anybody can be of some help...will u help me?
Posted: Sat Dec 13, 2003 9:20 am
by crazytopu
Hi guys,
Just read it, I am sure you wouldn’t leave it unanswered.
Okay, here is my problem: I wanna develop a small application using HTML, PHP and MySQL that will be used to record employees’ check-in and check-out times in an organization.
Right at the moment employees do sign their name on the registry-book and put the time on their arrival and at the end of the day write their departure time. They do so in presence of a management staff. The job of the management staff is to check against any cheating.
I am personally interested to put a system in place, which will not require the presence of a management staff. An automated system sounds great. I will put a simple form based application in the front-desk PC, and employees will sign in once they arrive. They will use their user name and password in the form and click on the “Check-in” button. The server connected with the front desk pc will keep record of the time for each user.
But here I see a problem. I understand this automated system does not require any staff in presence and there is no chance to enter the arrival or departure time wrongly as the server reads its system time automatically as soon as the check-in button is clicked. However, one employee would still be able to cheat on behalf of his colleagues. How? Well, as you can see, the use of user name and password has a usage limitation and it’s solely meant to be used in this system. So there is no such security implication if employees do share their user name and password among themselves.
I know optical reader or stuff like that but it would be very expensive for this organization to go for any such sophisticated means.
Does anybody have any idea how to solve this problem?
Posted: Sat Dec 13, 2003 9:39 am
by igoy
do they have their own PC's ?
of course it doesn't seem so but still being clear.
well, i really can't think of anything else but optical readers or fingerprint recognizer.
what you can do without them is, allow only two logins per day.
you can store login count in mysql db so that user can login only twice a day also checkout / checkin buttons won't be accessible if they are already clicked for that particular day. something like that,
I'm really sorry, as this is not really a solution for your problem.
not to discourage you, but I firmly believe that...
There is no security that cannot be breached.
ur solution has a drawback...
Posted: Sat Dec 13, 2003 10:18 am
by crazytopu
hi,
thanks for your reply. At least you tried to come up with a solution. I appreciate it. But it has some apparent drawback as you noticed that too i guess.
Lets say you would be late to join office and asked your colleague to check in on behalf of you.
Since no staff is there from the management side to check it, your colleague gets the front desk PC unsecured and takes the advantage of it. He first will check in using his user name and password, if I apply any such option which will allow only two log ins each day against any such user.. it does not prevent him from doing that favor to you. Coz your account is still open to use the 2 log in system – since nobody checks in using ur account for that day. So, your colleague can easily log in on behalf of you once he is done with his one.
U got it now? So when u will show up you don’t have to check in coz u r already checked-in. and you just walk in straight way no matter if you are 30 min late!!!!
It’s a small organization, so can't afford a full time staff to look after it.
Some of the employees have their own PCs and it’s connected to the server. Does it make any difference if they all have their own PC?
Posted: Sat Dec 13, 2003 10:28 am
by igoy
Yeh Topu, I did think of that too, but since nothing else was coming to my mind, I let it be on Post.
well, everyone having a PC does make a difference.
You see, everyone will have to login to system once they come from THEIR pc, you can check their IP with username / password.
this cannot be a permanent solution again, but to some extent we move forward in finding a solution.
Wow! can you explain a bit further?
Posted: Sat Dec 13, 2003 10:40 am
by crazytopu
Thank you so much again. I am getting interested to see that there is a way..at least some ray of hope!!!
So, could you please expand on the IP based thing? The network is running and managed by a win 2k server, and all other workstations are running under win2k professional.
When a user types a user name and password to log in to his pc how might I be able to store that info and their log in time in a database?
The network has an active directory that controls the domain under which all PCs are assigned.
Please shed some more light
Take care,
Posted: Sat Dec 13, 2003 12:02 pm
by igoy
well, let's say Mr. John uses Comp A, which has an IP address (10.10.0.5). Miss Linda uses Computer B (IP : 10.10.0.2)
Now this PHP proggy works on our server, When user logs in, it checks username & password, if username & password combo is successful,
then it checks for client IP for that user.
Now John logs in, system checks if this login request is made from IP (10.10.0.5). If it's true, then John can log in, do his Check-in,
if he tries to login from some other computer he is logged out back to login screen, nothing is entered in database. He is cleanly out.
Now this is one concept. Since we have limitations in implementing system. Well if you can think something else please Post. This can lead to some real interesting ideas.
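The check described in this post, combined with the one check-in and one check-out per day limit suggested earlier in the thread, as an added PHP example that is not code from any poster. The arrays stand in for MySQL tables, and `try_punch()`, the passwords and the log layout are assumptions.

```php
<?php
// Added example, not code from the thread. Arrays stand in for MySQL tables;
// try_punch(), the passwords and the log layout are assumptions.
$users = [ // constructed sample data, IPs taken from the post above
    'john'  => ['hash' => password_hash('constructed-pw-1', PASSWORD_DEFAULT), 'ip' => '10.10.0.5'],
    'linda' => ['hash' => password_hash('constructed-pw-2', PASSWORD_DEFAULT), 'ip' => '10.10.0.2'],
];

function try_punch(array $users, array &$log, string $user, string $pw,
                   string $remoteIp, string $action, string $day): string
{
    if ($action !== 'in' && $action !== 'out') {
        return 'denied: unknown action';
    }
    // Same answer for an unknown user and a wrong password.
    if (!isset($users[$user]) || !password_verify($pw, $users[$user]['hash'])) {
        return 'denied: bad credentials';
    }
    // $remoteIp must be the TCP peer address ($_SERVER['REMOTE_ADDR']),
    // not a header the browser can set such as X-Forwarded-For.
    if ($users[$user]['ip'] !== $remoteIp) {
        return 'denied: wrong workstation';   // nothing is written to the log
    }
    if (isset($log[$day][$user][$action])) {
        return 'denied: already recorded today';
    }
    if ($action === 'out' && !isset($log[$day][$user]['in'])) {
        return 'denied: no check-in today';
    }
    $log[$day][$user][$action] = date('H:i:s'); // server clock, never client input
    return 'ok';
}

// Constructed requests for one day.
$log = [];
$day = '2003-12-15';
$requests = [
    ['john', 'constructed-pw-1', '10.10.0.5', 'in'],  // own PC
    ['linda', 'constructed-pw-2', '10.10.0.5', 'in'], // Linda's login from John's PC
    ['john', 'constructed-pw-1', '10.10.0.5', 'in'],  // second check-in, same day
    ['john', 'wrong-password', '10.10.0.5', 'out'],
    ['john', 'constructed-pw-1', '10.10.0.5', 'out'],
];
foreach ($requests as [$u, $pw, $ip, $action]) {
    echo "$u $action from $ip: ", try_punch($users, $log, $u, $pw, $ip, $action, $day), "\n";
}
```

The binding only holds if each workstation keeps a fixed address, for example through static configuration or DHCP reservations.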
another solution.......
Posted: Sat Dec 13, 2003 12:46 pm
by crazytopu
thank you again..lets see how much i will be able to implement.
someone replied to my post in another forum: igoy, do you think the following could be a good solution? which part of india are you from?
Here's a non-technical solution. A buddy of mine just hooked up a webcam on top of the monitor with a sign under it asking the employees to make sure they look directly into the camera when signing in. You can get motion detecting web-cams fairly cheaply which would take a picture every time someone approached the monitor but he doesn't even do that, he feels that just the presence of the camera deters them from cheating. Not a fail-safe system, but a pretty good psychological deterrent to cheating. You could always look at ways to have the photos added to their timesheet database as well. Just a suggestion.
Posted: Sat Dec 13, 2003 1:31 pm
by jason
Another problem with the IP address scheme is that all it takes is for me to go over to someone else's computer, and type in their username/password from there.
The camera with the motion sensor is a good solution. Though, it would be nice to see if there was some way to rig it up so that when someone logs in, the camera will take a picture.
It also depends on if everyone is using a computer, and what they are using the computer for. At another place I used to work, they used internally developed web based applications. They would log in, and use the web application. This means even if you logged into the computer for someone else, it meant you couldn't be logged in on your account, therefore, you were going to be late.
Simply put: username/password combinations are NOT ways to validate a person, and they never will be. Basically, you need an out of band authentication method. The camera idea is good, though, if the employees find out that it doesn't work as well as it should, they will get around it.
Surprise inspections, and simply physically looking at who is there and who isn't and checking with the login records is also a good way to do things.
Other methods include using email. For example, if you have the person login on the main computer, and the system sends that user an email. The user then logs onto their normal computer (using normal methods). They then get the email, and in that email, it has the person click on a link. This link takes them to a server page that verifies that they are now at their computer.
Obviously, a time limit of something like 15 minutes is placed (giving people time to settle in) on the link. While someone would be likely to give another employee the login/password to the front computer, letting another employee have access to email is another thing.
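The e-mailed link with a 15-minute limit described in this post, as an added PHP example that is not code from the thread: the front-desk check-in stays pending until a single-use random token is presented in time. The array stands in for a MySQL table, and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. $pending stands in for a MySQL
// table; issue_confirmation() and confirm_checkin() are assumed names.
const CONFIRM_TTL = 15 * 60; // the 15-minute window suggested in the post

// Front-desk step: record a pending check-in and return the token to e-mail.
function issue_confirmation(array &$pending, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 random bits, not guessable
    // Store only a hash, so a leaked table does not expose usable links.
    $pending[hash('sha256', $token)] = [
        'user' => $user, 'checkin' => $now, 'confirmed' => false,
    ];
    return $token;
}

// Page behind the e-mailed link: confirm once, and only inside the window.
function confirm_checkin(array &$pending, string $token, int $now): string
{
    $key = hash('sha256', $token);
    if (!isset($pending[$key])) {
        return 'unknown';       // forged or mistyped token
    }
    if ($pending[$key]['confirmed']) {
        return 'already-used';  // each link works once
    }
    if ($now - $pending[$key]['checkin'] > CONFIRM_TTL) {
        return 'expired';       // the check-in stays unconfirmed
    }
    $pending[$key]['confirmed'] = true;
    return 'confirmed';
}

// Constructed demo: both check in at 09:00 at the front desk.
$pending = [];
$t0 = mktime(9, 0, 0, 12, 15, 2003);
$linda = issue_confirmation($pending, 'linda', $t0);
$john  = issue_confirmation($pending, 'john', $t0);
echo confirm_checkin($pending, $linda, $t0 + 600), "\n";  // Linda clicks at 09:10
echo confirm_checkin($pending, $linda, $t0 + 660), "\n";  // same link clicked again
echo confirm_checkin($pending, $john, $t0 + 1200), "\n";  // John clicks at 09:20
echo confirm_checkin($pending, str_repeat('0', 64), $t0), "\n"; // made-up token
```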
Posted: Sun Dec 14, 2003 5:31 am
by igoy
Don't want to repeat what everyone said, so it's like this.
what Jason said is apt, Camera idea is good. psychological effect also can do lot good. No matter how much rules and security you put, it's necessary to make people understand and convince to follow them, not to break them.
camera, surprise visits and some technical brilliance will make this system work, I guess.
Good Luck.
more solutions
Posted: Sun Dec 14, 2003 9:20 am
by crazytopu
here are more comments on this topic:
Why not use this system with a member of management also nearby? You get the benefits of electronic record keeping (basically an electronic time clock). I don't understand why having the computer there in any way infers that a member of management should not be included. You can't automate trust.
Wired's solution (camera ) is an excellent alternative.
But still, your proposed system is fine. The benefits of electronic recordkeeping are clear. Just leave the member of management in the system. Then you will improve the system without any sacrifices.
There are Biometric devices that can identify people by finger print that are not very expensive (far less expensive than your time setting something up).
Posted: Mon Dec 15, 2003 2:29 pm
by m3mn0n
Your problem sounds very similar to the one I faced when I was promoted to management at a local fast food restaurant a few years back.
People used to sign in for their friends even though they didn't work a single shift that day. Also if someone was working 9-5 and another 9-3, the 9-5 guy would punch out his friend at 5.
To combat this form of cheating we simply checked the punch card times on the computer against the schedule at the end of the day, or week depending on how busy the night was.
Although, that camera idea is very good because it would defeat the need for management time dedicated to anti-cheating. Although I'm wondering if anyone has even ever created such an application that interacted with PHP.