Tech Off Thread

How C9 should record IPs

  • Manip

    I am using a 'transparent cache service' which is a
    proxy forced on me by my ISP (so they can save
    bandwidth). So if you check my IP by the normal
    method you will get the cache server (thus multiple
    users appear to come from the same IP). However if
    you check the HTTP_X_FORWARDED_FOR var in the header
    you will see my true IP and thus can limit things
    such as polls to one IP.
     
     

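    string ispIPAddress;

    // Prefer the proxy-supplied headers; fall back to the connection address.
    if (Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null)
        ispIPAddress = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
    else if (Request.ServerVariables["HTTP_CLIENT_IP"] != null)
        ispIPAddress = Request.ServerVariables["HTTP_CLIENT_IP"];
    else
        ispIPAddress = Request.ServerVariables["REMOTE_ADDR"];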


    Taken from here (I am not an ASP.Net coder).

  • AndyC

    Manip wrote:

     and thus can limit things
    such as polls to one IP. 



    Wouldn't it be about a squillion times easier just to log the username that has voted in a poll rather than their IP?

    Okay, so people could register under multiple names but is that any less likely than them disconnecting and then re-connecting to get a new IP number if they're so desperate to vote again?

  • Manip

    At the moment they are not doing either. Just setting something in the cookie, thus making it a client side thing.

  • Arran

    Checking the IP is easy... but what about all those connections using dynamically assigned IPs?

    IMHO it's a waste of time.

  • Manip

    'All those connections'? You mean you? ... My IP is dynamic, but hasn't changed in over a year and I could be IDed registering another account if I tried.

    I am not suggesting it as a foolproof defence but it will stop the casual abuser and spammers (trolls) who might register multiple accounts to, for example, post religious propaganda.

     



  • Maurits

    Smilies gone bad...

  • Sven Groot

    My IP is dynamic, and seems to change every time I boot into Linux.

  • Maurits

    I should note that there are many ways to spoof mere headers in HTTP (X-Forwarded-For). Spoofing the connection IP is considerably more difficult.

    On the other hand if you have multiple users behind the same proxy (or proxy bank) then restricting connection IP isn't fair.

    On the whole, one-vote-per-username seems to be the fairest method of restricting polling... though it does require registration to vote...

  • Charles

    There is no guarantee that the x-forwarded-for request header data will be present just like there is no guarantee that client-ip data will actually represent the originating client as opposed to the proxy making the request on the client's behalf. As I've said, we do track IPs and IP data is not guaranteed to ensure that we know who you are. This is a hard problem that pretty much no web-based (client web browser-web server technology) has nailed.

    Yes, the poll is super easy to exploit. The question is, why exploit it? This is a social problem as much as it is a technological problem. "Gee. Other forums do this. And other forums do that...".

    This is Channel 9. We like to think that a community can be responsible for and by itself. If you must exploit simple web features to make yourself happy, well, go do it somewhere else.

     

    Charles

  • AT

    LOL... Are you kidding?

    Never trust your headers. Some evil people can fake it.

    As well, HTTP_X_FORWARDED_FOR can contain more than one IP or, in some rare cases, total garbage.
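
Added example, not part of the original thread or Channel 9's code: one way to act on the points raised in the posts above (a spoofable header, several addresses in one value, garbage values), written in Python because the logic is not specific to ASP.NET. The trusted-proxy list, the function name and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: addresses of caches / reverse proxies the site operator trusts.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}  # constructed sample


def resolve_client_ip(remote_addr, forwarded_for, trusted=TRUSTED_PROXIES):
    """Return (ip, source): the address to key a poll limit on and how it was derived."""
    peer = ipaddress.ip_address(remote_addr)
    # The header only means something when the TCP peer is a proxy we trust;
    # a client connecting directly can send any X-Forwarded-For it likes.
    if peer not in trusted or not forwarded_for:
        return peer, "connection"
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not itself a trusted proxy. Anything further
    # left was supplied by that hop and cannot be verified.
    client = peer
    for raw in reversed(forwarded_for.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Garbage entry: fall back to the last address we can vouch for.
            return client, "garbage"
        client = hop
        if hop not in trusted:
            break
    return client, "forwarded"


# Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For value or None)
SAMPLES = [
    ("203.0.113.7", "10.0.0.1"),                # direct client sending a fake header
    ("192.0.2.10", "198.51.100.23"),            # user behind the trusted cache
    ("192.0.2.10", "1.2.3.4, 198.51.100.23"),   # user prepends a fake entry
    ("192.0.2.10", "unknown"),                  # garbage value
    ("192.0.2.10", None),                       # header absent
]

if __name__ == "__main__":
    for remote, xff in SAMPLES:
        ip, source = resolve_client_ip(remote, xff)
        print(f"{remote:<14} {str(xff):<26} -> {ip} ({source})")
```

Logging the source next to the address lets a reviewer see which poll entries rest on a forwarded header and which on the connection itself.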
