Getting The Real IP Of Your Users

Stop using the wrong IPs in your applications!
By Oli on Monday, 22nd May 2006. More information. Comments.

Learn the ins an outs of getting a users IP, even if they're using a proxy.

Languages
VB.net
C#
PHP
Java and JSP
ASP/VBScript
ColdFusion
Perl

There are a lot of sites around the internet that try and get your IP address. Most of their reasons are legitimate. For example Google Adsense will log your IP to see where the user clicking the advert is from (and kick you off if its the same IP you logged into that account with).

However, there are some sites that try to look at your IP for various reasons but do it wrong. Rapidshare is a beatifully painful example of this. If you're on an ISP that uses a transparent proxy, RapidShare will log the proxy address instead of the actual account IP. As they limit the downloading on a per-IP basis, that means everyone using that ISP, going through that proxy, has the same IP to Rapidshare, meaning the limit to how much you download is split among those users.

What I'm saying here is, if you're going to do your own IP lookups for whatever reason, do them correctly. My initial code here was in VB.net but since I have translated what its doing to the most popular server-side languages. As its based on the server variables, rather than the code's process, its quite easy to port to something else if you need to.

The lookup that these "incorrect" sites are doing is something like this:

Request.ServerVariables("REMOTE_ADDR")

What then need to be doing is comparing the HTTP_X_FORWARDED_FOR variable against it, to check that there isn't a non-transparent proxy in the way. Like so:

' Look for a proxy address first
Dim _ip As String = Request.ServerVariables("HTTP_X_FORWARDED_FOR")

' If there is no proxy, get the standard remote address
If (_ip = "" Or _ip.ToLower = "unknown") Then _
    _ip = Request.ServerVariables("REMOTE_ADDR")

This doesnt help people that are limited to (or otherwise) on anonymous proxies. They will hide the forwarding address (like they're supposed to) and therefore the lookup will ONLY get the proxy's address. Some ISPs do this by default to "protect" their users... Its just retarded. If you ISP does this, and you've been wondering why RS or other sites don't work... Now you know.

If you want to check against an existing "wrong site", try IP Chicken. It will return an incorrect value (eg the proxy). WhatsMyIP.org is one that will look through the proxy and should give you the correct IP.

Here are some more examples in other languages:

C#

// Look for a proxy address first
String _ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

// If there is no proxy, get the standard remote address
If (_ip == "" || _ip.ToLower == "unknown")
    _ip = Request.ServerVariables["REMOTE_ADDR"];

PHP

Based on code from OxyScripts.

/**
* Call as: $userp = GetUserIP();
*/
function GetUserIP() {

    if (isset($_SERVER)) {

        if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
            return $_SERVER["HTTP_X_FORWARDED_FOR"];
        
        if (isset($_SERVER["HTTP_CLIENT_IP"]))
            return $_SERVER["HTTP_CLIENT_IP"];

        return $_SERVER["REMOTE_ADDR"];
    }

    if (getenv('HTTP_X_FORWARDED_FOR'))
        return getenv('HTTP_X_FORWARDED_FOR');

    if (getenv('HTTP_CLIENT_IP'))
        return getenv('HTTP_CLIENT_IP');

    return getenv('REMOTE_ADDR');
}

Java and JSP

String ipaddress = request.getHeader("HTTP_X_FORWARDED_FOR");

if (ipaddress  == null)
    ipaddress = request.getRemoteAddr();

ASP/VBScript

ipaddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
if ipaddress = "" then
    ipaddress = Request.ServerVariables("REMOTE_ADDR")
end if

ColdFusion

<CFCOMPONENT>
    <CFIF #CGI.HTTP_X_Forwarded_For# EQ "">
        <CFSET ipaddress="#CGI.Remote_Addr#">
    <CFELSE>
        <CFSET ipaddress="#CGI.HTTP_X_Forwarded_For#">
    </CFIF>
</CFCOMPONENT>

Perl

$IPAddress = $ENV{HTTP_X_FORWARDED_FOR};

if ($IPAddress == "") {
    $IPAddress = $ENV{HTTP_X_FORWARDED_FOR};
}

If you know anymore, just ping them in my general direction and they can be added.

Grav

Written by Oli on Monday, 22 May 2006. Tagged with ip, programming, webdev, vb.net, c#, php, java, jsp, asp, coldfusion, perl. Read 30628 times. If you liked it, please give it a digg.

1 to 10 of 26 < 1 2 3 >
#1 /* 4 years, 8 months ago */
very useful to me and solved my problem
Quote
Gravatar prashant Anonymous User
#2 /* 3 years, 4 months ago */
WhatsMyIP.org returned the Proxy server IP when I switched to it. The proxy host is running "ccproxy"
Quote
Gravatar Chud Anonymous User
#3 /* 3 years, 2 months ago */
I heard there's a test here that will determine if I'm human...
Quote
Gravatar am I human Anonymous User
#4 /* 3 years, 12 months ago */
Your ASP code is missing an essential bit (that you had in your VB at the top). In ASP you still need to verify that the HTTP_X_FORWARDED FOR value isn't returning "unknown":

userIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If userIPAddress = "" or Trim(LCase(userIPAddress)) = "unknown" Then
userIPAddress = Request.ServerVariables("REMOTE_ADDR")
End If
Quote
Gravatar Kevin Anonymous User
#5 /* 3 years, 11 months ago */
I would check for null value first:

HttpRequest currentRequest = HttpContext.Current.Request;
string ipAddress = currentRequest.ServerVariables["HTTP_X_FORWARDED_FOR"];

if (string.IsNullOrEmpty(ipAddress) || ipAddress.Equals("unknown", StringComparison.OrdinalIgnoreCase))
ipAddress = currentRequest.ServerVariables["REMOTE_ADDR"];
Quote
Gravatar DalSoft Anonymous User
#6 — Author comment /* 3 years, 11 months ago */
I'm pretty sure that's not needed, DalSoft because the string is coming from ServerVariables... IFAIK, ServerVariables will always have the values available, just == String.Empty if they're blank.
QuoteSiteProfile
Gravatar Oli Numero Uno
#7 /* 3 years, 9 months ago */
can i change or hide my real ip?
honestly..i've tried to use alot of proxies..they changed my ip on whatismyipaddress.com and ipchicken.com...
but when i use http://www.ip2location.com ... they trace my real ip and proxy ip ..
they turn my fucking spirit down man...
so...how to change real ip address...

thanx boss... ya da best
Quote
Gravatar taby Anonymous User
#8 /* 2 years, 6 months ago */
Hi,
Nothing workout for me. I am getting firewall IP.SSL enabled.

Request.ServerVariables("HTTP_X_FORWARDED_FOR") returned Empty
Request.UserHostAddress returned Firewall IP
Request.ServerVariables("REMOTE_ADDR") returned Firewall IP

How I can get the visitor IP? I need to do any settings? pls advice...

Thanks
Quote
Gravatar leoiser Anonymous User
#9 — Author comment /* 2 years, 6 months ago */
leoiser, if it's a router using NAT, then there's no chance of getting the IP because they (usually - 99.9% of the time) don't pass this information on.

These techniques will only work for proxies that aren't ''anonymous''
QuoteSiteProfile
Gravatar Oli Numero Uno
#10 /* 2 years, 6 months ago */
HTTP_X_FORWARDED_FOR is trivial to manipulate, don't rely on it for anything. It can also contain multiple ips
Quote
Gravatar fredx Anonymous User
1 to 10 of 26 < 1 2 3 >

Don't just sit there like a lemon! Reply!

Got something to say? Now's the time to share it with the author and everybody else that reads this posting! Lemons need not apply.

edtBOX - xHTML: yes - bbcode:no
Latest Posts
  1. Debranding and Unlocking a Samsung M8800 Pixon
  2. Facebook worm
  3. My issues with Linux et al
Greatest Posts
  1. Bootable USB Flash Drive
  2. What Really Slows Windows Down
  3. What Slows Windows Down?
Latest Elsewhere
Home | Advertise | About | Contact | Legal © Oli Warner 2001—2007 Proud 9rules member