
Authentication/Authorization


I have a problem at hand and I can't find a way to solve it efficiently. So the problem is - I would like to set up a small web page with a secure area, but leave the permission to this area to some individuals with a password and some machines via something else. The problem is that I can't uniquely identify machines via IP, as they might have dynamic IPs or they are behind a NAT and I can't let all of the sub-NAT machines access the resource. One of the ideas is to use a certificate, but that seems to be an expensive, cumbersome way to me... Does anyone have a better suggestion?

One way that I can see this done:

Per user, send them a cookie with a unique number. (session cookie, expiring in a few minutes).

You then record their number and their IP address + user agent in a file.

You can then check if they have a cookie before sending them the secured page (using PHP).

If they have a cookie, but either the IP or user agent changed, then ask them to relog on (and remove the entry in the file/db).

If they don't have a cookie, then redirect them to the logon page.

You record the last time seen on the db as a timestamp, and then once every N seconds you can remove records that haven't been used for a while (10 minutes, an hour, etc).

(You would use SSL for the entire connection, to ensure that nobody can copy the cookies.)

Pretty much, dynamic IPs don't change instantaneously, they change once every few days, if that (or when I restart the router).

Also, for people using a NAT, the other people wouldn't have the cookie, which then lets you differentiate. Since you're using SSL, it then means that nobody can snoop the cookie in mid session. It still doesn't stop a compromised client, but meh. There's not much else you can do. (And it's pretty simple to implement.)

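The cookie scheme described in the reply above, as an added example that is not part of the original thread. It is written in Python rather than the PHP the post mentions; the class and method names, the token length and the idle limit are assumptions made for illustration.

```python
import hashlib
import secrets
import time

IDLE_LIMIT = 600  # seconds; the reply suggests anything from 10 minutes to an hour


class SessionStore:
    """Server-side table: sha256(token) -> [ip, user_agent, last_seen]."""

    def __init__(self, idle_limit=IDLE_LIMIT, clock=time.time):
        self.idle_limit = idle_limit
        self.clock = clock  # injectable so expiry can be exercised without sleeping
        self.records = {}

    @staticmethod
    def _key(token):
        # Keep only a hash so a leaked table does not yield usable cookie values.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, ip, user_agent):
        """Call after a successful password login; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # the "unique number", made unguessable
        self.records[self._key(token)] = [ip, user_agent, self.clock()]
        return token

    def check(self, token, ip, user_agent):
        """Return 'ok', 'relogin' (binding changed or idle too long) or 'login'."""
        if not token:
            return "login"  # no cookie: redirect to the logon page
        key = self._key(token)
        rec = self.records.get(key)
        if rec is None:
            return "login"  # unknown or already removed cookie
        expired = self.clock() - rec[2] > self.idle_limit
        if expired or rec[0] != ip or rec[1] != user_agent:
            del self.records[key]  # remove the entry and ask for a fresh logon
            return "relogin"
        rec[2] = self.clock()  # refresh the last-seen timestamp
        return "ok"

    def purge(self):
        """Periodic sweep of idle records; returns how many were removed."""
        now = self.clock()
        stale = [k for k, r in self.records.items() if now - r[2] > self.idle_limit]
        for k in stale:
            del self.records[k]
        return len(stale)
```

The value returned by `issue()` would be sent as a cookie with the `Secure` and `HttpOnly` attributes, so it only travels over the SSL connection the reply calls for.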
Well, that's a good idea, but I can't think of a way to restrict say Bob's PC to access the secured area.

If there is just one darn machine behind that NAT I can't let in, it seems that there is no solution to keep it out without installing some hidden from user certificate by administrator... And even then, someone savvy enough can just copy it to a floppy and use it to get the rest of the behind-NAT PCs to work just fine...
