views: 271

answers: 5

hello everyone,

i have following scenario and can't seem to find anything on the net, or maybe i am looking for the wrong thing:

i am working on a web-based data storage system. there are different users and different places and only certain users are allowed to access certain parts of the system. now, we do not want them to connect to these parts from home or with a different computer than they are using at their work-place (there are different reasons for that).

now my question is: if there is a way to have the work-place-pc identify itself to the server in some way over the browser, how can i do that? oh and yes, it is supposed to be web-based.

i hope i explained it so everyone understands. thnx for your replies in advance.

... dg

A: 

IP address. Not bombproof security but a start.

Lenni
Unless the IP address changes often, or when the computer is turned off overnight (e.g. if DHCP leases are short).
MattK
That's why I said "it's a start".
Lenni
Even a DHCP address will be within certain ranges. You could check against that. At least they'd be different than the internal subnets at his company.
Allain Lalonde
the ip-address was our first idea, but as you pointed out, it is "not bombproof" ... maybe combined with other ways. thnx.
doro
+1  A: 

Since you're going web based you can:

Examine the remote host's IP Address (compare it against known internal subnets, etc)

During the authentication process, you can ping the remote IP and take a look at the TTL on the returned packets, if it's too low, then the computer can't be from the local network. (of course this can be broken, but it's just 1 more thing)

If you're doing it over IIS, then you can integrate into SSO (probably the best if you can do it)

Allain Lalonde
thnx for your reply. i will look into that!
doro
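As an added illustration of the IP-range and TTL checks suggested above (example code, not from the thread): the allowlisted networks, the trusted proxy address and the hop limit are assumed values. The key caveat is that `X-Forwarded-For` is set by the client unless it arrives via your own reverse proxy, so it is only honoured when the TCP peer is that proxy.

```python
import ipaddress

# Constructed, assumed company ranges (documentation/private address space).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.20.0.0/16", "192.168.50.0/24", "2001:db8:abcd::/48")]
# Assumed address of our own reverse proxy; only its X-Forwarded-For is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.1.10/32")]
# Initial TTLs used by common operating systems, ascending.
COMMON_INITIAL_TTLS = (64, 128, 255)

def effective_client_ip(remote_addr, forwarded_for=None):
    """Address to evaluate. X-Forwarded-For is client-controlled text unless the
    TCP peer is a trusted proxy; a proxy appends the peer it saw as the LAST
    entry, so that entry (not the first) is the address it actually observed."""
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer

def is_internal(ip):
    # A version mismatch (v4 address vs v6 network) simply yields False.
    return any(ip in net for net in INTERNAL_NETWORKS)

def estimated_hops(observed_ttl):
    """Hop distance inferred from a ping reply's TTL, assuming the sender
    started at the nearest common initial TTL at or above the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL out of range")

def workstation_check(remote_addr, forwarded_for=None, observed_ttl=None, max_hops=3):
    """Return (allowed, reason). Denies anything outside the internal ranges
    and, when a reply TTL is supplied, anything too many hops away for the LAN."""
    try:
        ip = effective_client_ip(remote_addr, forwarded_for)
    except ValueError:
        return (False, "unparseable client address")
    if not is_internal(ip):
        return (False, f"{ip} is outside the internal ranges")
    if observed_ttl is not None and estimated_hops(observed_ttl) > max_hops:
        return (False, "too many hops for a local workstation")
    return (True, "ok")
```

Tie the decision to the authenticated user (which user is allowed from which range) rather than using the network check alone; as the thread notes, it is a first filter, not proof of the machine.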
+1  A: 

If it's supposed to be web-based (and by that I mean that the web server should be able to uniquely identify the user's machine), then your choices are limited: per se, there's nothing you can obtain from the browser's headers or request body that allows you to identify the machine. I suppose this is by design, due to the obvious privacy implications.

There are choices though, none of which is pain-free: you could use an ActiveX control, which however only runs on Windows (and not on all browsers I think) and requires elevated privileges. You could think of a Firefox plug-in (obviously Firefox only). At any rate, a plain-vanilla browser will otherwise escape identification.

Guido Domenici
"per se, there's nothing you can obtain from the browser's headers or request body that allows you to identify the machine" --- i thought as much, but thnx for confirming ... but i will think about the other thing. maybe we will make it a requirement, that on workstations they have to work with firefox ... at least there we can make ppl use the browser we would want *g*
doro
Firefox plugin can be copied from plugins directory and taken home.
Chris
+1  A: 

There are only a few REAL solutions to this. Here are a couple:

  1. Use domain authentication, and disallow users who are connecting over a VPN.
  2. Use known IP ranges to allow or disallow access.
John Gietzen
thnx a lot, i will see how that works exactly and if it fits our needs. thank you!
doro
+1  A: 

I agree with Lenni... IP address is a possible solution if they are static or the DHCP server consistently assigns the same IP address to the same machine.

Alternatively, you might also consider authentication via "personal certificates" ... that's what they are referred to as in Firefox, don't know if that's the standard name or not. (Obviously I haven't worked with these before.)

Basically they are SSL or PKI certificates that are installed on the client (user's) machine that identify that machine as being the machine it says it is -- that is, if the user tries to connect from a machine that doesn't have a certificate or doesn't have a certificate that you allow, you would deny them.

I don't know the issues around this ... it might be relatively easy for the same user to take the certificate off one computer and install it on another one with the correct password (i.e. it authenticates the user), or it might be keyed specifically to that machine somehow (i.e. it authenticates the machine). And a quick google search didn't turn up any obvious "how to" instructions on how it all works, but it might be worth looking into.

---Lawrence

Lawrence
thnx, this sounds like an interesting approach. i will definitely look into this as well. maybe it turns out to be a working approach.
doro