Fabulous Adventures In Coding

Eric Lippert's Blog

How To Obtain The Name Of The Client From The ASP Server

Here's a question about client side vs. server side scripting that I got recently:

I want to get the machine name of the client the request is being made from. With ASP I can get the IP address using this code: ipaddr = Request.ServerVariables("REMOTE_ADDR") But I don’t know how to get the name of the machine. Is there something I could do from the client side?

No, the web browser client cannot determine the name of the machine for two reasons.

First, if it could then the client could be instructed to send the name of the machine to an evil server. Evil hackers would love to have an internet web page that harvested intranet machine names that they could then attack. Knowing the name of a machine is particularly useful for social engineering attacks -- if someone phoned me up claiming to be from our IT department, I'd be a lot more inclined to believe them if they knew the names of all my machines.

Second, look at it from the other way.  Suppose the client magically figures out its name and sends it to the server.  Why should the server trust the client?  What stops an evil client from sending a bogus name to the server? Even if the client could send the name, the server can't make any decisions based on that name, so it's kind of useless.

Clients and servers should not trust each other.  In the absence of authentication evidence, clients must assume that all servers are run by evil hackers and servers must assume that all clients are run by evil hackers.  Once you accept that fundamental design principle then it becomes much easier to reason about client-server interactions. Think like an evil person!

Another developer who saw this question suggested running this code on the server:

name = Request.ServerVariables("REMOTE_HOST")

That's a good start but not the whole story. By default this doesn't actually give you the remote host -- it just gives you the IP address again. If you want this to actually give you the name of the remote machine then there's some additional work you have to do. Since we have the IP address then we can do a reverse DNS lookup to see if there is a friendly name associated with that address. Now the server is trusting not an arbitrarty client but rather a specific reverse DNS server.

Read this Knowledge Base article on how to configure your server to automatically do Reverse DNS lookups when the code above is called.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q245574

Note that this will make your server performance worse, and of course is not guaranteed to work if the client machine is disguising its identity via a firewall, etc.

Published Monday, May 09, 2005 12:18 PM by Eric Lippert

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

Rob said:

In the past, I have used System.Net.Dns.GetHostByAddress(Request.ServerVariables("REMOTE_ADDR")) to retrieve the machine name for Intranet applications. In most cases, the machine name is retrieved, unless the user is connected over vpn.
May 9, 2005 1:17 PM
 

Dave said:

When I hear these kind of questions I always ask them to back up another step--why do you want the machine name? Often it's because they're trying to do something that either can or should be done differently. For example, a computer name is not unique so it can't be used (at least by itself) as a unique identifier.

So what DID he/she want it for?
May 9, 2005 4:04 PM
 

Eric Lippert said:

Oh yeah:

http://blogs.msdn.com/ericlippert/archive/2003/11/3.aspx

The question was from one of our product support guys, who was passing along a question from a customer. I never did find out what the customer was trying to do.
May 9, 2005 10:09 PM
 

Lalit Mohan said:

There is a way to get the Client Computer name. Try the following codes.

<%
Response.Write(Request.QueryString)
if Request.QueryString("param")= "yes" then
Response.write "getComputerName = " & getComputerName()
end if
Function getComputerName()
Dim sIP
Dim oShell, oExec, sCommand, sOutput
sIP = Request.ServerVariables("REMOTE_ADDR")
''watch for line wrap - begin
sCommand = "%comspec% /c @echo off & for /f ""tokens=2"" %q in ('ping -n 1 -a " & sIP & "^|find /i ""pinging""') do echo %q"
''watch for line wrap - end
Set oShell = CreateObject("WScript.Shell")
Set oExec = oShell.Exec(sCommand)
sOutput = oExec.StdOut.ReadAll
Set oExec = Nothing
Set oShell = Nothing
getComputerName = sOutput
end Function

%>


<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/vbscript">

</script>
</head>
<body>
<p><br>
 This is index.asp page for client computer name test </p>
<form name="form1" method="post" action="index.asp?param=yes">
 <input type="submit" name="Submit" value="Submit">
</form>
<p>&nbsp; </p>
</body>
</html>
July 20, 2006 1:56 PM
 

Darkz said:

Lalit, the code works like magic! Thanks mate!

December 28, 2006 8:22 PM
 

GDS said:

I wanted to know it for the purpose of IT Support on our company intranet. We use the computer name for a number of things including (but not solely) VNC.

Mostly, I need to know it because my manager told me I did!

February 22, 2007 6:16 AM
 

Rams said:

this is not working.

it returns ip address, not computer name.

March 9, 2007 4:48 PM
 

isomer said:

Lalit's code

Error Type:

WshShell.Exec (0x80070005)

Access is denied.

/super/GetUserID.asp, line 41

May 2, 2007 10:13 AM
 

NASA said:

Error Type:

WshShell.Exec (0x80070005)

Access is denied

June 5, 2007 4:49 AM
 

Roger said:

It works for me

Function getComputerName()

Dim oShell

Dim oExec

Set oShell = CreateObject("WScript.Shell")

Set oExec = oShell.Exec("hostname")

sOutput = oExec.StdOut.ReadAll

Set oExec = Nothing

Set oShell = Nothing

getComputerName = sOutput

end Function

June 20, 2007 12:28 PM
 

Gelo said:

you know what these codes will just excute the commands on the server and not on the clients pc...

i think i'm getting the conclusion of this and that is we can't get the computer name of the client pc.

June 29, 2007 1:04 AM
 

zuhair said:

this is not working at all, if that becuase i use free hosting?

any way, what type of information can i get from  machine, IP is not refernce to know who visit my site.

if thier code for that

thanks

October 4, 2007 6:31 PM
 

Alon said:

Nice..!!!

Work nice.

For all of you who got " Access is denied. "

you should verify that your iis_user has permission execute cmd.exe file.

you can copy it to root directory C:\Inetpub\wwwroot and trust permission to this file to be executable

February 9, 2009 11:34 AM
 

WellDuh said:

LOL - not good argument for why client names cannot be returned...

sort of silly to worry about given that they need to be inside the firewall already to exploit client names.

Worse client IPs are returned and if they are not RFC 1918  attackers do not need client hostname.

Client hostname is about as useful as RFC 1918 local IP...not useless

but easily forgone when you already have network access inside firewall & can scan

March 1, 2009 5:09 PM
 

WellDuh said:

Pretty sure there is a way for client side script to return the localhost environmental variable to server (Windows/Linux/OS X) but I am not coder. I was looking for example of coding myself for a bet.

March 1, 2009 5:13 PM

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required
Submit

About Eric Lippert

Eric Lippert is a senior developer on the Microsoft C# compiler team. Before that he worked on the framework of Visual Studio Tools For Office. Before that, he worked on the compilers, runtimes and tools for VBScript, JScript, Windows Script Host and other Microsoft Scripting technologies. He lives in Seattle and spends his free time editing books about programming languages, playing the piano, and trying to keep his tiny sailboat upright in Puget Sound.

This Blog

Syndication

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Microsoft
Page view tracker