Reply to Re: Check that input is supplied from a particular PC?

Posted by Richard Levasseur on 08/07/06 15:06

walterbyrd wrote:
> Benjamin Esham wrote:
> > walterbyrd wrote:
> >
> > > I am working on a timecard app. When somebody logs in, it stamps his/her
> > > time.
> > >
> > > Problem is, I have to make sure that somebody is not logging in from a
> > > remote site. I want all the logins from one particular, on site, system.
> > >
> > > The app is part of another system, which is run online. It's not a local
> > > intranet, or anything.
> > >
> > > I am wondering if there is something unique I can create on the on-site
> > > system, which can be checked from the remote system, to ensure the
> > > employee logs into *that* system.
> >
> > http://us3.php.net/reserved.variables
> >
> > Take a look at REMOTE_ADDR and REMOTE_HOST.
> >
>
> I don't think that would be helpful for me. I need the server to verify
> a particular client. That client is behind a NAT, and the client
> address is set by DHCP, also the client IP address is very generic,
> i.e. 192.168.1.x.
>
> I need the server to check the client for something unique. Maybe a
> machine address, or a special hidden file.
>
> I am sure this can be done. Although maybe not from PHP. There are
> companies that have web-time-cards. I think the commercial
> web-time-card apps, may be initiated from an app on the client side. The
> desktop app then connects to the server.

If the client is behind NAT, then there is no way from your end to
verify, for certain, what machine it is. The best you can do is put
something on the client's end that they must submit that verifies who
they are.

The best way I can think of this would be to use a secondary program
that generates a certificate that is based on the machine they are
using, and that certificate is then submitted to your application for
verifications.

It has to be generated each time so that it has a new time stamp to
prevent copying of the file. The downside is the user has to do this
each time (though, you may be able to use flash or a java applet to
generate it, depending on how much system information is available to
these apps through the web browser).

An easier method would be to give the client a certificate and they
resubmit it each time they do the timecard.

On the server side, only issue 1 certificate. If the client requests a
second certificate, then it requires an administrator to do it. This
prevents them from logging into other computers and simply
redownloading the cert.

Use flash/java (we'll call it The App) to download a certificate from
the server and save it somewhere they can't find it. When they login
they'll have to use The App so that The App can upload the file and the
server can verify the identity.

Don't use an HTML form to upload the file. Then they know where the
cert is and can easily copy and paste it between computers.

The other option is you go to every machine and generate a certificate
for it and upload it to the server.

There's no foolproof way of identifying a computer, especially if it's
behind a NAT. You can use a big combination of cookies, sessions, user
logins, secret passwords, IP addresses, host names, etc, etc, but
they're all easily spoofed and subject to change. If you really,
really, need to identify the computer, you'll have to make something
clientside so you have access to the data on the machine to generate a
unique ID.
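
One way the server side of the issue-once, fresh-time-stamp scheme described in the post above could look in PHP 8; this is an added example, not code from the post or from any existing project. The class and function names and the HMAC-with-nonce proof format are assumptions, the in-memory arrays stand in for server-side storage, and the scheme only proves possession of the enrolled secret, so it is as strong as the protection of that secret on the client machine.

```php
<?php
// Added example: DeviceRegistry, enroll, verify and makeProof are hypothetical names.
final class DeviceRegistry
{
    private array $secrets = [];    // deviceId => secret issued at enrollment
    private array $seenNonces = []; // "deviceId:nonce" => timestamp, for replay rejection
    public function __construct(private int $maxSkew = 120) {}

    // Issue exactly one secret per device; re-issue needs an administrator.
    public function enroll(string $deviceId, bool $adminApproved = false): string
    {
        if (isset($this->secrets[$deviceId]) && !$adminApproved) {
            throw new RuntimeException('already enrolled; administrator must re-issue');
        }
        return $this->secrets[$deviceId] = bin2hex(random_bytes(32));
    }

    // Accept a login only with a fresh, unused, correctly signed proof.
    public function verify(string $deviceId, int $ts, string $nonce, string $mac, int $now): bool
    {
        if (!isset($this->secrets[$deviceId]) || abs($now - $ts) > $this->maxSkew) {
            return false; // unknown device or stale time stamp
        }
        $expected = hash_hmac('sha256', "$deviceId|$ts|$nonce", $this->secrets[$deviceId]);
        if (!hash_equals($expected, $mac)) {
            return false; // proof not made with the enrolled secret
        }
        if (isset($this->seenNonces["$deviceId:$nonce"])) {
            return false; // same proof submitted twice
        }
        $this->seenNonces["$deviceId:$nonce"] = $ts;
        return true;
    }
}

// What the client-side program computes on each login; the secret itself is never sent.
function makeProof(string $deviceId, string $secret, int $ts): array
{
    $nonce = bin2hex(random_bytes(16));
    return [$ts, $nonce, hash_hmac('sha256', "$deviceId|$ts|$nonce", $secret)];
}

// Constructed demo values: device name and timestamps are made up.
$registry = new DeviceRegistry();
$secret = $registry->enroll('timeclock-01');
[$ts, $nonce, $mac] = makeProof('timeclock-01', $secret, 1000);
var_dump($registry->verify('timeclock-01', $ts, $nonce, $mac, 1010)); // fresh proof
var_dump($registry->verify('timeclock-01', $ts, $nonce, $mac, 1011)); // replayed proof
var_dump($registry->verify('timeclock-01', $ts, $nonce, $mac, 5000)); // stale proof
```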
