Fabulous Adventures In Coding
Eric Lippert is a principal developer on the C# compiler team. Learn more about Eric.
Here's a question about client side vs. server side scripting that I got recently:
I want to get the machine name of the client the request is being made from. With ASP I can get the IP address using this code: ipaddr = Request.ServerVariables("REMOTE_ADDR") But I don’t know how to get the name of the machine. Is there something I could do from the client side?
No, the web browser client cannot determine the name of the machine for two reasons.
First, if it could then the client could be instructed to send the name of the machine to an evil server. Evil hackers would love to have an internet web page that harvested intranet machine names that they could then attack. Knowing the name of a machine is particularly useful for social engineering attacks -- if someone phoned me up claiming to be from our IT department, I'd be a lot more inclined to believe them if they knew the names of all my machines.
Second, look at it from the other way. Suppose the client magically figures out its name and sends it to the server. Why should the server trust the client? What stops an evil client from sending a bogus name to the server? Even if the client could send the name, the server can't make any decisions based on that name, so it's kind of useless.
Clients and servers should not trust each other. In the absence of authentication evidence, clients must assume that all servers are run by evil hackers and servers must assume that all clients are run by evil hackers. Once you accept that fundamental design principle then it becomes much easier to reason about client-server interactions. Think like an evil person!
Another developer who saw this question suggested running this code on the server:
name = Request.ServerVariables("REMOTE_HOST")
That's a good start but not the whole story. By default this doesn't actually give you the remote host -- it just gives you the IP address again. If you want this to actually give you the name of the remote machine then there's some additional work you have to do. Since we have the IP address then we can do a reverse DNS lookup to see if there is a friendly name associated with that address. Now the server is trusting not an arbitrarty client but rather a specific reverse DNS server.
Read this Knowledge Base article on how to configure your server to automatically do Reverse DNS lookups when the code above is called.
Note that this will make your server performance worse, and of course is not guaranteed to work if the client machine is disguising its identity via a firewall, etc.
Lalit, the code works like magic! Thanks mate!
I wanted to know it for the purpose of IT Support on our company intranet. We use the computer name for a number of things including (but not solely) VNC.
Mostly, I need to know it because my manager told me I did!
this is not working.
it returns ip address, not computer name.
Access is denied.
/super/GetUserID.asp, line 41
Access is denied
It works for me
Set oShell = CreateObject("WScript.Shell")
Set oExec = oShell.Exec("hostname")
sOutput = oExec.StdOut.ReadAll
Set oExec = Nothing
Set oShell = Nothing
getComputerName = sOutput
you know what these codes will just excute the commands on the server and not on the clients pc...
i think i'm getting the conclusion of this and that is we can't get the computer name of the client pc.
this is not working at all, if that becuase i use free hosting?
any way, what type of information can i get from machine, IP is not refernce to know who visit my site.
if thier code for that
For all of you who got " Access is denied. "
you should verify that your iis_user has permission execute cmd.exe file.
you can copy it to root directory C:\Inetpub\wwwroot and trust permission to this file to be executable
LOL - not good argument for why client names cannot be returned...
sort of silly to worry about given that they need to be inside the firewall already to exploit client names.
Worse client IPs are returned and if they are not RFC 1918 attackers do not need client hostname.
Client hostname is about as useful as RFC 1918 local IP...not useless
but easily forgone when you already have network access inside firewall & can scan
Pretty sure there is a way for client side script to return the localhost environmental variable to server (Windows/Linux/OS X) but I am not coder. I was looking for example of coding myself for a bet.