one still using it.


--
HTH,
Bob Barrows
Author
16 Jun 2009 7:54 AM
Daniel Crichton
Toni wrote  on Mon, 15 Jun 2009 12:19:32 -0400:

Show quoteHide quote
> "Daniel Crichton" wrote...
>> Toni wrote  on Sun, 14 Jun 2009 22:34:02 -0400:

>>> "Adrienne" wrote...
>>>> Gazing into my crystal ball I observed Toni writing

>>>>> With available variables such as

>>>>> Request.ServerVariables("REMOTE_ADDR")
>>>>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")
>>>>> Request.ServerVariables("HTTP_VIA")

>>>>> Can anyone tell me, how do I get the visitor's REAL IP address?

>>>> As others have said, there is no reliable way to get the real ip
>>>> address, especially if the users are using a service like AOL.

>>> Not true. See my other post.

>>>> The question is, why do you need the user's real IP address?  What
>>>> do you really need to do?

>>> The reasons are endless!

>> Really? What use is the internal IP address of a visitor where they
>> are using a  non-routable address behind a NAT device?

>> Generally I find it's enough to use REMOTE_ADDR for my own sites, as
>> this is the  address the user's connection is currently being routed
>> from. I sometimes will also  check the following:

>> HTTP_X_FORWARDED_FOR
>> HTTP_CLIENT_IP
>> HTTP_X_FORWARD_FOR
>> HTTP_FORWARD_FOR
>> HTTP_X_FORWARD
>> HTTP_VIA

> THANK YOU for this list - it is what I was looking for - I am going to
> start logging  this information so I can look for patterns.


>> But I don't just use these blindly - I will use both the REMOTE_ADDR
>> and any found  above that are not IANA non-routable addresses for
>> checking against various tables  (such as IP blacklists and country
>> lookups). I certainly wouldn't say that the  information from these
>> is better than REMOTE_ADDR in 99% of cases, and in many cases  may
>> well cause problems - for instance, you blacklist an address such as
>> 192.168.1.1  and then find that a large proportion of your visitor
>> base is blocked from access.

>> What do you consider the real IP address to be? The one currently
>> assigned to the  visitors PC? The one assigned to their router/modem?
>> The one assigned to their NAT  device/proxy? All of these are "real",
>> depending on how the visitor's connection is  configured, but
>> generally only the router/modem and NAT (if there is one) are of any
>> use to you.

>> --
>> Dan

> To get back to your original post: AOL dialup has gone the way of the
> dinosaur, it is  non-existent. As far as AOL broadband, I can speak to
> a membership site I have with  thousands of users and none are from
> AOL.

This is the first post I've made in this thread - and I never mentioned AOL
;)

And I run 6 e-commerce sites, and we have loads of AOL users. Plus I have
run a few forum sites, and there are plenty on those too.

> Second, the IP address that  is as close to the visitor as possible, is
> the one I want. I need to uniquely identify certain visitors, partly to
> discover their
> country of  origin. I do a reverse DNS to identify them and the COMPANY
> they are from.

Reverse DNS is not very efficient from a performance point of view. I use a
Geo IP database to determine the country of origin, this is much faster than
reverse DNS and I have it automatically updated on a daily basis.

> One example  is I'm working with a very large company to put information
> on the web that is only  accessible to their employees. I need to uniquely
> identify their employees, and I can  partially do this via the companies
> registered range of IP addresses. (Their IT department is totally
> uncooperative - they consider themselves "keepers of the secrets"
> and refuse to discuss how their network works, even with corporate
> execs, which is one  reason why I've been contracted to do this)

Personally I would suggest to that IT department that they consider the use
of client side certificates, or a VLAN where the access can be controlled
much more closely. Relying on IP addresses alone is often the start of a
recipe for disaster. I'm assuming that you're also using client login
credentials on this site, and using NTLM/Kerberos as opposed to Basic auth,
along with SSL to help prevent sniffing login credentials over the wire?

> Daniel, thank you for the thoroughness of your answer - it is clear to
> me that you  understand the subject. I've learned a lot.

Glad to hear I could help. I've spent 14 years building e-commerce sites for
the company I work for, and the past 4 years running my own forum sites, and
I've picked up a lot in that time. The IP tracking I do is mostly for the
e-commerce systems to help identify country of origin as part of the fraud
checks on ordering, and also to flag up potential known fraudsters - I don't
block just on the IP address, but flagging orders for further manual checks
goes a long way to helping combat fraud.

--
Dan
Author
19 Jun 2009 6:48 PM
Toni
"Daniel Crichton" wrote...
:
> Glad to hear I could help. I've spent 14 years building e-commerce sites for the
> company I work for, and the past 4 years running my own forum sites, and I've picked
> up a lot in that time. The IP tracking I do is mostly for the e-commerce systems to
> help identify country of origin as part of the fraud checks on ordering, and also to
> flag up potential known fraudsters - I don't block just on the IP address, but
> flagging orders for further manual checks goes a long way to helping combat fraud.

This is the other project I'm also doing, which is preventing fraud. I'll sometimes get
emails from my site notifying me that someone is attempting to do things they are not
supposed to do, and so I'll set a block on their IP address.

Bookmark and Share

Post Other interesting topics
ASP.NET and HTML
pass stored procedure parameters in asp
Select INTO, UNION
How to host a site on a closed network
ASP 0126
technology choice
Getting input in Multi Laguage
Include Files > asp to aspx - vbscript to vb.net
II6 -> II7 with classic ASP
Set regEx = nothing ?