Ruscoweb - Wordpress

The IP address of the client who sent the request can be useful for various tasks including auditing. I recently had to use the IP address to implement security auditing.

I found the HttpRequest.UserHostAddress property, however with some research discovered it will not always accurately return the correct result.

Http requests can travel from the origin to the destination via many different points on the internet. These can be proxies which will update the request header with its own IP address. The information being sent to the server is broken up into blocks, called packets.

For example:
A user is connected to the internet using a browser and has the IP address: 203.10.10.4.

They do a google search. They are sending a Http request to the IP address 74.125.67.100 (one of Google’s IPs).

Each packet will have the destination and origin IP address in the header. Packets may travel in different paths to get to the destination.

Say we have packet A:
Origin: 203.10.10.4

Packet A might be directed through the ISP proxy, which has the IP: 203.10.10.1.
The proxy will upate the header with the new IP and store the original IP in another variable in the header.

The destination will believe packet A orginated from 203.10.10.1, whereas it actually originated at 203.10.10.4.

We have to check all of the possible header variables to determine which was the original IP address. The following are the server variables:

• REMOTE_ADDR
• HTTP_X_FORWARDED_FOR

When the packet is created, the REMOTE_ADDR variable is set with 203.10.10.4. The proxy will update REMOTE_ADDR with 203.10.10.1 and set HTTP_X_FORWARDED_FOR with 203.10.10.4.

There is no requirements that proxies will updated the forward variable, so there is a chance we will not be able to get the correct IP address.

Here is a method that attempts to retrieve the client IP address:
///
/// Returns the IP address of the remote client.
///
public static string GetClientIPAddress(HttpContext context)
{



context.Request.UserHostAddress
string ipAddress = “”;

// Try to get the IP address if a proxy has redirected the traffic.
string ipAddressForwardedFor = context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
string ipAddressForwarded = context.Request.ServerVariables["HTTP_X_FORWARDED"];

// This is the same as context.Request.UserHostAddress
string ipAddressRemoteAddress = context.Request.ServerVariables["REMOTE_ADDR"];

// If there is no forwarded for ip address in the request header
if (string.IsNullOrEmpty(ipAddressForwardedFor))
{

// If there is no forwarded ip address in the request header
if (string.IsNullOrEmpty(ipAddressForwarded))
{
// No forwarded IP address, use the remote address.
ipAddress = ipAddressRemoteAddress;
}
else
{
// Forwarded ip address.
ipAddress = ipAddressForwarded;
}


}
else
{
// Forwarded ip address.
ipAddress = ipAddressForwardedFor;
}

return ipAddress;

}
As mentioned before, there is no guarantee that you will be able to retrieve the correct IP address. There are many factors that affect the reasons for this, including user privacy.  Some proxies are used simply to hide the IP address of the sender.

References:
http://haacked.com/archive/2006/10/11/A_Gotcha_Identifying_the_Users_IP_Address.aspx
http://msdn.microsoft.com/en-us/library/system.web.httprequest.userhostaddress.aspx
http://en.wikipedia.org/wiki/Packet_(information_technology)
http://proxy.org/

I currently have to open a new window in a web application. Here are my requirements:

1. Must be browser compatible for IE6/7/8, Firefox (all), Opera (all), Chrome and Safari
2. Must pass parameters to the new page (without using URL parameters)
3. Must return a value to the old page
4. Must know whether a window has already be opened, so only 1 is open at a time

According to this site, the target attribute for the anchor tag is being phased out. Therefore it is a better idea to use DOM in javascript to open the window. We need this anyway to meet the requirements for holding on to the new window reference.

I tried the first code example from this site, however it did not work in IE 7. I think a majority of this code is the correct way to go, so I need to work out why it failed in IE 7. I also noticed the resizable config setting had no effect in any of the browsers. That is fine, as this does not break any of the requirements.

I came across an interesting paragraph on the MSDN site, that mentions IE 7 in Windows Vista has access restrictions across process boundaries. It also mentions that when a new window is opened, it creates a new process. This may be an issue as it will make our requirements more difficult to meet.

The issue with IE 7 was related to the title text. I passed in a parameter like so:


function openWindow(url, title)
{
var win = window.open(url, ‘App - ‘ + title, config=”…”);
}


When I simply used:

var win = window.open(url, ‘App’, config=”…”);


Internet Explorer worked fine.

The resizable config setting appears to only work in Internet Explorer. I want consistent behaviour so I will not use this setting. The default value is resizable=no, so I have to explicitly say yes, I do want the window to be resizable. I am trying to make navigation easier for my users, not restrictive.

An object is returned after the window has been opened. This is the object I intend to use to pass the parameters to, be notified when the window has closed and retrieve the returned value. Here is my code so far:

Javascript

function openWindow(url)
{
var win = window.open (url, 'CHCR', config='height=300, \
width=520, toolbar=no, menubar=no, scrollbars=yes, resizable=yes, \
location=no, directories=no, status=no');

}

HTML
<div onclick=”openWindow(’../SuburbLookup.htm’);”>..</div>
This will open my window and meets requirement 1.

Stay tuned for further progress on my window.