Restrict access PC wise ...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

ab4net
Forum Newbie
Posts: 5
Joined: Thu Nov 30, 2006 4:11 pm

Post by ab4net »

Hi all,
I am developing a program for an exchange company; their request is to make the website (program directory) accessible only from certain PCs,
so the employees can't log in from home and make unwanted transfers, etc.
I don't know how to do it, but I know it is possible, because Western Union is doing the same! And they can restrict to a telephone number (their program is 100% an online page); I checked it ...
The idea here (I don't know if it works) is to give them a CD with an EXE file; when they run the small application it creates a directory, for example c:/tnt/locker/auth/system.txt, and my page reads the file; if it is not available, it then doesn't allow access!
Is that possible, or are there any ideas?
Thanks to all in advance ...
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Simple. Set Apache to deny all requests that are outside the intranet.
ab4net
Forum Newbie
Posts: 5
Joined: Thu Nov 30, 2006 4:11 pm

Post by ab4net »

Thanks,
I can't do so, because it is shared hosting.
Any other ideas?
theFool
Forum Newbie
Posts: 17
Joined: Thu Oct 26, 2006 2:00 am
Location: Berlin, DE

Post by theFool »

I guess it is really hard, probably impossible, to establish fail-safe authentication if you're not allowed to edit the htaccess files of the webserver.

If your company has a fixed IP for their internet connection, you could try to read the IP address with $_SERVER['REMOTE_ADDR'], but an attacker might fake this.

Looks like your company should think about at least a managed server with full administration webserver.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

theFool wrote: ...read the IP address with $_SERVER['REMOTE_ADDR'], but an attacker might fake this.
How?
sike
Forum Commoner
Posts: 84
Joined: Wed Aug 02, 2006 8:33 am

Post by sike »

ab4net
Forum Newbie
Posts: 5
Joined: Thu Nov 30, 2006 4:11 pm

Post by ab4net »

Is there a way to make the page (PHP), which is online, able to read a TXT file on the computer?
Even if a message has to appear to the user, is there any way to do so?
theFool
Forum Newbie
Posts: 17
Joined: Thu Oct 26, 2006 2:00 am
Location: Berlin, DE

Post by theFool »

Mordred wrote:
theFool wrote: ...read the IP address with $_SERVER['REMOTE_ADDR'], but an attacker might fake this.
How?
Dunno, I am not a hacker ^^.
IP spoofing would be possible then, but I cannot say how difficult it is to do so.
I haven't used Remote_addr before, but maybe you can suppress or fake it like HTTP_Referer; but as I think about it now, I rather doubt it. :lol:
ab4net
Forum Newbie
Posts: 5
Joined: Thu Nov 30, 2006 4:11 pm

Post by ab4net »

I think I have to do it with ActiveX controls ...
but is it possible if the server is Apache and doesn't support Microsoft?
And is there anyone who can advise an idea in this field?
ActiveX

Regards,
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

Can't use .htaccess Deny/Allow?
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

If someone can spoof an IP, it's not going to matter whether you deny / allow by IP via Apache or PHP. A denied IP is a denied IP.

I'd try to go the .htaccess route if you can, and if that won't work, then write some code into your PHP to check against the IP address of the visitor.
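
Added example, not part of any post in this thread: one way to do the PHP-side check suggested above on a host without .htaccess control, matching `$_SERVER['REMOTE_ADDR']` against an allowlist of networks. The constant and function names are hypothetical, and the address ranges are constructed documentation values standing in for the office's fixed addresses.

```php
<?php
// Added example. Networks are constructed documentation ranges, not real offices.
const ALLOWED_NETWORKS = ['203.0.113.16/28', '198.51.100.7/32', '2001:db8:10::/48'];

/** True if $ip lies inside $cidr; false on malformed input or IPv4/IPv6 mismatch. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($ipBin) * 8;
    // Reject a non-numeric prefix: casting it to int would give /0 and match everything.
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
        return false;
    }
    $bits  = $bits === null ? $max : (int) $bits;
    $whole = intdiv($bits, 8);
    // Compare the whole bytes of the prefix first, then the remaining bits.
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

function client_is_allowed(array $server, array $networks = ALLOWED_NETWORKS): bool
{
    // REMOTE_ADDR is the peer address of the connection as seen by the web server.
    // Request headers such as X-Forwarded-For are client-supplied and are not consulted.
    $ip = $server['REMOTE_ADDR'] ?? '';
    foreach ($networks as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Include at the top of every protected page, before any output.
if (PHP_SAPI !== 'cli' && !client_is_allowed($_SERVER)) {
    http_response_code(403);
    exit('Forbidden');
}
```

If the shared host places a reverse proxy in front of PHP, `REMOTE_ADDR` holds the proxy's address rather than the visitor's, and this check cannot distinguish clients.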
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

ab4net wrote:thanks,
cant do so, because it is shared hosting.
any other ideas ???
Why would you host an intranet site on the worldwide web in the first place???

Over here our identity cards are smartcards... And authentication is performed with a public/private key on the card...
ab4net
Forum Newbie
Posts: 5
Joined: Thu Nov 30, 2006 4:11 pm

Post by ab4net »

Seems a great idea,
can you please tell me more about it?
I need to know the following, please, if you can:
if I build an online server, IIS,
and enable PHP and MySQL on it,
how do I use the smartcard, and how do I set it up, etc.?
Can you guide me or send me to a good DETAILED step-by-step tutorial? :(
I think I can convince them to have their own host.
Thanks in advance ...
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »
