views: 120
answers: 6

I need to make sure that every user accessing my web application can do that from one machine only, so 100 users would mean 100 machines. What would be the best solution? Is detecting and storing the IP during first login a good idea? I think the IP might change even during the lifetime of the session, is that right? I was also thinking of storing a cookie when the user first logs in, then assigning this cookie to the user, same as I do with the password and username already, and every time the application is accessed checking for the presence of that cookie.

Please let me know what in your opinion would be the best solution. My backend is php/mysql if that matters.

EDIT: I need to clarify... This is in addition to normal session management. I need to restrict users so they can log in to the web application from one specific machine only. So if a user originally logged in from his computer at work and I stored its IP/cookie/etc., then the client logs out (or even doesn't), goes home and tries to log in, he won't be able to do that. I agree it's a horrible idea but the client insists :)

+1  A: 

Don't do that. Many people will access your website from multiple computers, and they will complain if you block them.

mcandre
Yes, why in the heck would you do this...??
Zak
I think sometimes, even if you don't agree with what they're asking for, you've got to assume there are reasons. In this case, it's stated that it's a Client's request (via an edit). The question isn't whether or not they should, it's how they could do it. Plus, it's an interesting one to think about. It defies the very concept of web based applications in some regards (defying the distributed nature by restricting individual users to individual machines) but it at least could be an interesting challenge.
Brendan Bullen
If a client asked how best to jump off a bridge, should I post "using your feet?"
mcandre
There's a difference between a discussion with a Client and a developer simply relaying a Client's wishes. If a Client is hell-bent on doing something crazy and is paying the developer to do it, why shouldn't he reach out and ask "How?"
Brendan Bullen
Asking questions here is part of my research so I could explain to the client all possible implications. As I said, I agree it's a horrible idea but "don't do that" is very unlikely to help my cause. Also I see no reason why a client would ever ask me how to best jump off the bridge.
spirytus
Haha! No, of course they wouldn't--if they understood how restricting access to one machine is like jumping off a bridge.
mcandre
+4  A: 

IP address might change in the case of mobile clients, or clients that switch between wired and wireless networks. Your best bet would probably be to provide a randomly-generated UID to each client when it first connects (if it doesn't already have the cookie). Then you can check that the same username isn't connecting using two different UIDs.

The trick is that you need to make sure to time this UID out, so that if the user goes to another computer they aren't locked out. Perhaps one change to the UID is okay, but they can't go back to a UID that's already been used?

Curtis
+1: Only way to know is by checking to see if the user is already logged in.
OMG Ponies
A: 

The best solution is already built into the web server, depending on which one you are using. That's what Sessions are for. In ASP.NET/IIS, there is usually a 20 minute per-session timeout.

So if a user uses another computer to access your web application, then the session timeout will release the connection from the machine that is idle.

UPDATE

You might want to consider restricting user by the MAC Address of their machines which are unique.

SoftwareGeek
MAC addresses are NOT sent to the server by the browser
sri
They're also not guaranteed to be unique. I've seen some old SUN boxes that let you set the MAC by DIP switch, of all things.
Curtis
Ok, you can use ActiveX for IE or develop a plugin for other browsers like firefox/safari/chrome that could read MAC addresses.
SoftwareGeek
A: 

Unfortunately, an IP is not machine-specific for multiple reasons:

  1. The IP address could change during the session, with no notice (the user might not even be aware of it)
  2. Most users have dynamic IP, so it most definitely will change at some point
  3. For machines such as a laptop, tablet or cell phone, the IP address is based on the current service provider
  4. All users behind a proxy would appear to you as a single IP, so you still wouldn't be able to detect if they moved from one machine to another

Instead, generate some kind of unique key for the session and track it in combination with the user name. Prevent them from logging in if the same user name is already in another active session. (You'll also want some way to automatically flush these, just in case you lose the session-end event.)

GalacticCowboy
This could be an internally based application. If it's a system running on a single domain, the IPs will be more predictable but still not unique (depending on the lease the IPs get).
Brendan Bullen
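The two answers above suggest the same shape of solution: Curtis's randomly generated per-browser UID with a timeout, and GalacticCowboy's rule of one live binding per username with something that flushes stale records. Here is that logic as one PHP sketch. It is added example code, not from any of the posters, and it runs against an in-memory SQLite database through PDO so it can be tried stand-alone; the table name `device_binding`, the cookie name `device_uid`, the one-week timeout and the walk-through values at the bottom are all assumptions.

```php
<?php
// Added example (not from the original answers): bind each username to one
// browser-issued random UID cookie, with a timeout so a user who moves to a
// new machine is not locked out forever. SQLite via PDO keeps it stand-alone;
// swap the DSN for your MySQL one. Table and column names are assumptions.
declare(strict_types=1);

const DEVICE_COOKIE   = 'device_uid';       // cookie name (assumption)
const BINDING_TTL_SEC = 7 * 24 * 3600;      // binding lapses after a week of inactivity

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE device_binding (
        username   TEXT PRIMARY KEY,
        device_uid TEXT NOT NULL,
        last_seen  INTEGER NOT NULL)');
    return $db;
}

// Fresh, unguessable UID for a browser that does not carry one yet (256 bits from the CSPRNG).
function issueDeviceUid(): string {
    return bin2hex(random_bytes(32));
}

// The cookie value if present and well-formed, otherwise a new UID to set on the response.
function currentDeviceUid(array $cookies): string {
    $v = $cookies[DEVICE_COOKIE] ?? '';
    return preg_match('/^[0-9a-f]{64}$/', $v) ? $v : issueDeviceUid();
}

// Call only after the password check has passed. Returns true if this login
// may proceed on this device, false if the account is bound to another live device.
function checkAndBindDevice(PDO $db, string $username, string $deviceUid, int $now): bool {
    $stmt = $db->prepare('SELECT device_uid, last_seen FROM device_binding WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false
        && !hash_equals($row['device_uid'], $deviceUid)
        && $now - (int)$row['last_seen'] < BINDING_TTL_SEC) {
        return false;   // still bound to a different machine
    }
    // First login, same device, or the old binding has lapsed: (re)bind.
    // INSERT OR REPLACE is SQLite syntax; MySQL uses REPLACE INTO / ON DUPLICATE KEY UPDATE.
    $db->prepare('INSERT OR REPLACE INTO device_binding (username, device_uid, last_seen)
                  VALUES (?, ?, ?)')->execute([$username, $deviceUid, $now]);
    return true;
}

// Refresh last_seen on every authenticated request so an active binding stays live.
function touchBinding(PDO $db, string $username, int $now): void {
    $db->prepare('UPDATE device_binding SET last_seen = ? WHERE username = ?')
       ->execute([$now, $username]);
}

// Periodic cleanup (cron) so a lost session-end event cannot leave a stale lock behind.
function flushStaleBindings(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM device_binding WHERE last_seen < ?');
    $stmt->execute([$now - BINDING_TTL_SEC]);
    return $stmt->rowCount();
}

// HttpOnly keeps scripts from reading the UID, Secure keeps it off plain HTTP (PHP 7.3+ options array).
function sendDeviceCookie(string $uid): void {
    setcookie(DEVICE_COOKIE, $uid, [
        'expires' => time() + 365 * 24 * 3600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {   // constructed walk-through with fake timestamps
    $db = openDb();
    $work = issueDeviceUid();
    $home = issueDeviceUid();
    var_dump(checkAndBindDevice($db, 'alice', $work, 1000));                   // true: first login binds the work PC
    var_dump(checkAndBindDevice($db, 'alice', $home, 2000));                   // false: bound to the work PC
    var_dump(checkAndBindDevice($db, 'alice', $work, 3000));                   // true: same machine
    var_dump(checkAndBindDevice($db, 'alice', $home, 3000 + BINDING_TTL_SEC)); // true: binding lapsed
}
```

The binding is keyed on the UID cookie, not on the IP, so the address changes listed in the answer above do not affect it; what it cannot survive is the user clearing cookies or using a second browser profile, which is exactly the "one change to the UID is okay?" question Curtis raises, and the TTL is the only relief valve in this sketch.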
A: 

You can limit to a single user agent by issuing the client with a client-side SSL certificate created with the keygen element. This gets the browser to generate a key pair, keeping the private key in the user agent; you then receive an SPKAC, which you can use with openssl to create a certificate, which you then send back to the user agent. It installs it, and it can be used to identify the user in that specific browser only, via HTTP+TLS, from then on.

Anything else simply won't work 100% - although you can hack ways that appear to work (until something goes wrong and it doesn't work) :)

nathan
A: 

If it is a very internal application that will be used only inside a company, it might be possible to define an IP range, because smaller companies which do not operate worldwide will probably have a certain number of IPs from their internet access provider.

You could also think about using some info from $_SERVER to restrict users to a combination of a single web browser (HTTP_USER_AGENT) and a single port (REMOTE_PORT) - as an additional way to differentiate machines.

But all these solutions are bad or worse; it's technically probably not possible to solve this problem (unless you will have guarantees from your client that all machines will keep a static IP, in which case it is a trivial if/else problem).

Richard Knop
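For the "internal application with a known IP range" case from the answer above, here is an IPv4 CIDR allowlist check in PHP. It is an added example, not the answerer's code; the ranges are constructed documentation addresses, and it covers only the IP range part of the answer. It reads `$_SERVER['REMOTE_ADDR']`, which is the proxy's address when the app sits behind a reverse proxy (the point GalacticCowboy makes), so it is only meaningful when the web server sees client addresses directly.

```php
<?php
// Added example: allow logins only from an allowlist of office IPv4 ranges.
// The ranges are constructed sample values; replace with the client's real blocks.
declare(strict_types=1);

const ALLOWED_RANGES = ['203.0.113.0/24', '198.51.100.64/26', '10.0.0.0/8'];

// True if $ip (dotted IPv4) lies inside the CIDR block $cidr. A bare address
// without "/bits" is treated as a /32. Malformed input never matches.
function ipInCidr(string $ip, string $cidr): bool {
    $parts = explode('/', $cidr, 2);
    $net   = $parts[0];
    $bits  = isset($parts[1]) ? (int)$parts[1] : 32;

    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    if ($bits === 0) {
        return true;                      // 0.0.0.0/0 matches everything
    }
    $mask = ~((1 << (32 - $bits)) - 1);   // host bits cleared, works on 32- and 64-bit PHP
    return ($ipLong & $mask) === ($netLong & $mask);
}

function ipAllowed(string $ip, array $ranges = ALLOWED_RANGES): bool {
    foreach ($ranges as $range) {
        if (ipInCidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Gate for the login handler. REMOTE_ADDR is set by the web server itself, unlike
// X-Forwarded-For, which any client can forge; trust the header only via a trusted proxy.
function loginSourceAllowed(array $server): bool {
    return ipAllowed($server['REMOTE_ADDR'] ?? '');
}

if (PHP_SAPI === 'cli') {   // constructed walk-through
    var_dump(ipAllowed('203.0.113.77'));    // true:  inside 203.0.113.0/24
    var_dump(ipAllowed('198.51.100.63'));   // false: just below 198.51.100.64/26
    var_dump(ipAllowed('198.51.100.127'));  // true:  last host of 198.51.100.64/26
    var_dump(ipAllowed('10.200.1.1'));      // true:  inside 10.0.0.0/8
    var_dump(ipAllowed('192.0.2.1'));       // false: not allowlisted
    var_dump(ipAllowed('not-an-ip'));       // false: malformed input never matches
}
```

Because `REMOTE_PORT` is the client's ephemeral source port, it changes with every TCP connection, so the IP-range check is the only part of that answer this example implements; the user-agent string is likewise something a second machine can present identically.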