
Thread: Why use HTTP_X_FORWARDED_FOR?

  1. #1
    Join Date
    Dec 2009
    Posts
    9

    Question Why use HTTP_X_FORWARDED_FOR?

    Hi, I was wondering why people use $_SERVER['HTTP_X_FORWARDED_FOR'] in PHP for getting the user's IP address. If you look at the page http://roshanbh.com.np/2007/12/getti...ss-in-php.html (there are many others that are similar), they recommend using HTTP_X_FORWARDED_FOR before REMOTE_ADDR. I can easily modify my HTTP headers to trick it into thinking I'm from any IP address. Anyone know why people use it then?

  2. #2
    Join Date
    Feb 2007
    Location
    Ireland
    Posts
    1,007
    Quote: Originally Posted by smengler
    Hi, I was wondering why people use $_SERVER['HTTP_X_FORWARDED_FOR'] in PHP for getting the user's IP address. If you look at the page http://roshanbh.com.np/2007/12/getti...ss-in-php.html (there are many others that are similar), they recommend using HTTP_X_FORWARDED_FOR before REMOTE_ADDR. I can easily modify my HTTP headers to trick it into thinking I'm from any IP address. Anyone know why people use it then?
    You could, but there are multiple ways of identifying a client. The basics include IP address, user agent, operating system, cookies, etc. As mentioned in the link you posted, proxy servers may be used to mask a user's IP. While this is true, the new IP isn't wrong; the connection is still coming from the proxy server. HTTP_X_FORWARDED_FOR may contain the IP of the originating client and all the proxy servers, or it may not. It is just an added piece of information that shouldn't be treated as fact.

    "A web server should log BOTH the request's source IP and the X-Forwarded-For header information for completeness." - Wikipedia
    Last edited by Alan; 06 Feb 2010 at 04:51 PM.
    “The best thing about a boolean is even if you are wrong, you are only off by a bit.”
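
The point made in the reply above (the header is extra information rather than fact, and both values belong in the log), as an added PHP example that is not part of the thread. The `TRUSTED_PROXIES` list, the function names and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example, not from the thread. TRUSTED_PROXIES and the sample
// addresses are constructed (documentation ranges).
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

/**
 * Return the address to attribute the request to.
 * X-Forwarded-For is read only when the TCP peer (REMOTE_ADDR) is one of
 * our own proxies; otherwise the header is client-supplied and ignored.
 */
function client_ip(string $remoteAddr, ?string $xff, array $trusted = TRUSTED_PROXIES): string
{
    if ($xff === null || !in_array($remoteAddr, $trusted, true)) {
        return $remoteAddr;
    }
    // Each proxy appends the peer it saw, so the rightmost entries are the
    // ones our own infrastructure wrote. Walk right to left.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the rest of the chain
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first hop that is not one of our proxies
        }
    }
    return $remoteAddr;
}

/** Log line keeping both values, as the quoted advice recommends. */
function log_line(string $remoteAddr, ?string $xff): string
{
    // Strip control characters and quotes so a crafted header cannot forge log fields.
    $raw = $xff === null ? '-' : preg_replace('/[\x00-\x1F\x7F"]/', '', $xff);
    return sprintf('peer=%s xff="%s" client=%s', $remoteAddr, $raw, client_ip($remoteAddr, $xff));
}

// Constructed requests: a direct client sending its own header, then a
// request relayed by one of our proxies with a client-supplied first entry.
echo log_line('203.0.113.7', '10.0.0.1'), PHP_EOL;
echo log_line('192.0.2.10', '10.0.0.1, 198.51.100.23'), PHP_EOL;
```

In both sample requests the client-supplied `10.0.0.1` is recorded in the `xff` field but never becomes the attributed address.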
