Reputation: 143
Can i trust the value that is returned from ServerVariables["REMOTE_ADDR"]
I have a IIS hosted ASP.NET WebAPI app and im using ServerVariables["REMOTE_ADDR"] to get the client address and identify the user: client logs in and i will generate a cookie that contains the client IP. In subsequent calls i will get the IP from the cookie, and validate that it is correct.
Can i trust the address, or is there a way that ServerVariables["REMOTE_ADDR"] returns e.g. 161.121.222.223 and the client is really somewhere else?
Upvotes: 4
Views: 341
Answers (2)
Reputation: 2272
Yes, it's safe. It is the source IP of the TCP connection and can't be substituted by changing an HTTP header.
One case you may want to be worry of is if you are behind a reverse proxy in which case the REMOTE_ADDR will always be the IP of the proxy server and the user IP will be provided in an HTTP header (such as X-Forwarded-For). But for the normal use case reading REMOTE_ADDR is fine.
Taken from: Is it safe to trust $_SERVER['REMOTE_ADDR']?
Upvotes: 3
Reputation: 1037
Yes, it's reliable. It can't be modified by the client, except by simply connecting from another IP. (Proxy)
Upvotes: 0
Related Questions
- I want to try to check the IP using ServerVariables["REMOTE_ADDR"] but it keeps return 127.0.0.1
- Is the web server variable $_SERVER['REMOTE_ADDR'] reliable?
- Is it safe to trust $_SERVER['REMOTE_ADDR']?
- Why does ServerVariable["REMOTE_ADDR"] returns the server IP?
- ServerVariables["REMOTE_HOST"] returns internal IP?
- What is the difference between Request.ServerVariables["REMOTE_ADDR"] and Request.UserHostAddress?
- Can $_SERVER['REMOTE_ADDR'] be trusted?
- ASP.NET Request.ServerVariables["REMOTE_ADDR"] <<< gives the "physical" connection IP?
- Is Request.ServerVariables["REMOTE_ADDR"] reliable enough?