Why are there so many forwarding headers?

  • NoComment
    New Member
    • Jun 2007
    • 16

    Hi there!

    I have found that there are a lot of $_SERVER variables accessible within a PHP script, that allow "access" to the HTTP header sent by the client. According to http://www.adamek.biz/php.php, the following can be used:

    $HTTP_VIA
    $HTTP_CLIENT_IP
    $HTTP_PROXY_CONNECTION

    The above are pretty clear and I have no problems with them... but then:

    $HTTP_X_FORWARDED_FOR
    $FORWARDED_FOR
    $X_FORWARDED_FOR
    $X_HTTP_FORWARDED_FOR
    $HTTP_FORWARDED

    Now my question is, why in the world are there so many "FORWARDED" headers? Wouldn't ONE variable/header line suffice? Or were the PHP/RFC guys a bit bored and tried to come up with a nice solution to confuse innocent developers? :P

    I have googled for all of those, but opinions seem to differ on what header line should be taken into account and what header line shouldn't.

    So,
    1) Why are there so many possible headers? Are some of them obsolete?
    2) What is the difference between those headers with a 'X' and those which lack the 'X'?
    3) What is the difference between "FORWARDED_FOR" and just "FORWARDED"?

    Thanks in advance for any help!!! :)
  • pbmods
    Recognized Expert Expert
    • Apr 2007
    • 5821

    #2
    Changed thread title to better describe the problem.


    • Atli
      Recognized Expert Expert
      • Nov 2006
      • 5062

      #3
      I couldn't find any references to those constants on php.net
      If they exist, I would assume they have been deprecated and I'd advise against using them.

      You can check out a list of predefined variables here at php.net


      • NoComment
        New Member
        • Jun 2007
        • 16

        #4
        Originally posted by Atli
        I couldn't find any references to those constants on php.net
        If they exist, I would assume they have been deprecated and I'd advise against using them.

        You can check out a list of predefined variables here at php.net
        Thank you for your answer.

        I have found some additional information about them: those headers are apparently sent by some proxies (see http://www.jhurliman.org/index.php/category/php/). My guess is that the reason why they don't show up on php.net is that they are not official, yet almost every non-elite proxy is using them. So you might need them to log IPs, although they are not official.

        Here's a copy of an interesting email of probably an ISP:
        We are unable to investigate this incident because your access logs have recorded one of our network cache servers, and not the client IP.

        ntl use proxy servers to speed up browsing and reduce bandwidth costs to our upstream supplier, but we also ensure that each user's public IP address is broadcast along with the server address.

        If you are able to add the following variables to your cgi recording script or pass this information to your web host, future abuse of your network via proxy servers should correctly record the client IP.

        HTTP_CLIENT_IP
        HTTP_X_FORWARDED_FOR
        which can be found here: http://forums.invisionpower.com/lofiversion/index.php/t176021.html

        Does anyone have an idea why there are so many other, similar headers and what their meaning is?


        • Atli
          Recognized Expert Expert
          • Nov 2006
          • 5062

          #5
          Based on the links you gave us, those headers are sent by proxy servers in an attempt to forward the IP address of the original client, rather than the IP of the server itself.

          So essentially, all of those headers are meant to pass the same data, but because of a lack of standardization each proxy is using its own specific header, which is the reason why there are so many of them.

          If you want to use them in your script you will have to develop a method of finding which one of them is actually being used, if any.


          • NoComment
            New Member
            • Jun 2007
            • 16

            #6
            Okay, this sounds like a reasonable approach. I have thought something similar to that before, just wasn't sure if there was "more to it" than just lack of standardization.

            Thanks for your answer. :)


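Following up on the advice in #5 to work out which header is actually in use: every one of these headers can also be sent by the client itself, so a logging script should read only the one header its own proxy is known to set, and only when the connection really comes from that proxy. This is an added PHP example, not code from the thread; the function name `client_ip`, the trusted-proxy list and all addresses are constructed for illustration, and proxies are matched by exact address string (no CIDR ranges).

```php
<?php
/**
 * Return the client address for a request described by a $_SERVER-style array.
 * $trustedProxies: addresses of the proxies you operate (constructed values below).
 * $header: the single $_SERVER key your proxy is known to set.
 */
function client_ip(array $server, array $trustedProxies, string $header = 'HTTP_X_FORWARDED_FOR'): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Only believe the header when the TCP peer is one of our own proxies.
    if (!in_array($remote, $trustedProxies, true) || empty($server[$header])) {
        return $remote;
    }
    // The value may be a chain "client, proxy1, proxy2" where each proxy appends
    // the peer it saw. Walk from the right: the rightmost entries were written by
    // proxies we trust, anything further left is only a claim.
    foreach (array_reverse(explode(',', $server[$header])) as $hop) {
        // "Forwarded" wraps the address as for=...; the other headers carry it bare.
        if (preg_match('/(?:^|;)\s*for=([^;]+)/i', $hop, $m)) {
            $hop = $m[1];
        }
        $hop = trim($hop, " \t\"[]");
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address not written by one of our proxies
        }
    }
    return $remote;
}

// Constructed sample requests (documentation address ranges).
$proxies = ['10.0.0.5'];

// Arrives through our proxy; the leftmost entry is an unverified claim.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5',
             'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.9'];
// Connects directly and supplies the header itself; the header is ignored.
$direct = ['REMOTE_ADDR' => '203.0.113.9',
           'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
// Same proxy, configured to emit the Forwarded header instead.
$forwarded = ['REMOTE_ADDR' => '10.0.0.5',
              'HTTP_FORWARDED' => 'for=203.0.113.9;proto=http'];

echo client_ip($viaProxy, $proxies), "\n";
echo client_ip($direct, $proxies), "\n";
echo client_ip($forwarded, $proxies, 'HTTP_FORWARDED'), "\n";
```

When logging for abuse reports, record `REMOTE_ADDR` alongside the resolved address so the proxy that relayed the request can still be identified.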