Why do some web services require the client to send its IP address? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

---

This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.

Closed 9 years ago.

Improve this question

As an example, see the reference documentation for one of paypal's APIs:

http://www.paypalobjects.com/en_US/ebook/PP_NVPAPI_DeveloperGuide/Appx_fieldreference.html#2824913

The开发者_JAVA技巧 question is, why do they need it? Doesn't the server get it as part of the HTTP protocol?

UPDATE: Just realized the example I gave wasn't so good. I'm talking about instances where the client is talking directly to the web service. I'll close the question.

---

I'm not sure about PayPal specifically, but one use case for a service requiring the client's IP is that the server needs to do fraud detection (too many requests coming from the same end user), but the source IP in the packet comes from an aggregator of end user actual IPs. Perhaps the aggregator has NATted clients behind it (possibly mobile devices, who knows). The server will want the aggregator to send it the IP of its clients.

There may be other cases; this is the only one I know of.

---

They want to be able to identify the end user, usually to protect both you and them from abuse - both to detect fraud attempts (too many requests coming from the same IP) and to be able to find the culprit after the fact (in case of criminal activity, ISPs in many countries are required to reveal user information based on an IP to the investigating authorities).

Of course you could do the logging yourself, but considering the general state of security awareness on the internet, I understand that they're not trusting you to do it well enough.