We have a requirement to capture the IP address of the end user machine who is browsing the web site.
The method getRemoteAddr() on the Request interface gives the IP address of the last proxy that send the request. So this is out of choice.
In search of the same, i was studying the http headers and found "X_FORWARDED_FOR" http header contains the comma separated IP address of all the nodes through which the request has been made, and the first one of them should be ideally the end users IP address.
But after implementing this solution, i was very happy to see the required result, but later on found, it doesn't always had the IP address of the end user as the first one, it sometimes has the one of the middle nodes(proxy server or router or gateway..) IP addresses.
Please let me know if my understanding of "X_FORWARDED_FOR" is correct and if so why is it not having the IP address of the end user always.
Or is there any other way of capturing the same. Our environment is simple JSP/Servlets on tomcat server.
Though I have not googled for the same header.But if there is any such header then it has to be enabled in the client and all the intermediate nodes through it passes.I have not encountered anything like that in IE nor in firefox.
One more thing which makes me feel that it may not be implemented properly as routers will just do some intelligent stuff to route the IP packets.Will the routers bother to add its ip in the X-HEADER-.. list of IP's. [ June 17, 2007: Message edited by: Rahul Bhattacharjee ]
If your requirement envisions getting the local IP address that my computer has in my private LAN, instead of the Class-A IP address of the proxy that connects me to the Internet, then I think your requirement needs to be reviewed.
Its no point capturing the IP address within the LAN, because it wont be of any help. We need the first Class A IP address. And that http header X_FORWARDED_FOR sometimes does not have the first proxy that connects to the internet.
I do agree with you, IP spoofing can be done @ routers, or they might even remove the header as such. I am not expecting 100 % fool proof solution. But if we could get we need the first proxy IP address.
Anyways thanks for your thoughts.
Regards, Srivatsa Katta
this is supposed to be a surprise, but it smells like a tiny ad: