Security implications of Request.ServerVariables("REMOTE_ADDR") vs Request.ServerVariables("HTTP_X_FORWARDED_FOR")

Let's say we're tracking the end-user IP for a web service:

ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If ip = "" Then
    ip = Request.ServerVariables("REMOTE_ADDR")
End If

I've read that this is the best method of retrieving end-user IP because it works even for users on a transparent proxy.

If we're using the end-user IP address to filter malicious users, are there are any security implications with the above method instead of, say, just using Request.ServerVariables("REMOTE_ADDR")?

For example, if we banned a malicious user by end-user IP, could they easily change their IP via a proxy and continue using our web service?

Thanks in advance for your help.


REMOTE_ADDR is generated by the web server based on the connection from the client. HTTP_X_FORWARDED_FOR is based on a HTTP header sent by the client.

You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that HTTP_X_FORWARDED_FOR header.

If the users are using a transparent proxy then the above code will get the real IP address. If they're using an anonymous proxy, though (like Anonymizer) then there's really no way to get the users actual IP address.

Need Your Help

Customizing Visual Studio

c# winforms visual-studio

I have been working with Visual Studio (WinForm and ASP.NET applications using mostly C#) for several months now. For the most part my IDE is set up fairly standard but I have been wondering what ...

HTML 5 app to use buttons on phone using phonegap

android html5 cordova

I am trying to make a mobile app in html 5 using PhoneGap.