[MSHOP-136] Store real customer IP address in shopping carts Created: 17/Apr/14  Updated: 16/Mar/23  Resolved: 16/Mar/23

Status: Closed
Project: Magnolia Shop (closed)
Component/s: None
Affects Version/s: 1.1.4
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Edgar Vonk Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screen Shot 2014-04-17 at 10.58.52.png    
Template:
Patch included:
Yes
Acceptance criteria:
Empty

 Description   

In the current Worldsteel Shop Module the stored shopping carts do not include the real customer IP address for our (and most) real-world production environments. See screenshot.

The reason is that the module uses HttpServletRequest#remoteAddr() to get the IP address and in any real-world hosting environment this is typically not the customer's external IP address but rather an internal server's IP address. In our case it is always 127.0.0.1.

The real customer IP address (or actually: a comma-separated list of IP addresses) is commonly stored by infrastructure components such as load balancers in the X-Forwarded-For HTTP request header. In order to use this header, if available, I suggest replacing the following code in SaveAndConfirmFormProcessor#internalProcess:

cart.setUserIP(request.getRemoteAddr() + ":" + request.getRemotePort());

by:

        String userIPAddress;
        // note: in most hosting environments HttpServletRequest#getRemoteAddr() gives the internal IP address of the request
        // (e.g. 127.0.0.1) and not the external IP address of the user.
        // The user's external IP address is commonly placed in the X-Forwarded-For HTTP request header so check for that.
        String xForwardForHeader = request.getHeader("X-Forwarded-For");
        if (null != xForwardForHeader) {
            userIPAddress = xForwardForHeader;
        } else {
            userIPAddress = request.getRemoteAddr();
        }
        cart.setUserIP(userIPAddress + ":" + request.getRemotePort());

Do you agree? And if so, could you add it to the code base?

In our project we could override the SaveAndConfirmFormProcessor#internalProcess and implement this ourselves but I would rather not because it is a complex method. Besides, this addition would benefit all users I think.

Do note that this is a little hard to test because for a real test you need an environment where the X-Forwarded-For header is actually set.
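
An added example, not part of the original issue or of the Magnolia Shop code base: any client can send its own X-Forwarded-For value, so this resolver uses the header only when the connection comes from a known proxy and returns the right-most address that is not one of those proxies. The class name, the `trustedProxies` set and the sample addresses are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not Magnolia Shop code): trust X-Forwarded-For only behind known proxies.
public final class ClientIpResolver {
    // Dotted-quad IPv4, each octet 0-255.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");
    // Character pre-filter for IPv6 so that a host name never reaches the resolver.
    private static final Pattern IPV6_CHARS = Pattern.compile("^[0-9A-Fa-f:][0-9A-Fa-f:.]{1,44}$");

    static boolean isIpLiteral(String s) {
        if (IPV4.matcher(s).matches()) return true;
        if (!s.contains(":") || !IPV6_CHARS.matcher(s).matches()) return false;
        try {
            InetAddress.getByName(s); // input is literal-shaped, so this parses, not resolves
            return true;
        } catch (UnknownHostException e) {
            return false;
        }
    }

    // remoteAddr: HttpServletRequest#getRemoteAddr(); xForwardedFor: header value or null;
    // trustedProxies: hypothetical configuration listing our own proxy addresses.
    public static String resolve(String remoteAddr, String xForwardedFor, Set<String> trustedProxies) {
        // A peer that is not one of our proxies can send any header value: ignore it.
        if (xForwardedFor == null || !trustedProxies.contains(remoteAddr)) return remoteAddr;
        String[] hops = xForwardedFor.split(",");
        // Each proxy appends the peer it saw, so walk from the right and stop at the first
        // hop that is not our own infrastructure; anything further left is client-supplied.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!isIpLiteral(hop)) return remoteAddr; // malformed chain: fall back
            if (!trustedProxies.contains(hop)) return hop;
        }
        return remoteAddr; // header listed only our own proxies
    }

    public static void main(String[] args) {
        Set<String> proxies = Set.of("127.0.0.1", "10.0.0.5"); // constructed sample values
        // Client forged "1.2.3.4"; the proxies appended the peers they actually saw.
        System.out.println(resolve("127.0.0.1", "1.2.3.4, 203.0.113.7, 10.0.0.5", proxies));
        // Direct connection from an unknown peer: the header is ignored.
        System.out.println(resolve("198.51.100.9", "1.2.3.4", proxies));
    }
}
```

When the request arrives through a proxy, the value of `request.getRemotePort()` is the port of the proxy's connection, not the customer's, so it does not belong next to an address taken from the header.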



 Comments   
Comment by Adam Jones [ 16/Mar/23 ]

Closing due to project being archived.

Generated at Mon Feb 12 07:09:40 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.