How To Obtain The Name Of The Client From The ASP Server

How To Obtain The Name Of The Client From The ASP Server

  • Comments 15

Here's a question about client side vs. server side scripting that I got recently:

I want to get the machine name of the client the request is being made from. With ASP I can get the IP address using this code: ipaddr = Request.ServerVariables("REMOTE_ADDR") But I don’t know how to get the name of the machine. Is there something I could do from the client side?

No, the web browser client cannot determine the name of the machine for two reasons.

First, if it could then the client could be instructed to send the name of the machine to an evil server. Evil hackers would love to have an internet web page that harvested intranet machine names that they could then attack. Knowing the name of a machine is particularly useful for social engineering attacks -- if someone phoned me up claiming to be from our IT department, I'd be a lot more inclined to believe them if they knew the names of all my machines.

Second, look at it from the other way.  Suppose the client magically figures out its name and sends it to the server.  Why should the server trust the client?  What stops an evil client from sending a bogus name to the server? Even if the client could send the name, the server can't make any decisions based on that name, so it's kind of useless.

Clients and servers should not trust each other.  In the absence of authentication evidence, clients must assume that all servers are run by evil hackers and servers must assume that all clients are run by evil hackers.  Once you accept that fundamental design principle then it becomes much easier to reason about client-server interactions. Think like an evil person!

Another developer who saw this question suggested running this code on the server:

name = Request.ServerVariables("REMOTE_HOST")

That's a good start but not the whole story. By default this doesn't actually give you the remote host -- it just gives you the IP address again. If you want this to actually give you the name of the remote machine then there's some additional work you have to do. Since we have the IP address then we can do a reverse DNS lookup to see if there is a friendly name associated with that address. Now the server is trusting not an arbitrarty client but rather a specific reverse DNS server.

Read this Knowledge Base article on how to configure your server to automatically do Reverse DNS lookups when the code above is called.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q245574

Note that this will make your server performance worse, and of course is not guaranteed to work if the client machine is disguising its identity via a firewall, etc.

  • In the past, I have used System.Net.Dns.GetHostByAddress(Request.ServerVariables("REMOTE_ADDR")) to retrieve the machine name for Intranet applications. In most cases, the machine name is retrieved, unless the user is connected over vpn.
  • When I hear these kind of questions I always ask them to back up another step--why do you want the machine name? Often it's because they're trying to do something that either can or should be done differently. For example, a computer name is not unique so it can't be used (at least by itself) as a unique identifier.

    So what DID he/she want it for?
  • Oh yeah:

    http://blogs.msdn.com/ericlippert/archive/2003/11/3.aspx

    The question was from one of our product support guys, who was passing along a question from a customer. I never did find out what the customer was trying to do.
  • There is a way to get the Client Computer name. Try the following codes.

    <%
    Response.Write(Request.QueryString)
    if Request.QueryString("param")= "yes" then
    Response.write "getComputerName = " & getComputerName()
    end if
    Function getComputerName()
    Dim sIP
    Dim oShell, oExec, sCommand, sOutput
    sIP = Request.ServerVariables("REMOTE_ADDR")
    ''watch for line wrap - begin
    sCommand = "%comspec% /c @echo off & for /f ""tokens=2"" %q in ('ping -n 1 -a " & sIP & "^|find /i ""pinging""') do echo %q"
    ''watch for line wrap - end
    Set oShell = CreateObject("WScript.Shell")
    Set oExec = oShell.Exec(sCommand)
    sOutput = oExec.StdOut.ReadAll
    Set oExec = Nothing
    Set oShell = Nothing
    getComputerName = sOutput
    end Function

    %>


    <html>
    <head>
    <title>Untitled Document</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <script type="text/vbscript">

    </script>
    </head>
    <body>
    <p><br>
     This is index.asp page for client computer name test </p>
    <form name="form1" method="post" action="index.asp?param=yes">
     <input type="submit" name="Submit" value="Submit">
    </form>
    <p>&nbsp; </p>
    </body>
    </html>
  • Lalit, the code works like magic! Thanks mate!

  • I wanted to know it for the purpose of IT Support on our company intranet. We use the computer name for a number of things including (but not solely) VNC.

    Mostly, I need to know it because my manager told me I did!

  • this is not working.

    it returns ip address, not computer name.

  • Lalit's code

    Error Type:

    WshShell.Exec (0x80070005)

    Access is denied.

    /super/GetUserID.asp, line 41

  • Error Type:

    WshShell.Exec (0x80070005)

    Access is denied

  • It works for me

    Function getComputerName()

    Dim oShell

    Dim oExec

    Set oShell = CreateObject("WScript.Shell")

    Set oExec = oShell.Exec("hostname")

    sOutput = oExec.StdOut.ReadAll

    Set oExec = Nothing

    Set oShell = Nothing

    getComputerName = sOutput

    end Function

  • you know what these codes will just excute the commands on the server and not on the clients pc...

    i think i'm getting the conclusion of this and that is we can't get the computer name of the client pc.

  • this is not working at all, if that becuase i use free hosting?

    any way, what type of information can i get from  machine, IP is not refernce to know who visit my site.

    if thier code for that

    thanks

  • Nice..!!!

    Work nice.

    For all of you who got " Access is denied. "

    you should verify that your iis_user has permission execute cmd.exe file.

    you can copy it to root directory C:\Inetpub\wwwroot and trust permission to this file to be executable

  • LOL - not good argument for why client names cannot be returned...

    sort of silly to worry about given that they need to be inside the firewall already to exploit client names.

    Worse client IPs are returned and if they are not RFC 1918  attackers do not need client hostname.

    Client hostname is about as useful as RFC 1918 local IP...not useless

    but easily forgone when you already have network access inside firewall & can scan

  • Pretty sure there is a way for client side script to return the localhost environmental variable to server (Windows/Linux/OS X) but I am not coder. I was looking for example of coding myself for a bet.

Page 1 of 1 (15 items)