Best way to detect client location country on indy http server
#1
Hi,
I am working on an app that will work on desktop and mobile. I want to limit the access for users to a certain country for example "Egypt". Now, what is the most secure way to do so? The service will use tokens and HTTPS and everything else that will secure it. But what I am asking is which one of the following is best:

1- Get the location on client side and send the lat, lang or country code like "EG" in an http header.
2- Detect the location on server side only on logins via client IPs (I don't know how to do this? I believe there is a service that can get you the location from IP, but I know that IP addresses sent to server are not the real ones and I don't know if they really point to the client location or not)
3- Let's say Option 2 is the correct way, should I validate the location with each request or just at login as I said?
Thanks in advance, any help will be appreciated.
#2
IP address is the most reliable but users can use VPNs to hide their locations.
#3
(01-17-2021, 02:41 PM)Ahmed Sayed Wrote: I want to limit the access for users to a certain country for example "Egypt".

You won't be able to do that, not reliably anyway.

(01-17-2021, 02:41 PM)Ahmed Sayed Wrote: Now what is the most secure way to do so

There isn't one.

(01-17-2021, 02:41 PM)Ahmed Sayed Wrote: But what I am asking is which one of the following is best:

None of them.

(01-17-2021, 02:41 PM)Ahmed Sayed Wrote: 1- Get the location on client side and send the lat, lang or country code like "EG" in an http header.

That would allow malicious clients to lie about their location. It also would not work for legitimate clients that use GPSs that report faulty locations (I've seen cases where my own phone's GPS reported my location clear across town from where I really was - GPS is decent most of the time, but it is not infallible).

(01-17-2021, 02:41 PM)Ahmed Sayed Wrote: 2- Detect the location on server side only on logins via client IPs (I don't know how to do this? I believe there is a service that can get you the location from IP, but I know that IP addresses sent to server are not the real ones and I don't know if they really point to the client location or not)

Yes, there are services that can approximate geographical location based on IP. But, if a client connects to your server via a VPN/proxy, the IP will not belong to the client, and so you won't be able to get a reliable location from the IP alone.

(01-17-2021, 02:41 PM)Ahmed Sayed Wrote: 3- Let's say Option 2 is the correct way, should I validate the location with each request or just at login as I said?

HTTP is a stateless protocol. The TCP connection may be dropped in between multiple requests from the same client. It is not ideal, but it is possible. So, your server would have to be prepared to re-validate the location on every single request. What you could do is validate the location on a new connection/login, and then cache the result in a session-only cookie. If a subsequent request does not include that cookie, re-validate and issue an updated cookie. Invalidate the cookie when the session is finished. But there is no guarantee that a client will send back the cookie, so again you are back to having to be prepared to re-validate on every single request.

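The validate-then-cache flow described in post #3, as an added example that is not part of the thread and is written in Python rather than Indy to show only the logic. The cached result is HMAC-signed and bound to the connection's peer IP so a client cannot forge it the way it could forge a country header. `GEO_TABLE`, `SECRET`, `TTL` and all function names are assumptions, and the IP ranges are constructed documentation addresses standing in for a real GeoIP database.

```python
import hashlib, hmac, ipaddress, time

# Constructed sample data: documentation ranges standing in for a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "EG",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}
ALLOWED = {"EG"}
SECRET = b"demo-key-change-me"  # assumption: random per-deployment key, server-side only
TTL = 900                       # assumption: seconds a cached decision stays valid

def lookup_country(ip):
    """Map the TCP peer address (never a client-supplied header) to a country."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None

def _sign(ip, cc, exp):
    msg = f"{ip}|{cc}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_cookie(ip, cc, now):
    exp = int(now) + TTL
    return f"{cc}|{exp}|{_sign(ip, cc, exp)}"

def cookie_valid(cookie, ip, now):
    """True only for an unexpired cookie this server signed for this peer IP."""
    try:
        cc, exp, mac = cookie.split("|")
        exp = int(exp)
    except (AttributeError, ValueError):  # missing or malformed cookie
        return False
    ok = hmac.compare_digest(mac.encode(), _sign(ip, cc, exp).encode())
    return ok and exp > now and cc in ALLOWED

def handle_request(peer_ip, cookie=None, now=None):
    """Return (http_status, cookie_to_set_or_None) for one request."""
    now = time.time() if now is None else now
    if cookie_valid(cookie, peer_ip, now):
        return 200, None                  # cached decision still good
    cc = lookup_country(peer_ip)          # absent, forged or expired: re-validate
    if cc in ALLOWED:
        return 200, issue_cookie(peer_ip, cc, now)
    return 403, None
```
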