Magento2: "x_forwarded_for" value is always empty in Order object.

Created on 28 Oct 2016 · 8Comments · Source: magento/magento2

Developer branch used

Preconditions

This scenario i quiet difficult to reproduce since $_SERVER['HTTP_X_FORWARDED_FOR'] must be available.

Steps to reproduce

Place any order

Expected result

"x_forwarded_for" field must contain that value from $_SERVER['HTTP_X_FORWARDED_FOR']

Actual result

"x_forwarded_for" field is always empty

Thoughts

I've tried to find out why it happens.
I found that this field is never set directly to order. It could be copied from quote during conversion quote to order. However quote does't have such field in DB. The field is set to quote each time the quote is got from checkout session.
https://github.com/magento/magento2/blob/develop/app/code/Magento/Checkout/Model/Session.php#L280
But on order placement process quote is got not from session but from DB.
https://github.com/magento/magento2/blob/develop/app/code/Magento/Quote/Model/QuoteManagement.php#L325

Checkout distributed-cd Fixed in 2.3.x Clear Description Confirmed Format is valid Ready for Work Reproduced on 2.2.x Reproduced on 2.3.x bug report up for grabs

Source

ytorbyk

All 8 comments

@ytorbyk thank you for your report.
Please, update formatting of this issue as it is hard to read now.
Please, also identify which version of Magento you are running.

veloraven on 31 Oct 2016

@veloraven I apologize for the issue format. It's already updated.

ytorbyk on 31 Oct 2016

I guess #8203 is a duplicate of this. For some reason I didn't come up with this issue when I did a search initially. I diagnosed basically the same reasons for the problem and possible fixes. However there's also some incompatibilities with IPv6 addresses that should be addressed.

Silarn on 13 Feb 2017

Did anything ever come of this bug report?

zack6849 on 11 Apr 2017

👍1

@ytorbyk, thank you for your report.
We've acknowledged the issue and added to our backlog.

magento-engcom-team on 7 Mar 2018

For those of you who want to see their customer's actual IP addresses, as opposed to 127.0.0.1, and don't want to wait for Magento to fix this rather critical piece to help identify fraudulent orders, there is a simple solution:

https://dev98.de/2017/01/02/how-to-add-alternative-http-headers-to-magento-2/

jaywilliams on 9 Jan 2019

👍1

Hi @cmuench. Thank you for working on this issue.
Looks like this issue is already verified and confirmed. But if you want to validate it one more time, please, go though the following instruction:

[x] 1. Add/Edit Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

[x] 2. Verify that the issue is reproducible on 2.3-develop branch
Details
- Add the comment @magento-engcom-team give me 2.3-develop instance to deploy test instance on Magento infrastructure.
- If the issue is reproducible on 2.3-develop branch, please, add the label Reproduced on 2.3.x.
- If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and _stop verification process here_!
[x] 3. Verify that the issue is reproducible on 2.2-develop branch.
Details
- Add the comment @magento-engcom-team give me 2.2-develop instance to deploy test instance on Magento infrastructure.
- If the issue is reproducible on 2.2-develop branch, please add the label Reproduced on 2.2.x
[ ] 4. If the issue is not relevant or is not reproducible any more, feel free to close it.