How to collect the actual IP address of a user?


Article ID: 16246


Updated On:


CA Rapid App Security, CA Advanced Authentication


We have an issue that the IP address presented to the Risk servers was always the IP address of the Traffic Managers or load balancer, rather than that of the user request. How to get the user's actual IP address when the web application is behind a load balancer?


CA Risk Authentication - all versions


It is the responsibility of the web application to collect the client IP address and provide it to the CA Risk Authentication server in the evaluateRisk() API call.

Below are some approaches we can suggest for collecting it in your web application.

The end user accessing your online application might be a home user or might be accessing it from a corporate network. Users in the latter category may be "hidden" behind a proxy server. As a result, the way you collect the IP address of an end user who accesses your online application from behind a proxy differs from the way you collect it for a user who accesses it directly from home.

If the end user is accessing your application directly, then you can use the getRemoteAddr() method of the HttpServletRequest interface in your JSP. This method returns a string that contains the IP address of the client that sent the request.

If there is a load balancer or proxy in between, the web application can use the "X-Forwarded-For" header to collect the actual client IP address.

For example, below is a sample for JSP-based applications:
String client_ip = request.getHeader("X-Forwarded-For");

Note: There may be many other ways for your application to collect the end user's actual IP address.
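
An added example, not part of the original article and not CA's own code: the X-Forwarded-For header is supplied by whoever sends the request, so this helper uses it only when the connection comes from a known load balancer and otherwise falls back to getRemoteAddr(). The class name, the trusted proxy addresses and the sample requests are assumptions made for illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class ClientIpResolver {
    // Assumption: addresses of your own load balancers / traffic managers (constructed values).
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    // Syntactic check only: dotted-quad IPv4, or a loose IPv6 literal.
    private static final Pattern IP_LITERAL = Pattern.compile(
        "((25[0-5]|2[0-4]\\d|1?\\d?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1?\\d?\\d)"
        + "|(?=.*:)[0-9a-fA-F:]{2,39}");

    // remoteAddr: request.getRemoteAddr(); xff: request.getHeader("X-Forwarded-For").
    static String resolve(String remoteAddr, String xff) {
        // A peer that is not one of our proxies can put anything in the header,
        // so the header is ignored for direct connections.
        if (xff == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        // Each proxy appends the peer it saw, so walk right to left and
        // stop at the first hop that is not one of our own proxies.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!IP_LITERAL.matcher(hop).matches()) {
                return remoteAddr;   // malformed entry: fall back to the TCP peer
            }
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;           // header listed only our own proxies
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        System.out.println(resolve("198.51.100.7", null));                          // user connects directly
        System.out.println(resolve("10.0.0.5", "203.0.113.9"));                     // user behind the load balancer
        System.out.println(resolve("10.0.0.5", "1.2.3.4, 203.0.113.9, 10.0.0.6"));  // leftmost entry sent by the client
        System.out.println(resolve("198.51.100.7", "1.2.3.4"));                     // header from an untrusted peer
    }
}
```

In a JSP, call resolve(request.getRemoteAddr(), request.getHeader("X-Forwarded-For")) and use the result as the client IP address supplied with the evaluateRisk() call.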

Additional Information

Collect the IP Address of a User