Application Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

koolsamule
Forum Contributor
Posts: 130
Joined: Fri Sep 25, 2009 10:03 am

Application Security

Post by koolsamule »

Hi Chaps,

I have a PHP Application, hosted on IIS 7 Server.

The Application needs to be secure for a customer (based in Germany).

The problem I face is that the only security I have used is cookies.
The customer, however, does not want to use cookies, due to the difficulty of managing these cookies at their end.

Their solution would be to use some sort of IP Address based security, where only access from certain IP Addresses would be permitted.

The problem I see with this is that the customer has numerous different 'sites' across Germany, which would have their own servers and therefore different IP Addresses and in some cases, no server at all.

So my questions are:

1. Is IP Address security a viable option?
2. Would the customer's request be a valid concern?
3. What would be the best practice of implementing the request?

Many thanks
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Re: Application Security

Post by Zyxist »

Using IP addresses for authentication is reliable only in cases when the users have a constant, well-known address that does not change and we are perfectly sure that nobody else can connect from it other than our customer. So, for example: your customer has five divisions in Germany located in different cities. If each of these divisions has its own, unique, public and unchangeable IP address or addresses, then yes - you can limit the access to the website even at the webserver level. However, if one of the divisions does not have its own public IP or the customer's employees must be able to connect to the application from mobile locations, it won't work.
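The check Zyxist describes, done in the application rather than at the webserver, as an added example that is not code from this thread or from the poster's application. It assumes PHP 7.1 or later; the allowlist entries are constructed placeholders from the documentation address ranges, and the function names are my own.

```php
<?php
// Added example, not code from the thread: an IP allowlist check for a PHP
// application, with CIDR support for IPv4 and IPv6. The addresses below are
// constructed placeholders from the documentation ranges; substitute the
// customer's real division addresses.
const ALLOWED_NETWORKS = [
    '203.0.113.10',        // one division with a single fixed public address
    '198.51.100.0/24',     // a division that owns a whole subnet
    '2001:db8:abcd::/48',  // an IPv6 prefix
];

// True if $ip falls inside $network ("a.b.c.d", "a.b.c.d/len" or IPv6 forms).
function ipInNetwork(string $ip, string $network): bool
{
    $ipBin = inet_pton($ip);
    if ($ipBin === false) {
        return false;                       // not a parseable address at all
    }
    if (strpos($network, '/') === false) {  // single host: binary equality
        $netBin = inet_pton($network);
        return $netBin !== false && $netBin === $ipBin;
    }
    [$subnet, $bits] = explode('/', $network, 2);
    $netBin = inet_pton($subnet);
    if ($netBin === false || strlen($netBin) !== strlen($ipBin)) {
        return false;                       // malformed, or IPv4 vs IPv6 mismatch
    }
    if (!ctype_digit($bits) || (int) $bits > strlen($ipBin) * 8) {
        return false;                       // prefix length out of range
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;   // the high $rem bits of the next byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function clientIsAllowed(string $ip, array $networks): bool
{
    foreach ($networks as $network) {
        if (ipInNetwork($ip, $network)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR comes from the TCP connection the web server accepted, so the
// client cannot forge it. X-Forwarded-For is just a request header and can be
// set to anything, so it must be ignored unless the application sits behind a
// reverse proxy you control that overwrites it.
function enforceAllowlist(array $server, array $networks): void
{
    $clientIp = $server['REMOTE_ADDR'] ?? '';
    if (!clientIsAllowed($clientIp, $networks)) {
        error_log("Allowlist denied request from '$clientIp'");
        http_response_code(403);
        exit('Access denied');
    }
}

enforceAllowlist($_SERVER, ALLOWED_NETWORKS);
```

Two points worth keeping in mind when using this. Only REMOTE_ADDR is consulted: a header such as X-Forwarded-For is client-controlled and would let anyone claim an allowed address. And the same restriction can be applied before PHP runs at all, which is what Zyxist means by the webserver level: IIS 7 ships an IP and Domain Restrictions feature (the `<ipSecurity>` section of web.config) that rejects unlisted addresses with a 403, so the application never sees the request.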
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Application Security

Post by Apollo »

koolsamule wrote:
> 2. Would the customer's request be a valid concern?
Exactly what is their problem with "managing cookies at their end"?

Any decent browser comes with default cookie support, there's nothing to manage for them. They login once, you store a checksum in a cookie, done.

(checksum being sha512(Password+Salt+TheirIp) or something)
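A login cookie bound to the client's IP address, in the spirit of Apollo's sketch, as an added example that is not code from the thread. Instead of hashing the password together with the IP, it signs a user id and expiry with an HMAC under a server-side secret, so the cookie carries nothing derived from the password and every issued token can be revoked by rotating the secret. It assumes PHP 7.1 or later; COOKIE_SECRET and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread: a login cookie that carries a
// server-signed token bound to the client's IP address. COOKIE_SECRET is a
// hypothetical key: generate it once with random_bytes() and keep it in
// configuration outside the web root, never in source control.
const COOKIE_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SERVER-SECRET';
const COOKIE_NAME   = 'auth';
const TOKEN_TTL     = 8 * 3600;   // seconds a login stays valid

// Build "userId|expires|hmac". The HMAC covers the user, the expiry and the
// client IP, so editing any field, or presenting the cookie from another
// address, makes verification fail.
function issueToken(string $userId, string $clientIp, int $now): string
{
    if (strpos($userId, '|') !== false) {
        throw new InvalidArgumentException('user id must not contain the separator');
    }
    $expires = $now + TOKEN_TTL;
    $mac = hash_hmac('sha512', "$userId|$expires|$clientIp", COOKIE_SECRET);
    return "$userId|$expires|$mac";
}

// Returns the user id if the token is intact, unexpired and presented from the
// IP it was issued to; null otherwise.
function verifyToken(string $token, string $clientIp, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                                      // expired or malformed
    }
    $expected = hash_hmac('sha512', "$userId|$expires|$clientIp", COOKIE_SECRET);
    return hash_equals($expected, $mac) ? $userId : null; // constant-time compare
}

// Call after the password has been checked successfully.
function setLoginCookie(string $userId): void
{
    $token = issueToken($userId, $_SERVER['REMOTE_ADDR'], time());
    // path '/', no domain restriction, secure (HTTPS only), httponly (no JS access)
    setcookie(COOKIE_NAME, $token, time() + TOKEN_TTL, '/', '', true, true);
}

// Call on every later request to find out who, if anyone, is logged in.
function currentUser(): ?string
{
    $token = $_COOKIE[COOKIE_NAME] ?? '';
    return $token === '' ? null : verifyToken($token, $_SERVER['REMOTE_ADDR'], time());
}
```

Binding the token to REMOTE_ADDR makes a cookie copied to another machine useless, which is the property Apollo is after, but it also means a user whose address changes mid-session (mobile connections, NAT pools that rotate) is logged out, the same limitation Zyxist raises for pure IP checks. A browser that discards cookies on close simply forces a fresh login, after which a new token is issued; nothing has to be "managed" on the customer's side.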
koolsamule
Forum Contributor
Posts: 130
Joined: Fri Sep 25, 2009 10:03 am

Re: Application Security

Post by koolsamule »

Thanks Zyxist for your reply, most helpful. I will check with their IT Department and see how I get on.

Apollo: some of their divisions might delete cookies on closing their browser, or each time they log in to their PC, and they don't want to log in each time, so an IP address check would be preferable.

Many thanks!