ASPFAQs.com
Your source for ASP-related frequently asked questions and answers!


4GuysFromRolla.com : ASP FAQS : The Nature of Things

Question: How can I determine the location of user by their IP, or validate the identity of a user based on his IP?

Answer: One question that is often asked on the ASPMessageboard is: "How can I determine where someone is located, by grabbing their IP, either so the page can be personalized for their state/country, or so that I can authenticate them, and make sure that they arenít giving away their username/password combo to my pay-to-use site?"

The answer is, You can (to some extent), and you can't. You can get the IP of a client requesting a page from your site using Request.ServerVariables("REMOTE_ADDR") on your page. If what you want is national, (or continental) distinction, that is fairly well mapped out.

If you want to get the countries that your users are coming from, there are several ways to do it. University of California at Berkeley maintains a database of every IP block, mapped to the countries that they have been assigned to by ARIN, RIPE, and APNIC. You can get a copy of this database, in CSV form, from http://geo-ip.com. If youíre handy with XMLHTTP, (For more information on the XMLHTTP component be sure to check out this FAQ.) you could query ARIN and co. directly, and get the information straight from the mouths, (or web sites, rather) of those who have assigned it. Cyscape, has also released, and updates on a regular basis a component, CountryHawk,
(http://www.cyscape.com/products/country/intro.asp) that will allow you to determine the country of origin of a given user, and in my opinon, is the easiest to use of any of the methods available to an ASP developer.

If you choose to use the REMOTE_ADDR server variable, you can be fairly certain that the IP that you recover accurately represents the nation of origin of that user. It is fairly uncommon for a user to be accessing the Internet from outside of the country that he is currently in, with a few notable exceptions, such as those who choose to surf though an anonymous proxy server, such as is discussed below. If, however, you want to get the state that a user is coming from, or authenticate the identity of a user, you're out of luck as far as any even remotely reliable method is concerned.

You see, IPs are assigned to users in a variety of different ways, and not all of these ways indicate the originating location of that user, or who the actual end user is. Many computers, particularly those that are networked, do not access the Internet directly. They use an intermediary, known as a proxy server. Say for instance, you have two workstations, with IPs of 192.168.0.2, and 192.168.0.3, and a proxy server with an IP of 211.58.61.10. If user 192.168.0.2 were to request a webpage, say, www.yoursite.com, that request will go to the proxy server, which will, in turn, query www.yoursite.com. Then, yoursite.com will get the page request from the proxy server (211.58.61.10) and will send the page back to that address, which will then determine that the page should be sent to 192.168.0.2. If 192.168.0.3 were to request that same page, the same sequence will occur. Yoursite.com will still get the page request from 211.58.61.10, (the proxy server IP) and then the proxy server, after again receiving the page from your server, will determine that this time, the contents of that page need to be delivered back to 192.168.0.3.

Even if you could see the originating machines, (though you now see that in this situation you canít) it would be useless, because most users in this sort of a scenario donít have a unique IP, if any IP at all! Because there are only a limited number of IPs, several blocks have been set aside as non-routable, for use in internal networks, and can be used by many, many networks at once. One of the blocks is the 192.168.x.x. This means, that there are probably hundreds, if not thousands of computers at any given moment that have been assigned the address of 192.168.0.1, or 192.168.0.2! There are also many large corporate networks, (although fewer than in the past) using Novell, or other NOSíes that donít even assign IPs to the clients, but instead uses the network cardís MAC address as the unique identifier. It would be pretty hard to get the IP of a computer that doesnít even have one!

Well you say, My users aren't corporate users, they are people dialing up from home. That's well and good, but corporate users are not the only network clients that utilize this kind of setup. AOL uses the same scheme! So, if you have two clients dialing-up via their AOL accounts, one from Minnesota, and one from California, you may very well see the same IP for both of them! You are, in fact, limited to only a few thousand IPs for all of AOL's thirty-plus million users. To confound you further, they will both appear to be residents of Reston, Virginia, because that is where all of AOL's proxy servers are located.

Another proxy issue, is that of anonymous proxies. Some people, for privacy reasons, choose to access the Internet through anonymous proxy servers such as the service offered by anonymizer.com, so that their travels around the Internet cannot be tracked. Regardless of the method by which they access the internet, the only IP that you will get will be the IP of the anonymous proxy server, which will resolve to the location of that proxy server, regardless of where the client is located.

A common follow-up question, once you have learned that you can't uniquely identify users by IP is: If I can't use an IP, how can I get the MAC address, and use that to identify clients? Again: You can't. The MAC address of the originating machine is only passed to the next point in the network connection, not to the end of the chain, along with the IP. (See RFC 1180 for a more detailed look at how this works.) In fact, if the client is using a modem and a dial-up connection, he doesn't even have a MAC address. Modems don't need them, because they utilize a point-to-point connection. They only time that you could strip the client's MAC address from the packets that the server receives, would be if the client was directly connected to the server with an Ethernet cross-over cable. You could also, most likely resolve an IP to a MAC address on a shared Ethernet LAN, but not on the Internet, via ASP.

To sum up, ASP, and in fact, the Internet itself are simply not designed to be able to provide absolute identification of users. If you really need to know the location of your users, the best way is ask them. I promise. If this way is good enough for the big boys, like MSNBC.com and CNN.com, it'll be good enough for your site.

Happy Programming!

FAQ posted by Xander Sherry at 1/8/2002 11:37:08 AM to the The Nature of Things category. This FAQ has been viewed 72,898 times.


Copyright 2014 QuinStreet Inc. All Rights Reserved.
Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers