requestip does not work

RichardWatson · ‎10-20-2013

I have an application that uses ArcGIS Online programmatically. This means that it needs to generate tokens. There are 2 ways that I do that. The first way is using OAuth2 when I have the ability to interact with the user. The second way is provide the username and password myself and I use this technique when doing integration testing.

Last week, I noticed that one of my tests was failing. The failure occurred when ArcGIS Online returned an error message that my token was invalid. That made no sense to me because there is no way that it could have expired because it was generated when the test started. Using Fiddler, I finally figured out that the failure occurs when the server responding to the request changes. You can see that by looking at the request properties (via the context menu). That was insightful. I believe that the problem was that the other server did not believe that the sender was correct.

When I generated the token, I told ArcGIS Online that the referer was "requestip". That meant that it was supposed to figure out my IP address. The token worked fine so long as the responding server did not change. In this case I was polling using a status request waiting for some asynchronous action to complete.

The way that I resolved this problem was to abandon using requestip and used some random website URL as the referer. I have a centralized class that creates an HttpClient for me so now it generates one that always has this information in the header.

The bottom line here is that you should not use requestip in conjunction with ArcGIS Online.

nicogis · ‎10-21-2013

Hi Richard, are you sure that see IP correct? Peraphs in request token arcgisonline see an IP and in check token see another ip.

RichardWatson · ‎10-21-2013

I do know that my IP address is private, i.e. not fixed but privately assigned, as would be the case for most of the world.

Here is an example of the FLAGS, as seen by Fiddler, used when communicating with ArcGIS Online:

SESSION STATE: Done.
Response Entity Size: 8482 bytes.

== FLAGS ==================
BitFlags: [ClientPipeReused, ServerPipeReused, LoadedFromSAZ] 0x218
X-EGRESSPORT: 50266
X-RESPONSEBODYTRANSFERLENGTH: 8482
X-CLIENTPORT: 50265
X-CLIENTIP: 127.0.0.1
X-SERVERSOCKET: REUSE ServerPipe#6
X-HOSTIP: 50.19.238.218
X-PROCESSINFO: arcmap:9028
UI-COMMENTS: [#10]

I believe that this says that my address is 127.0.0.1 (which I believe is localhost/loopback) and that the server address is 50.19.238.218.

requestip should get my IP address, which is typically not very unique because of the above. What I don't understand is why one server would see one thing and another see something different. Perhaps ESRI is also looking at other information if the address is the loopback address?

nicogis · ‎10-21-2013

see this http://stackoverflow.com/questions/9726576/system-web-httpcontext-current-request-userhostaddress

RichardWatson · ‎10-21-2013

Domenico,

Thanks for the reply.

I suspect that I missing the point that you are making here. I do understand that there are a number of 'tricks' that developers use in order to try and find the real IP address of the client. I think that the additional security checks by ArcGIS are actually not very useful because any request can send anything so it is not very difficult to lie.

In my case, I simply told ArcGIS Online to use my IP address. That worked until the server (which is part of ArcGIS Online and not an on premise server) changed (which is beyond my control). This seems to tell me that you cannot reliably use requestip in conjunction with ArcGIS Online.

Do you agree or am I missing something here?