aspnet_Membership IP address - asp.net

Is there a way to add an "IP Address" field in aspnet_Users, and then control it when a user tries to log in?

There is a Comment property on the MembershipUser object. You can use it to do whatever you want (it is a string).
http://msdn.microsoft.com/en-us/library/system.web.security.membershipuser.comment.aspx

I have not heard of anyone doing this. Probably with good reason because it doesn't sound like a good idea for a web application.
Consider: many web clients have dynamically allocated IP addresses from their ISP, so their IP address changes all the time. Also, if multiple clients are using the one proxy, then you will have non-unique records for IP address.
If you want to employ IPsec then consider using the server firewall or IIS rather than a membership provider.

Related

Why is the user's IP a local one when accessing the page using the global URL?

I am logging every user's IP when they access the company's page.
There are two ways to access the page from inside the local network:
http://company/webpage
and
https://webpage.company.com
What bugs me is that even when the users use the https global IP, their accesses are still recorded in the database with their IP as 10.50.1.12 or 10.50.1.100.
Does that mean that the browser or something else is redirecting https://webpage.company.com to company/webpage? Or does that mean that I'm using a flawed method to log the user's IP?
Another way to ask my question (just to make sure I'm being clear): if I'm accessing my Internet web page from inside the LAN network, am I effectively going outside my network and then back? If not, where am I going wrong with my logging?
Code used to log user's IP:
user.LastIP = HttpContext.Current.Request.UserHostAddress;
I'm curious about this because I want to make sure the users inside the company will access the page using exclusively the LAN Network. The goal is to save bandwidth usage, which is scarce.
Edit:
Pinging the https://webpage.company.com from inside the LAN network will result in a reply from a global IP address like 194.xxx.xxx.xxx. So I'm clearly getting the user's IP wrongly. What would be the ideal way of retrieving the IP from the page accessing entity?
Access to http://company/webpage will result in a DNS lookup of the host name "company". To resolve this, DNS will need a fully qualified domain name (fqdn), so it will add a top level domain (according to the configured search list in the client). In this example, it seems fair to assume that the fqdn will be "company.com". This, in turn, may very well resolve to the same IP address as the "webpage.company.com". You can check this by using dns lookup utilities like 'nslookup' and 'dig', or simply by using 'ping company' and 'ping webpage.company.com'.
The user IP addresses you mention, 10.50.1.12 and 10.50.1.100, seem to be the local IP addresses of the client hosts. I base this assumption on the fact that these IP addresses come from the RFC 1918 address range, which is used for internal addresses. My guess is that these are the correct IP addresses, and that your logging works fine.
The user's IP address you will log from accessing 'http://company/webpage' and 'https://webpage.company.com' should in most cases be the same. You can see it this way: it doesn't matter what the target URL is, traffic is still coming from the same host, the same IP address.
In any case, you most probably don't need to worry about any traffic leaving your local network.

You can only access it from your registered IP address

I have a basic question about IP addresses. I have signed up for an online class that says "I can only access it from your registered IP address".
Does that mean I can only access it from the network I was using during my registration or I can access it anywhere from the same device?
Have to know a bit more to know how strict that rule might be.
Tentatively - yes, your IP is unique to the network you were using during registration.
However, you can generally install a VPN service and use your registration network's IP anywhere if you need to get around that limitation.

User legitimacy in wireless network

I have a big wireless network, and I would like to know if there is a mechanism for assuring users' legitimacy:
I have 10 access points in the company and all have the same WPA-PSK password. I want a mechanism for protecting users if anyone broke the wireless encryption or stole the key from a legitimate user. I want to protect them from sniffing attacks, and I want a mechanism to ban a specific user from the network: even if he has accessed the wireless network, I want him to be banned from accessing any network facility.
I can't use RADIUS servers. Does IPsec help me with my problem (preventing new attackers and stopping a specific user)?
In universities, they don't encrypt WLAN at all but use VPN for providing access. With this, intruders can only access WLAN but they can't do anything.
An enterprise WPA2 (cert based access) would probably work too, but your hardware has to support it. Search for 802.1x (it also works with wired networks if you have the right switches).

Find Remote IP using .net

I need to find the remote user's IP address using ASP.NET, and I also need clarification on whether multiple users have the same IP address.
thanks
Shakthi
Dim userIP As string = Request.UserHostAddress
Edit Caveat - the below is talking about an internet scenario. On a more limited (intranet) network, you may be able to assume a 1-1 User-IP Address mapping
Multiple users may appear to have the same IP address.
The same user may make two requests in a row from different IP addresses.
Whatever you're trying to do, using the user's IP address for anything other than logging is probably pointless.

Do all web requests contain the requestor's IP?

Am I able to depend on a requestor's IP coming through on all web requests?
I have an asp.net application and I'd like to use the IP to identify unauthenticated visitors. I don't really care if the IP is unique as long as there is something there so that I don't get an empty value.
If not I guess I would have to handle the case where the value is empty.
Or is there a better identifier than IP?
You can get this from Request.ServerVariables["REMOTE_ADDR"].
It doesn't hurt to be defensive. If you're worried about some horrible error condition where this isn't set, check for that case and deal with it accordingly.
There could be many reasons for this value not to be useful. You may only get the address of the last hop, like a load balancer or SSL decoder on the local network. It might be an ISP proxy, or some company NAT firewall.
On that note, some proxies may provide the IP for which they're forwarding traffic in an additional HTTP header, accessible via Request.ServerVariables["HTTP_X_FORWARDED_FOR"]. You might want to check this first, then fall back to Request.ServerVariables["REMOTE_ADDR"] or Request.UserHostAddress.
It's certainly not a bad idea to log these things for reference/auditing.
I believe that this value is set by your web server and there is really no way to fake it, as your response to their request wouldn't be able to get back to them if they set their IP to something else.
The only thing that you should worry about is proxies. Everyone from a proxy will get the same IP.
You'll always get an IP address, unless your web server is listening on some sort of network that is not an IP network. But the IP address won't necessarily be unique per user.
Well, web request is an http connection, which is a tcp connection and all tcp connections have two endpoints. So, it always exists. But that's about as much as you know about it. It's neither unique nor reliably accurate (with all the proxies and stuff).
Yes, every request must have an IP address, but as stated above, some ISPs use proxies, NAT or gateways which may not give you the individual's computer.
You can easily get this IP (in C#) with:
string IP = Context.Request.ServerVariables["REMOTE_ADDR"].ToString();
or in asp/vbscript with
IP = request.servervariables("REMOTE_ADDR")
IP address is not much use for identifying users. As mentioned already corporate proxies and other private networks can appear as a single IP address.
How are you authenticating users? Typically you would have them log in and then store that state in their session in your app.
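The X-Forwarded-For fallback suggested in the answers above, as an added example that is not part of the original posts: the header is supplied by the client, so it is only honoured when REMOTE_ADDR is one of your own proxies, and the list is read right to left. The class name, method names and the trusted proxy addresses are assumptions made for this sketch.

```csharp
using System;
using System.Linq;
using System.Net;

static class ClientIp
{
    // Assumption: the only hops allowed to set X-Forwarded-For (constructed values).
    static readonly string[] TrustedProxies = { "10.50.0.5/32", "127.0.0.0/8" };

    static bool InCidr(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
        byte[] addr = ip.GetAddressBytes();
        if (net.Length != addr.Length) return false;   // IPv4 vs IPv6 mismatch
        int bits = int.Parse(parts[1]);
        for (int i = 0; i < addr.Length && bits > 0; i++, bits -= 8)
        {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((addr[i] & mask) != (net[i] & mask)) return false;
        }
        return true;
    }

    static bool IsTrusted(IPAddress ip) => TrustedProxies.Any(c => InCidr(ip, c));

    // remoteAddr: REMOTE_ADDR / Request.UserHostAddress; xff: HTTP_X_FORWARDED_FOR (may be null).
    public static string Resolve(string remoteAddr, string xff)
    {
        if (!IPAddress.TryParse(remoteAddr, out IPAddress peer)) return null;
        // Header is client-supplied: honour it only when the TCP peer is our own proxy.
        if (string.IsNullOrWhiteSpace(xff) || !IsTrusted(peer)) return peer.ToString();
        // Walk right to left: each trusted proxy appended the address it saw.
        string[] hops = xff.Split(',');
        for (int i = hops.Length - 1; i >= 0; i--)
        {
            if (!IPAddress.TryParse(hops[i].Trim(), out IPAddress ip)) break; // malformed entry
            peer = ip;
            if (!IsTrusted(ip)) break;   // first untrusted hop is the best client estimate
        }
        return peer.ToString();
    }

    static void Main()   // constructed inputs
    {
        Console.WriteLine(Resolve("203.0.113.7", "10.50.1.12"));          // untrusted peer: header ignored
        Console.WriteLine(Resolve("10.50.0.5", "1.2.3.4, 198.51.100.9")); // via proxy: left-most entry not trusted
        Console.WriteLine(Resolve("10.50.0.5", null));                    // via proxy, no header
    }
}
```

The resolved value is still only suitable for logging and auditing, for the reasons given in the answers: NAT and shared proxies mean it does not identify a user.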
