Let’s say we’re tracking the end-user IP for a web service:
    ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If ip = "" Then
        ip = Request.ServerVariables("REMOTE_ADDR")
    End If
I’ve read that this is the best method of retrieving end-user IP because it works even for users on a transparent proxy.
If we're using the end-user IP address to filter malicious users, are there any security implications with the above method instead of, say, just using Request.ServerVariables("REMOTE_ADDR")?
For example, if we banned a malicious user by end-user IP, could they easily change their IP via a proxy and continue using our web service?
Thanks in advance for your help.
REMOTE_ADDR is generated by the web server based on the connection from the client. HTTP_X_FORWARDED_FOR is based on an HTTP header sent by the client. You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that HTTP_X_FORWARDED_FOR header.
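The following is an added example (not code from the question or the answer above) that contrasts the question's "prefer the header if present" logic with the approach the answer implies: only believe X-Forwarded-For when the TCP peer (REMOTE_ADDR) is one of your own reverse proxies, and then take the rightmost hop that is not one of your proxies, since that is the address your proxy actually saw. The proxy subnet, address values and header strings are constructed for the demonstration.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed assumption: the reverse proxies / load balancers in front of the
# web server live in this subnet. Only hops we operate may be trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Return a parsed address, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr: IPAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: str) -> str:
    """The logic from the question: use the header whenever it is non-empty.
    Anyone can send the header, so a direct client can pick any 'IP' here."""
    return xff if xff != "" else remote_addr


def client_ip(remote_addr: str, xff: str) -> str:
    """Resolve the end-user IP, trusting X-Forwarded-For only behind our proxies.

    remote_addr: the TCP peer as reported by the server (REMOTE_ADDR).
    xff:         the raw X-Forwarded-For header value, possibly empty.
    """
    peer = _parse_ip(remote_addr)
    if peer is None or not _is_trusted(peer):
        # Direct connection (or unknown peer): the header is attacker-controlled,
        # so REMOTE_ADDR is the only value we can stand behind.
        return remote_addr

    # Walk the chain right-to-left. Each of our proxies appends the address it
    # saw, so the rightmost non-proxy hop is the real client; anything further
    # left was supplied by the client and may be forged.
    for hop in reversed(xff.split(",")):
        if hop.strip() == "":
            continue
        addr = _parse_ip(hop)
        if addr is None:
            break            # malformed hop: stop, do not trust anything left of it
        if _is_trusted(addr):
            continue         # another of our proxies; keep walking
        return str(addr)

    # Header empty, malformed, or made only of our own proxies: fall back to the peer.
    return remote_addr


if __name__ == "__main__":
    # Direct client forging the header: naive code is fooled, hardened code is not.
    print(naive_client_ip("203.0.113.9", "198.51.100.1"))   # 198.51.100.1 (forged)
    print(client_ip("203.0.113.9", "198.51.100.1"))         # 203.0.113.9
    # Behind our proxy, with a client-forged prefix before the proxy's own entry.
    print(client_ip("10.0.0.5", "198.51.100.1, 198.51.100.7"))  # 198.51.100.7
```

For a ban list, store the value returned by client_ip, and remember the answer's caveat still applies in the other direction: a user who can reach a different open proxy gets a different REMOTE_ADDR, so an IP ban raises the cost of abuse but does not identify a person.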