Regarding a Javascript HTTP POST request? - javascript

If I have a website with a piece of JavaScript added on to the page - e.g. when a visitor clicks on a button - it sends an HTTP request to an external URL.
If the external URL (which receives this request) tries to check the IP address/host of where it came from -- would this show the visitor's IP or the original website's IP?

If the request is sent from the client side via JavaScript, it is an HTTP request sent from the user's computer.
For this reason, the host will also see the public IP address of the user's computer. In this regard, it is very similar to the user simply copying the URL into the browser's address bar or to opening it via a click on a link on the web site.
Note that the result may vary though, e.g. if the request was routed through a proxy.

Related

Why is HTTP request needed to get IP address in browser

I need to get the user's IP address from the browser. I know we can get device information from the browser with plain JS without any HTTP requests involved (OS and browser info via User-Agent), but to get the IP address you need to make an HTTP request, as your browser will attach the IP address as a header of the request so you can get it server-side or in the response of that request in the UI.
I am lacking some basic understanding and I can't see why an HTTP request is required and at what point the IP address is added as a header; if the browser doesn't know, how does the header get attached?
I believe the OSI model is the basic knowledge you are looking for.
https://en.wikipedia.org/wiki/OSI_model
An HTTP request is just the top layer of the whole network system.
The IP protocol is handled on the (Layer 4) Transport Layer and it will not arrive at the Application Layer (Layer 7).
The statement -- "your browser will attach the IP address as a header of the request" -- is wrong.
Normally the HTTP request does not carry source IP information in headers. You can view https://en.wikipedia.org/wiki/List_of_HTTP_header_fields for the normal headers.
But you are right that the server side should figure out the client's IP. How can it achieve that?
In fact HTTP is an Application Layer protocol. The topic of source IP belongs to the Internet layer.
The Internet protocol suite (TCP/IP) will solve that.
Meanwhile, it means it's impossible to get your IP directly in the browser. Moreover, sometimes it's even impossible to get your public IP address within your system.
For example, the WiFi AP normally uses DHCP to assign you a private IP only, and uses NAT to modify your packets when you send/receive a request.

Javascript: How can I force a POST request to treat the user as not authenticated

I'm using JavaScript and XmlHttpRequest to POST to another URL on the same site. Users must be authenticated to access the page where the JavaScript runs, but I need to submit the POST to the second URL as a non-authenticated user (to prevent the server from running code which is always run for authenticated users). Is there any way to submit the POST so that it appears to come from a non-authenticated user (so the server doesn't pull the user's authentication information from their session and treat them as authenticated for the POST)?
For example, is there a way to open a new session just for the POST, or to change the session ID just for the POST?
Note:
I tried to explicitly perform authorization using credentials for a non-existent user, but that didn't make any difference.
If this can be done using ajax instead of XmlHttpRequest, that's an acceptable solution.
Unfortunately this cannot be achieved in JavaScript alone, so you will have to make some changes on your server. You have two options:
Either you mark your session cookie as HttpOnly, so it won't be sent together with your request. But this will mean that all your requests are sent as an unauthenticated user.
The second option is to use a subdomain for this endpoint. Cookies are sent with XmlHttpRequests only on the same domain, to prevent cross-site scripting. So if you move the server endpoint from www.example.com/myresource to api.example.com/myresource, the cookie will not be sent.

Can http referrer or other environment variable be used to stop spam bots on IIS?

I am using ASP.NET. I have a public form that users can create new accounts on, which sends out a verification text message to the user's phone when they hit submit. I don't want spam bots sending out these text messages that cost me money by posing as users.
It is my "guess" that a spam bot or script has to screen-scrape the HTML from the page and find the JavaScript function that will send this info out via AJAX to an ASP.NET page that sends text messages out. It can't just call and execute the JavaScript in place and on my server like my JavaScript does with real users and button clicks, so instead it will execute on whatever server or computer their script is running on, insert the values it got from screen scraping and make a GET request or POST to the correct URL, and the IP address of the computer or server that the script is running on should show up as the HTTP referrer.
Is that true?
If so, then can I check the HTTP referrer variable when my ASP.NET page that will send the text message out gets invoked? I'm thinking that if spam bots work the way I think, and they are actually executing a script that mimics the JavaScript calls on the page but not due to user clicks, the script would have to be executing on another server or domain.
Is that true?
And can a script spoof the HTTP referrer variable?
The Referer header should not be used for anything whatsoever. Not only can it be spoofed by scripts (or any custom clients) as well as browsers (using browser extensions), but relying on it can also break your site for legitimate users using browsers. Some users use browser extensions to deliberately suppress the Referer header for privacy reasons, and even some proxies strip the Referer for security reasons.
See also: In what cases will HTTP_REFERER be empty

How to redirect to different domain with a cookie in Express js

I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where a user is directly logged in and redirected to another site after they log into my site.
In my routing function I'm writing the following code:
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in Chrome and saw that the cookie is not getting added on the redirected page.
I'm running the app on localhost and the site which I'm redirecting to is hosted on another server on the local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the JavaScript or server in that second page in order to be able to do that.
The cookie in your Node.js code goes on the current request/response, which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via JavaScript in the browser from a page in the same origin that the cookie belongs to, and servers can only set cookies for the particular origin in the particular request that they are processing.
#jfriend00 nice explanation.
#Kiran G you can pass a query param in the same redirect; no need to set cookies in Express, just send it in the query param as below,
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);

If i GET a site using client-side javascript, what will the site see as the requesting ip? My server or the client's?

I'm building an app where the user may occasionally make a search. I'd like to run the search through Google, but I'm unsure, in the event I have many users, whether I will hit Google's search quota. Any individual user will not make more than one or two searches a day on the app. But cumulatively, it could potentially be much more.
Will doing client-side retrieval of a Google query avoid this problem and not identify my server as the origin IP?
Yes, if you do a GET request from the client, the client's IP will be the source IP.
Since you are doing a GET from the client's side, the TCP/IP connection is being opened by the client. So it would be the client's IP that the site would see as the requesting IP. However, if you would like the site to see your IP instead, you can re-route the request via AJAX to your server, have your server do the GET, and send the results asynchronously back to the client.
