Authentication/Authorization

Started by _Madman_
1 comment, last by _Madman_ 17 years, 6 months ago
I have a problem at hand and I can't find a way to solve it efficiently. So the problem is: I would like to set up a small web page with a secure area, but leave the permission to this area to some individuals with a password and some machines via something else. The problem is that I can't uniquely identify machines via IP, as they might have dynamic IPs or they are behind a NAT, and I can't let all of the sub-NAT machines access the resource. One of the ideas is to use a certificate, but that seems an expensive, cumbersome way to me... Does anyone have a better suggestion?
______________________________Madman
One way that I can see this done:

Per user, send them a cookie with a unique number. (session cookie, expiring in a few minutes).

You then record their number and their IP address + user agent in a file.

You can then check if they have a cookie before sending them the secured page (using PHP).

If they have a cookie, but either the IP or user agent changed, then ask them to log on again (and remove the entry in the file/db).

If they don't have a cookie, then redirect them to the logon page.

You record the last time seen in the db as a timestamp, and then once every N seconds you can remove records that haven't been used for a while (10 minutes, an hour, etc).

(You would use SSL for the entire connection, to ensure that nobody can copy the cookies.)

Pretty much, dynamic IPs don't change instantaneously; they change once every few days, if that (or when I restart the router).

Also, for people using a NAT, the other people wouldn't have the cookie, which then lets you differentiate. Since you're using SSL, it then means that nobody can snoop the cookie mid-session. It still doesn't stop a compromised client, but meh. There's not much else you can do. (And it's pretty simple to implement.)
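The scheme described in the reply above, as an added example that is not part of the original post or its author's code: a session store issues a random token after a password check, binds it to the client's IP address and User-Agent, forces a fresh login when either changes or the session has been idle too long, and prunes stale records on a timer. The 10-minute idle limit, the token length, the `Secure`/`HttpOnly` cookie flags and the clock-injection style are assumptions made for this example; the client addresses and user agents in the demo are constructed sample values.

```python
import secrets

IDLE_LIMIT_SECONDS = 600  # assumption: the 10-minute figure the post mentions


class SessionStore:
    """Maps a session token to the IP/User-Agent it was issued to.

    The current time is passed in explicitly so the expiry logic can be
    exercised deterministically; a real handler would pass time.time().
    """

    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS):
        self.idle_limit = idle_limit
        self._sessions = {}  # token -> {"ip": ..., "ua": ..., "last_seen": ...}

    def login(self, ip, user_agent, now):
        """Call only after the password check succeeded: issue a fresh token."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._sessions[token] = {"ip": ip, "ua": user_agent, "last_seen": now}
        return token

    def check(self, token, ip, user_agent, now):
        """Decide what to do with a request for the secured page.

        Returns "ok" (serve the page), "no_session" (redirect to the logon
        page) or "relogin" (cookie present but IP/UA changed or idle too long;
        the entry is removed so the old token cannot be reused).
        """
        entry = self._sessions.get(token) if token else None
        if entry is None:
            return "no_session"
        changed = entry["ip"] != ip or entry["ua"] != user_agent
        idle = now - entry["last_seen"] > self.idle_limit
        if changed or idle:
            del self._sessions[token]
            return "relogin"
        entry["last_seen"] = now  # refresh the last-seen timestamp
        return "ok"

    def prune(self, now):
        """The periodic cleanup job: drop records idle longer than the limit."""
        stale = [t for t, e in self._sessions.items()
                 if now - e["last_seen"] > self.idle_limit]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def active_count(self):
        return len(self._sessions)


def cookie_header(token):
    """Set-Cookie line for the token. No Max-Age makes it a session cookie;
    Secure keeps it on the SSL connection the post requires, HttpOnly keeps
    page script from reading it."""
    return f"Set-Cookie: sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo():
    """Walk through the cases the post lists; returns the outcomes in order."""
    store = SessionStore(idle_limit=600)
    ip, ua = "203.0.113.5", "Mozilla/5.0 (constructed UA)"  # constructed values
    tok = store.login(ip, ua, now=1000)
    outcomes = [
        store.check(tok, ip, ua, now=1010),             # same client: ok
        store.check(None, ip, ua, now=1010),            # no cookie: no_session
        store.check(tok, "203.0.113.9", ua, now=1020),  # IP changed: relogin
        store.check(tok, ip, ua, now=1030),             # token was removed
    ]
    tok2 = store.login(ip, ua, now=1030)
    outcomes.append(store.check(tok2, ip, ua, now=1030 + 601))  # idle: relogin
    return outcomes


if __name__ == "__main__":
    print(demo())
    print(cookie_header("example-token"))
```

Because a second machine behind the same NAT presents the same public IP, the IP check alone would let it through; it is the possession of the cookie, issued only after the password step, that keeps it out, which is the differentiation the reply describes.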
Well, that's a good idea, but I can't think of a way to restrict, say, Bob's PC from accessing the secured area.

If there is just one darn machine behind that NAT I can't let in, it seems that there is no solution to keep it out without the administrator installing some certificate hidden from the user... And even then, someone savvy enough can just copy it to a floppy and use it to get the rest of the behind-NAT PCs to work just fine...
______________________________Madman
