
What is the reliable approach to get the end user IP address from the server side?

I use JSP on the server side and want to validate that a user must not log in from two different IP addresses. What is the method to do this validation?

And some say that the client IP address may not be obtained from the server side because of some proxies involved. Then how are Google and Facebook doing this? Will this be reliable in a production environment? Please explain. Thank you!


Then how are Google and Facebook doing it?

They are probably using the X-Forwarded-For header that a lot of proxy servers add to the request on the way through.

This is only reliable to the extent that the proxies are telling the truth.


Well, getting the IP address is as easy as using ServletRequest#getRemoteAddr()

But as you've noted already, there is no way to get this reliably - if the client is using a proxy, the connection will appear to originate at that IP address. I don't believe Facebook or Google can get around this either - which is why you can access US only features (for example, Google Voice in Gmail) by logging in via a proxy/ssh tunnel that has a US IP address.

If you just want to stop a user from logging in from two different IP addresses simultaneously, all you need to do is track what IP address their current session (if one exists) originates from and either

  • stop the second login attempt, or
  • expire the first session

I'm not sure what value there might be in preventing a login from different IP addresses at different times since that's very likely going to happen with users who are travelling around or moving from network to network.
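The two answers above (X-Forwarded-For is only as trustworthy as the proxy that wrote it; track the IP of the current session and stop the second login) combined into one sketch. This is an added example, not code from either answer: the class and method names, the proxy addresses and the sample requests are assumptions, and plain strings stand in for the values a servlet would read from ServletRequest#getRemoteAddr() and HttpServletRequest#getHeader("X-Forwarded-For").

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class SingleIpLogin {
    // Assumption: reverse proxies you operate yourself (documentation address range).
    static final Set<String> TRUSTED_PROXIES = Set.of("192.0.2.10", "192.0.2.11");
    // user -> IP address of that user's active session
    static final Map<String, String> ACTIVE = new ConcurrentHashMap<>();

    /** remoteAddr: TCP peer address; xff: raw X-Forwarded-For value, or null if absent. */
    static String clientIp(String remoteAddr, String xff) {
        // A peer that is not one of our proxies can put anything in the header: ignore it.
        if (xff == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Each proxy appends the peer it saw, so walk right to left and stop at the
        // first hop we do not operate; anything further left is client-supplied.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;
    }

    /** "Stop the second login attempt": succeeds only if no session exists from another IP. */
    static boolean tryLogin(String user, String ip) {
        return ip.equals(ACTIVE.computeIfAbsent(user, u -> ip));
    }

    /** Call on logout or session expiry, for example from an HttpSessionListener. */
    static void logout(String user) {
        ACTIVE.remove(user);
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        String viaProxy = clientIp("192.0.2.10", "203.0.113.7");
        String forgedDirect = clientIp("198.51.100.23", "203.0.113.7");
        String forgedLeft = clientIp("192.0.2.10", "10.9.9.9, 198.51.100.23");
        System.out.println(viaProxy + " " + forgedDirect + " " + forgedLeft);
        System.out.println(tryLogin("alice", viaProxy));     // first session
        System.out.println(tryLogin("alice", forgedDirect)); // same user, other IP
        logout("alice");
        System.out.println(tryLogin("alice", forgedDirect)); // after first session ended
    }
}
```

The address this returns is still only the last hop outside your own infrastructure, so a user behind a third-party proxy or VPN appears as that proxy's address.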
