Getting the client IP address: REMOTE_ADDR, HTTP_X_FORWARDED_FOR, what else could be useful


I understand it's a standard practice to look at both these variables. Of course they can easily be spoofed. I'm curious how often can you expect these values (especially the HTTP_X_FORWARDED_FOR) to contain genuine information and not just be scrambled or have their values stripped away?

Anyone with the experience or statistics on this stuff?

Is there anything else that can be useful for the task of getting the client's IP address?

Best Solution

In addition to REMOTE_ADDR and HTTP_X_FORWARDED_FOR there are some other headers that can be set such as:

  • HTTP_X_FORWARDED_FOR can be comma delimited list of IPs

I found the code on the following site useful: