How to restrict access to web application to one m

Posted 2019-04-12 06:56

I need to make sure that every user accessing my web application can do that from one machine only, so 100 users would mean 100 machines. What would be the best solution? Is detecting and storing the IP during first login a good idea? I think the IP might change even during the lifetime of the session, is that right? I was also thinking of storing a cookie when the user first logs in, then assigning this cookie to the user, same as I do with the password and username already, and every time the application is accessed checking for the presence of that cookie.

Please let me know what in your opinion would be the best solution. My backend is php/mysql if that matters.

EDIT: I need to clarify... This is in addition to normal session management. I need to restrict users so that they are able to log in to the web application from one specific machine only. So if a user originally logged in from his computer at work and I stored its IP/cookie/etc., then the client logs out (or even doesn't), goes home and tries to log in, he won't be able to do that. I agree it's a horrible idea but the client insists :)

6 answers
祖国的老花朵
#2 · 2019-04-12 07:23

IP address might change in the case of mobile clients, or clients that switch between wired and wireless networks. Your best bet would probably be to provide a randomly-generated UID to each client when it first connects (if it doesn't already have the cookie). Then you can check that the same username isn't connecting using two different UIDs.

The trick is that you need to make sure to time this UID out, so that if the user goes to another computer they aren't locked out. Perhaps one change to the UID is okay, but they can't go back to a UID that's already been used?

Ridiculous、
#3 · 2019-04-12 07:33

Don't do that. Many people will access your website from multiple computers, and they will complain if you block them.

Emotional °昔
#4 · 2019-04-12 07:34

Unfortunately, an IP is not machine-specific for multiple reasons:

  1. The IP address could change during the session, with no notice (the user might not even be aware of it)
  2. Most users have a dynamic IP, so it most definitely will change at some point
  3. For machines such as a laptop, tablet or cell phone, the IP address is based on the current service provider
  4. All users behind a proxy would appear to you as a single IP, so you still wouldn't be able to detect if they moved from one machine to another

Instead, generate some kind of unique key for the session and track it in combination with the user name. Prevent them from logging in if the same user name is already in another active session. (You'll also want some way to automatically flush these, just in case you lose the session-end event.)

SAY GOODBYE
#5 · 2019-04-12 07:34

The best solution is already built into the web server, depending on which one you are using. That's what sessions are for. In ASP.NET/IIS, there is usually a 20-minute per-session timeout.

So if a user uses another computer to access your web application, then the session timeout will release the connection from the machine that is idle.

UPDATE

You might want to consider restricting users by the MAC address of their machines, which is unique.

The star"
#6 · 2019-04-12 07:42

You can limit to a single user agent by issuing the client a client-side SSL certificate created with the keygen element. This gets the browser to generate a key pair, keeping the private key in the user agent; then you receive an SPKAC, which you can use with openssl to create a certificate, which you then send back to the user agent. It installs it, and from then on it can be used to identify the user in that specific browser only via HTTP+TLS.

Anything else simply won't work 100%, although you can hack ways that appear to work (until something goes wrong and it doesn't work) :)

戒情不戒烟
#7 · 2019-04-12 07:42

If it is a very internal application that will be used only inside a company, it might be possible to define an IP range, because smaller companies which do not operate worldwide will probably have a certain number of IPs from their internet access provider.

You could also think about using some info from $_SERVER to restrict users to a combination of a single web browser (HTTP_USER_AGENT) and a single port (REMOTE_PORT), as an additional way to differentiate machines.

But all these solutions are bad or worse; it's technically probably not possible to solve this problem (unless you have guarantees from your client that all machines will keep a static IP, in which case it is a trivial if/else problem).
