Security implications of Request.ServerVariables(“REMOTE_ADDR”) vs Request.ServerVariables(“HTTP_X_FORWARDED_FOR”)

Let's say we're tracking the end-user IP for a web service:

ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If ip = "" Then
    ip = Request.ServerVariables("REMOTE_ADDR")
End If

I've read that this is the best method of retrieving end-user IP because it works even for users on a transparent proxy.

If we're using the end-user IP address to filter malicious users, are there are any security implications with the above method instead of, say, just using Request.ServerVariables("REMOTE_ADDR")?

For example, if we banned a malicious user by end-user IP, could they easily change their IP via a proxy and continue using our web service?

Thanks in advance for your help.


REMOTE_ADDR is generated by the web server based on the connection from the client. HTTP_X_FORWARDED_FOR is based on a HTTP header sent by the client.

You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that HTTP_X_FORWARDED_FOR header.

Need Your Help

jQM Back Button with notext howto?

javascript jquery-mobile

My jQM App, I added "$.mobile.toolbar.prototype.options.addBackBtn = true;" to auto show back button on every page (except first page).

Are PHP cookies and 'JS' cookies the same?

php javascript cookies

If i set a cookie in PHP with the setcookie() function, can i access that with javascript cookie api, in other words are the php and javascript cookie access interchangeable?

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.