I understand it's a standard practice to look at both these variables. Of course they can easily be spoofed. I'm curious how often can you expect these values (especially the HTTP_X_FORWARDED_FOR
) to contain genuine information and not just be scrambled or have their values stripped away?
Anyone with the experience or statistics on this stuff?
Is there anything else that can be useful for the task of getting the client's IP address?
In addition to
REMOTE_ADDR
andHTTP_X_FORWARDED_FOR
there are some other headers that can be set such as:HTTP_CLIENT_IP
HTTP_X_FORWARDED_FOR
can be comma delimited list of IPsHTTP_X_FORWARDED
HTTP_X_CLUSTER_CLIENT_IP
HTTP_FORWARDED_FOR
HTTP_FORWARDED
I found the code on the following site useful:
http://www.grantburton.com/?p=97
If you're behind a proxy, you should use
X-Forwarded-For
: http://en.wikipedia.org/wiki/X-Forwarded-ForIt is an IETF draft standard with wide support:
If not, here are a couple other common headers I've seen:
IP + "User Agent" could be a better for unique visitor.
I've ported Grant Burton's PHP code to an ASP.Net static method callable against the HttpRequestBase. It will optionally skip through any private IP ranges.
No real answer to your question but:
Generally relying on the clients IP address is in my opinion not a good practice as it is not usable to identify clients in a unique fashion.
Problems on the road are that there are quite a lot scenarios where the IP does not really align to a client:
I cannot offer any statistics on how many IP addresses are on average reliable but what I can tell you that it is almost impossible to tell if a given IP address is the real clients address.
It depends on the nature of your site.
I happen to work on a bit of software where IP tracking is important, and within a field consumed by parter sites I'd guess some 20% - 40% of requests are either detectably spoofed IPs or headers blanked out, depending on the time of day and where they came from. For a site which gets organic traffic (i.e. not through partners) I'd expect a much higher ratio of good IPs.
As Kosi said, be careful what you're doing with this - IPs are in no way a reliable way to identify unique visitors.