Security implications of Request.ServerVariables(“REMOTE_ADDR”) vs Request.ServerVariables(“HTTP_X_FORWARDED_FOR”)
Let's say we're tracking the end-user IP for a web service:
    ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
    If ip = "" Then
        ip = Request.ServerVariables("REMOTE_ADDR")
    End If
I've read that this is the best method of retrieving end-user IP because it works even for users on a transparent proxy.
If we're using the end-user IP address to filter malicious users, are there any security implications with the above method instead of, say, just using Request.ServerVariables("REMOTE_ADDR")?
For example, if we banned a malicious user by end-user IP, could they easily change their IP via a proxy and continue using our web service?
Thanks in advance for your help.
REMOTE_ADDR is generated by the web server based on the connection from the client. HTTP_X_FORWARDED_FOR is based on an HTTP header sent by the client.
You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that HTTP_X_FORWARDED_FOR header.
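As an added example (not code from the question or the answer above), here is the lookup the question describes beside a hardened version that only honours X-Forwarded-For when the TCP peer (REMOTE_ADDR) is one of the site's own reverse proxies; the proxy addresses and the server-variable dictionaries are constructed for illustration.

```python
import ipaddress

# Constructed: addresses of the reverse proxies this site operates.
# Only these peers are allowed to tell us who the real client is.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"),
                   ipaddress.ip_address("10.0.0.6")}


def naive_client_ip(server_vars):
    """The lookup from the question: believes X-Forwarded-For from anyone."""
    ip = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    if ip == "":
        ip = server_vars["REMOTE_ADDR"]
    return ip


def trusted_client_ip(server_vars):
    """Use X-Forwarded-For only if the connection came from our own proxy.

    X-Forwarded-For is "client, proxy1, proxy2, ...": each hop appends the
    peer it saw. Walking it from the right, we skip our own proxies and take
    the first address that is not one of them. Anything further left was
    supplied by the client (or an unknown upstream) and is ignored.
    """
    peer = ipaddress.ip_address(server_vars["REMOTE_ADDR"])
    if peer not in TRUSTED_PROXIES:
        return str(peer)  # Direct connection: the header is client-controlled.
    raw = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # Malformed header: fall back to the peer.
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # Header listed only our own proxies.


if __name__ == "__main__":
    # Constructed: a direct connection whose client also sent a forged header.
    spoofed = {"REMOTE_ADDR": "203.0.113.9",
               "HTTP_X_FORWARDED_FOR": "198.51.100.1"}
    print("naive  :", naive_client_ip(spoofed))    # header value, forged
    print("trusted:", trusted_client_ip(spoofed))  # real peer address
```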