SiteCrafting Blah Blah Blog
Aug. 9, 2007 at 4:14pm
Getting the Client’s IP Address
There are a number of reasons why you may want to capture a web user's IP address. You may want to only allow certain IP addresses to view your website, to allow only one vote per IP address, track unique clicks on links and buttons, a location of web users on Google Maps using MASHUP, and whatever else you can think of.
Below are a couple of examples to get the client's IP address in PHP and ASP.net, along with a couple of things to watch for.
PHP Examples
You could use the following to get the client's IP address
<?
$client_ip = $_SERVER["REMOTE_ADDR"];
// MAC Xserve may also have this server variable
$client_ip = $_SERVER["PC-Remote-Addr"];?>
To confirm which one to use, try looking at all the server variables by using print_r( $_SERVER). Another one to look for is $_SERVER["HTTP_PC_REMOTE_ADDR). It depends on upon on the server, IIS has a different set of names, apache has it's own set, etc.
ASP.net Examples
Here are a couple of different methods in VB.net
<%dim strClientIp AS string = ""
strClientIp = Me.Request.UserHostAddress
' or use sever variables, just like the PHP examples
strClientIp = Me.Request.ServerVariables("LOCAL_ADDR")%>
If you're trying to capture the client IP inside of a class, use HttpContext.
<%
Public Class Client
Public IPAddress AS string
Sub New()
Me.IPAddress = HttpContext.Current.Request.UserHostAddress
End Sub
End Class
%>
What to watch for:
If the client's computer is inside of a network, the IP address will usually be the IP address of the router/firewall that connects to the Internet. Which could be a problem if your allowing one anonymous vote per IP address. If there are 20 computers within a network, then they could only have a total of one vote.
Other server variables to look out for:
The server variable HTTP_X_FORWARDED_FOR can also be used to find the client's IP address. Sometimes, this variable will have the computer's IP address inside of the network, which may be a worthless LAN address. However, this header can be easily faked and can also be a comma-separated list of IP addresses.
Another thing to watch for is how the router/firewall sends Internet traffic to the web server that is trying to capture the client's IP address. It's possible that the router/firewall has been setup to replace the REMOTE_ADDR or LOCAL_ADDR header values with a hard coded IP address. Setting the DMZ configuration for a router or running some code on the firewall can do this. For an example, download the Web Interface 4.0 troubleshooting guide and refer to the code on page 43.
The last item is one that caught me. For a client's intranet site, I was attempting to validate an intranet user by capturing their IP address and validating it to a list of valid IP addresses. However, when browsing from the internet, from several computers at different locations, the IP address kept coming up as a LAN address, such as 10.0.1.15. This was because of the way the client's IT department setup the DMZ configuration.
Posted in ASP.NET 2.0, Coding Techniques, From the Workbench, PHP by Ken Foubert
Comments (0)
Add your comment below