-
-
Notifications
You must be signed in to change notification settings - Fork 127
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
determine the "real" ip of a user if possible #20
Conversation
use ipware for a more sophisticated attempt at the real users source IP address make Session.ip nullable because its possible that users provide none of the required headers
Hi @mwjackson thanks for your contribution. Could you explain why the user's IP address might be unknown? AFAIK the REMOTE_ADDR is always available. And secondly, it would rather not depend on external dependencies. However django-ipware looks nice, it should be optional. Not in the sense of adding configuration or something, but something like:
Offcourse, this would also require a small addendum to the documentation. Thanks! |
Hey there, Its not so much that REMOTE_ADDR isn't available, but that it can be misleading when behind corporate firewalls, proxies etc. Good idea to make it optional, I'll amend and re-submit. |
Another issue with |
Of course, there is no reliable way to determine an IP address using The point of ip-ware is to make a better guess than just using 1 header. So
|
I don't think one could "just as easily" spoof one's IP address. Once you're doing that, you can only send, but not receive. You would have no way of knowing your Django's session ID, other than receiving. In order to receive, the webserver must know your real IP address. Setting a header is rather straight-forward, and blind-sightedly relying on them is certainly not good. Come to think of it, looking up the user's IP address is highly dependent on your installation. Is there some proxy modifying the request? So, which header / environment variable will it use? The way django-ipware works is that it'll just grab anything from the request, regardless of it being provided by the user or the proxy. I'm inclined to reject this proposal and instead solely rely on REMOTE_ADDR instead. This wouldn't mean that looking up other headers is possible at all. Just include a middleware that sets REMOTE_ADDR to the designated header. In the case you don't care which header is used (strongly discouraged), write a middleware that uses django-ipware. |
use ipware for a more sophisticated attempt at the real users source IP address
make Session.ip nullable because its possible that users provide none of the required headers