Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to restrict access to web application to one machine only?

Tags:

security

php

mysql

login

restrict

I need to make sure that every users accessing my web application can do that from one machine only, so 100 users would mean 100 machines. What would be the best solution? Is detecting and storing IP during first login good idea? I think IP might change even during lifetime of the session is that right? I was also thinking of storing cookie when user first logs in. Then assigning these cookie to the user, same as I do with password and username already, and every time when accessing application checking for presence of that cookie.

Please let me know what in your opinion would be the best solution. My backend is php/mysql if that matters.

EDIT: I need to clarify... This is in addition to normal session management. I need to restrict users to be able to login to web application from one specific machine only. So if user originally logged in from his computer at work and I stored its ip/cookie/etc., then client logs out (or even not), goes home and tries to login won't be able to do that. I agree its horrible idea but client insists :)

like image 369
spirytus Avatar asked Jul 06 '10 18:07

spirytus

2 Answers

IP address might change in the case of mobile clients, or clients that switch between wired and wireless networks. Your best bet would probably be to provide a randomly-generated UID to each client when it first connects (if it doesn't already have the cookie). Then you can check that the same username isn't connecting using two different UIDs.

The trick is that you need to make sure to time this UID out, so that if the user goes to another computer they aren't locked out. Perhaps one change to the UID is okay, but they can't go back to a UID that's already been used?

like image 163
Curtis Avatar answered Sep 22 '22 19:09

Curtis

You can limit to a single useragent by issuing the client with a client side SSL certificate created with the keygen element, this gets the browser to generate a key pair, keeping the private key in the user agent, then you receive an SPKAC, which you can use to openssl create a certificate, which you then send back to the user agent, it installs it and it can be used to identify the user in that specific browser only via HTTP+TLS from then on.

Anything else, simply won't work 100% - although you can hack ways that appear to work (until something goes wrong and it doesn't work) :)

like image 30
nathan Avatar answered Sep 25 '22 19:09

nathan
Sign in to Comment

Related questions

Adding rows to an array in PHP
Best way to structure AJAX for a Zend Framework application
How to write this loop prettier?
Php regular expression to match a div
Zend Framework: How to handle exceptions in Ajax requests?
Best Practice for Uploading Many (2000+) Images to A Server
Preventing server-side scripting, XSS
How to check a complex condition in Smarty(PHP)
Computing latitude longitude center point of a Polygon in PHP
Getting php tips and tutorials as daily emails to improve the knowledge in php programming
How to set file permission for linux host under windows?
Grammar checking API? [closed]
Adding metadata to PDF via PHP
Callbacks as part of a static member array
How to display time countdown using PHP and MySQL
Return values and exceptions for PHP functions
PHP Regex for IP to Location API
Escaping output safely for both html and input fields
How can I use C++ code to interact with PHP? [closed]
Wordpress REST API Slow Response time

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!