I hit a small gotcha this evening. A visitor to Developer Fusion reported that they couldn’t gain access to the site at all, because our IP address detection logic was failing. We were checking the “HTTP_X_FORWARDED_FOR” header for an IP address, before falling back to REMOTE_ADDR, turning the IP into a long integer, and doing an IP-to-country lookup in our database. Which seemed safe enough!
As it turns out, HTTP_X_FORWARDED_FOR can sometimes have a comma delimited list of IP addresses – so what we actually needed to be doing was take the last IP address in that list, before doing our conversion to an integer.
Thanks go out to Francois Botha, one of our visitors, for helping me track down this issue!