I need help with IP tracking when documents are viewed through Google’s document viewer. Right now I’m comparing user IP addresses stored in my database with their current IP when they access files. The problem is that when someone views a document through Google’s viewer, I get Google’s server IP instead of the actual user’s IP address. This makes it impossible to verify if the same person is accessing the file. Has anyone found a way to get the real user IP in this situation? I’m trying to add security to prevent unauthorized file access.
Indeed, this is a common challenge with the Google document viewer since it acts as an intermediary, showing the IP of its servers instead of the user. I faced a similar issue previously while developing a secure document sharing system. My solution was to switch from IP tracking to session management. By utilizing temporary signed URLs linked to user sessions, I enhanced security without leaning on unreliable IP addresses. Also, while it’s possible to capture the user’s IP via JavaScript before directing them to the viewer, it requires altering your existing flow. Additionally, do consider that reliance on IP addresses is often fraught with issues such as NAT and dynamic assignments. Exploring methods like document watermarking could further safeguard your files.
Google’s document viewer acts as a proxy, which completely breaks IP-based authentication. I ran into this at my company and we had to ditch IP verification entirely for documents accessed through the viewer. What worked for me was using time-limited tokens that expire after a set time, plus user agent fingerprinting for extra validation. You could also serve documents directly from your app instead of using Google’s viewer, but then you’re stuck handling multiple file formats yourself. Another approach is only using Google viewer for less sensitive docs while keeping direct downloads with IP verification for the important stuff. Bottom line - any proxy-based viewer will give you this same headache.
Yeah, Google viewer’s IP limitation is super annoying. I got around it by combining multiple checks instead of relying on IP alone. Now I track browser fingerprints and session tokens together. I also added a JS snippet that grabs the real user IP before the viewer redirect, then cross-reference everything later. Not foolproof, but way better than before.
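The short-lived signed URL tied to a user session that the replies above suggest, sketched as an added example that is not code from any poster in this thread. It relies on the fact that the viewer fetches the file from its own servers without the user's cookies or IP, so the URL itself has to carry the authorization. The function names, the 120-second lifetime, the `session_ref` handle and the `active_sessions` lookup are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: in a real deployment this key is loaded from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 120  # seconds; just long enough for the viewer to fetch the file


def _sign(doc_id, session_ref, expires):
    # JSON-encode the fields so "a|b" + "c" can never collide with "a" + "b|c".
    payload = json.dumps([doc_id, session_ref, expires]).encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_token(doc_id, session_ref, now=None):
    """Call while the real user is authenticated, before handing off to the viewer.

    session_ref is a non-secret per-session handle (hypothetical), never the
    session cookie value, because the token ends up in a URL a third party sees.
    """
    now = time.time() if now is None else now
    expires = int(now + TOKEN_TTL)
    return f"{session_ref}.{expires}.{_sign(doc_id, session_ref, expires)}"


def verify_token(token, doc_id, active_sessions, now=None):
    """Check a token on the file-serving endpoint; the caller's IP is ignored."""
    now = time.time() if now is None else now
    try:
        session_ref, expires_s, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False  # wrong number of fields or non-numeric expiry
    expected = _sign(doc_id, session_ref, expires)
    # Constant-time comparison; also binds the token to this doc_id.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    if now > expires:
        return False
    # Logging out or revoking the session invalidates outstanding links.
    return session_ref in active_sessions
```

The token goes in the query string of the file URL passed to the viewer, and the download endpoint calls `verify_token` with the requested document id and the set of live session handles.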