In need of advice about restricting access to university website

Davidc316

Hi ho,

A person from my old uni has asked me to lend a hand with their website. Basically they want a few bells and whistles and a bit of design work... bla bla bla.

Anyway, there's one aspect of the project that I'm a bit unsure of and I was wondering if any of you folk could point me in the right direction....

The university has around 1,300 internet connected computers on campus (mostly located in the library and scattred around various departments). They are wanting to have their site built so that people accessing from a computer located at the Uni (say, the library) can view webpages with slightly sensitive info about coursework, current staff/students and so on. Conversely, they want people visiting the site from outside the Uni to be restricted to viewing a watered-down version of the site.

So, my problem is how to achieve this using PHP.

I am fully aware of the "normal" authentication techniques (usernames, passwords, and so on), but the access restrictions for this particular website would ideally happen automatically without a need for typing in passwords or usernames.

I am also aware of the techniques that can be used in PHP to restrict access based on IP address. But, sadly, this technique does not appear to be 100% safe and, perhaps even more seriously, the idea of checking 1,300 seperate IP address upon every single page visit is a complete non starter- it would take a lifetime to program and would make the website work at snail's pace.

Does anyone know of any PHP techniques that can control website access for an entire network of computers?

Thanks!

dalecosp

Hmm, sounds a bit tricky. My first question to them is "so you want the GP (general public) to view the same pages, only with the sensitive stuff left out, or do you want some pages restricted to only on campus viewing?" I have a feeling from your post that it's the latter, but I'm not exactly sure....

But you say, "it's gonna be tough?" What's so tough about 1300 computers being checked? One computer can scan 1300 IP's in a matter of milliseconds, can't it?

Are they all publicly routable addresses? It kinda sounds that way "1300 internet connected computers" doesn't exactly tell me. Even if they are, the University's IP allotment should be fairly contiguous. Or, are they private class C's that are attached via routers? Or .... whatever. First find out about the network's topography, and then you can make what might be a better decision.

Say they had 10 class C's in the 192.168 private namespace. Parse $REMOTE_ADDR and use strlen() or somesuch to grab the first three quads ... if it's not 192.168.0.xxx, 192.168.1.xxx, .........192.168.10.xxx, it's alien.

Or, what if the addys' are all routable? Likely that they have nothing more than a B class, so anything that's not from XXX.YYY.(nnn.nnn) is not wanted, right?

What if the buildings each have a publicly routable gateway --- the rest of the boxen are hiding behind NAT. Well, then you just check a list of one IP for each building. Surely there's not thirteen hundred of them.

Hmm, maybe establish a session variable based on the remote IP and don't bother checking for every page as long as you check for the session var?

And, perhaps there are other strategies. Name based virthosting on a firewalled interface, for example.

You can do it!! 🙂

Davidc316

Thanks!

I feel totally motivated now! 😃

What a great start to 2004.

Happy New Year!!!!