I am using the following source code to get a client IP address:

    Public Shared Function GetIPAddress() As String
        Dim context As System.Web.HttpContext = System.Web.HttpContext.Current
        ' Value of the X-Forwarded-For request header, if one was sent
        Dim sIPAddress As String = context.Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        If String.IsNullOrEmpty(sIPAddress) Then
            ' No header: fall back to the address of the TCP peer
            Return context.Request.ServerVariables("REMOTE_ADDR")
        Else
            ' Header present: return the first (left-most) entry of the comma-separated list
            Dim ipArray As String() = sIPAddress.Split(New [Char]() {","c})
            Return ipArray(0)
        End If
    End Function

But I have found that HTTP_X_FORWARDED_FOR can be easily spoofed using the X-FORWARDED-FOR HTTP header. Is that correct? Can REMOTE_ADDR also be spoofed? If yes, then what can I rely upon from a security point of view?
Note: My only concern is with clients that receive the response, not ones that spoofed the IP at the TCP level and will not get the response.
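
One way to limit when X-Forwarded-For is honoured, as an added example that is not part of the original question: the header is read only when REMOTE_ADDR is one of your own reverse proxies, and the list is walked from the right, because each proxy appends the address it saw. The function name ResolveClientIp, the proxy addresses and the sample inputs are assumptions made for illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Net

Module ClientIpExample
    ' Assumption: addresses of the reverse proxies you operate (constructed values).
    Private ReadOnly TrustedProxies As New HashSet(Of IPAddress) From {
        IPAddress.Parse("10.0.0.5"),
        IPAddress.Parse("10.0.0.6")
    }

    ' remoteAddr:   value of REMOTE_ADDR (the TCP peer of this connection).
    ' forwardedFor: raw X-Forwarded-For header value, may be Nothing.
    Public Function ResolveClientIp(remoteAddr As String, forwardedFor As String) As String
        Dim peer As IPAddress = Nothing
        If Not IPAddress.TryParse(remoteAddr, peer) Then Return remoteAddr

        ' Peer is not one of our proxies: the header was written by the
        ' client itself, so it is ignored and the TCP peer is returned.
        If Not TrustedProxies.Contains(peer) OrElse String.IsNullOrEmpty(forwardedFor) Then
            Return peer.ToString()
        End If

        ' Walk right to left and stop at the first hop that is not ours.
        ' Entries to the left of that hop were supplied by the client.
        Dim hops As String() = forwardedFor.Split(","c)
        For i As Integer = hops.Length - 1 To 0 Step -1
            Dim hop As IPAddress = Nothing
            If Not IPAddress.TryParse(hops(i).Trim(), hop) Then Exit For ' malformed entry
            If Not TrustedProxies.Contains(hop) Then Return hop.ToString()
        Next

        ' Nothing usable in the header: fall back to the TCP peer.
        Return peer.ToString()
    End Function

    Sub Main()
        ' Constructed inputs (documentation address ranges).
        ' 1) Direct client sending a forged header.
        Console.WriteLine(ResolveClientIp("203.0.113.9", "192.0.2.1"))
        ' 2) Request via a trusted proxy; the client prepended a forged entry.
        Console.WriteLine(ResolveClientIp("10.0.0.5", "192.0.2.1, 198.51.100.7"))
        ' 3) Request that passed through two trusted proxies.
        Console.WriteLine(ResolveClientIp("10.0.0.5", "198.51.100.7, 10.0.0.6"))
    End Sub
End Module
```

In an ASP.NET handler the two arguments would come from the same `REMOTE_ADDR` and `HTTP_X_FORWARDED_FOR` server variables used in the question.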