Gotcha: HTTP_X_FORWARDED_FOR returns multiple IP addresses
I hit a small gotcha this evening. A visitor to Developer Fusion reported that they couldn’t gain access to the site at all, because our IP address detection logic was failing. We were checking the “HTTP_X_FORWARDED_FOR” header for an IP address, before falling back to REMOTE_ADDR, turning the IP into a long integer, and doing an IP-to-country lookup in our database. Which seemed safe enough!
As it turns out, HTTP_X_FORWARDED_FOR can sometimes contain a comma-delimited list of IP addresses, so what we actually needed to do was take the last IP address in that list before converting it to an integer.
Thanks go out to Francois Botha, one of our visitors, for helping me track down this issue!
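The check described above, as an added example that is not Developer Fusion's code. It generalises "take the last IP address": the header is read only when the request arrived through a proxy you operate, and its entries are walked right to left. The function names, the `$trustedProxies` list and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example. $trustedProxies is an assumed list of reverse proxies you run.

/**
 * Pick the client IP. X-Forwarded-For is honoured only when the direct peer
 * (REMOTE_ADDR) is one of our own proxies; its entries are then read right
 * to left, since only the right-most ones were appended by proxies we trust.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    // The header is client-supplied: ignore it on direct connections.
    if ($xff === '' || !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;          // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;    // first hop not added by one of our proxies
        }
    }
    return $peer;
}

/** IPv4 address as an integer key for an IP-to-country table, else null. */
function ip_lookup_key(string $ip): ?int
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;        // IPv6 or junk: caller chooses a default country
    }
    return ip2long($ip);    // non-negative on 64-bit PHP builds
}

// Constructed requests using documentation address ranges.
$proxies = ['192.0.2.10'];
$requests = [
    'via our proxy' => ['REMOTE_ADDR' => '192.0.2.10',
                        'HTTP_X_FORWARDED_FOR' => '10.1.1.1, 203.0.113.7'],
    'direct, header set by client' => ['REMOTE_ADDR' => '198.51.100.4',
                                       'HTTP_X_FORWARDED_FOR' => '203.0.113.99'],
];
foreach ($requests as $label => $server) {
    $ip = client_ip($server, $proxies);
    printf("%s: %s (%s)\n", $label, $ip, var_export(ip_lookup_key($ip), true));
}
```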
Thank you James for solving this problem. We will update the source codes in IP2Location.
Kim
24 Jun 07 at 12:10 am
Damn. I've written apps using this property and never knew it could send more than one IP. Thanks for the heads-up
26 Jun 07 at 10:36 am
In which order is the comma delimited list returned? For example, if I am trying to get “the” original ip, is it first in the list (always)?
11 Jul 07 at 1:39 pm
I ran into this about a year ago, and wrote this snippet as a workaround. Only tested it with a few proxies (Google translate, etc.), so no guarantees…
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
else
    $ip = $_SERVER['REMOTE_ADDR'];
// When viewed through an anonymous proxy, the address string
// contains multiple ip#s separated by commas. This fixes that.
$ip_array = explode(",", $ip);
$ip = $ip_array[0];
3 Sep 07 at 10:47 am
:neokio
instead of using first member from $_SERVER['HTTP_X_FORWARDED_FOR'] returning comma delimited value.
shouldn't we be using the last member of the array ?
something like,
$ip = $ip_array[count($ip_array) - 1];
???
1 May 08 at 11:44 am
Thanks Viral and Neokio. The added line from Viral looks good and works for me. I was looking for a function like explode… so this is perfect.
10 Jun 08 at 1:01 pm
substr($_SERVER['HTTP_X_FORWARDED_FOR'], 0, 15);
if the first ip is the goal then this should suffice, no need for explode. But I am not at all clear if the goal is the first IP or the last.
9 Aug 08 at 11:34 am
I'm just taking care of this for myself…
if (!isset($_SERVER['REMOTE_ADDR']) && isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    // array_pop() takes its argument by reference, so explode() goes into a variable first
    $parts = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
    $IP = array_pop($parts);
}
I think that should do it.
Dave Lozier
28 Oct 08 at 1:16 am
does anyone have an example in classic ASP?
5 Nov 08 at 3:31 pm
substr($_SERVER['HTTP_X_FORWARDED_FOR'], 0, 15); Ip addresses could be smaller than 15 chars for example AA.BB.CC.DD is less than 15 chars and still valid. An alternative to explode would be strpos to find the position of the comma and substr from 0 to comma
28 Nov 08 at 11:15 am
var cSharpGoodness = Request.ServerVariables["HTTP_X_FORWARDED_FOR"].Split(',').Last();
12 Dec 08 at 3:59 am
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
if (($pos = strrpos($ip, ",")) !== false) {
    $ip = substr($ip, $pos+1);
}
13 Dec 08 at 11:37 pm
It is worth looking at http://en.wikipedia.org/wiki/X-Forwarded-For for background on this.
22 Mar 10 at 12:16 pm
re: tempest on 09 August, 2008
While an IP's maximum length is 15, it won't always be the case…
substr($_SERVER['HTTP_X_FORWARDED_FOR'], 0, strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ","));
randy
28 Apr 10 at 5:23 pm