Restrected Login !!

ab4net

Hi all, wish you all fine 🙂
am wondering if some one can help in this ...
a client of mine, want to have a website, his employee have to log into the webiste and then start using there control panel ...
so far no problem for me, but he wanted those employee, as example employee AAA can only log in from his device which is PC1 and he cant log into the website from any other place ...
basicaly he dont want to allow them to use the website control panel out of office !! so i suggested that we create an EXE small program, this program when it runs, it creates some code to specific location let us say:
c:\windows\myfolder\secure\login\key.xxx
so when he log into the website, the webiste checks this file if available and open it to see also if it contains the proper username !! AAA or not !!!
this is did not try, iw anted to share the idea with you all friends 🙂
and see if you can help me in better solution ...

thanks alot in advance ...

thorpe

if you wanted to do anything like that you would need to use activeX, php cant read files on client machines (except cookies). maybe you would be best to try and restrict access to only a certain ip?

ab4net

no it dosent work for IP's because the IP's all is dynamic not static ...
so sure PHP cant make it !!!
can you direct me how to make it using the ActiveX !!???
or no IDEA ...? and what is ActiveX 🙁
regards,

justsomeone

interesting problem.

Are the IP's in the office allocated by a server on the office network running DHCP? Or are they allocated by an ISP? Do all internet requests from the office go through a proxy server? If so, they will all appear to come from the same IP address to a server "outside" on the net, and you can easily check for that.

If you try to use a file on the PC (cookie or just a text file), all someone has to do is copy that file to another PC. It's not very secure.

ab4net

ya sure, but till he find out this GAP in the security, it takes time 🙂 so in that mean time i can find a solution ...
by the way i decided to try it tonight, i'll place a file and let the script read it !!!
i dont know i feel it should work, or i have to create a session with long life time, hey advices appreciated 🙁
i dont know, how is the DONGLE thing works, cant we make a dongle for website !!?!?!!!?
it should be right ?!

justsomeone

A PHP script running on a server cannot read a file on a client PC, unless that client PC is already sharing the file over some network which the server has access to. The very same applies to a dongle or any other client side solution.

Active X is a Microsoft technology which allows some clientside scripting, but I don't know much more about it.

Can you answer my questions about the IP setup?

🙂

ab4net

all the IP's are distibuted by DHCP server, and the main gatewar to internet has a dynamic IP from the ISP, it changes so frenquently !!!

rgermain

Not sure if this idea is of much help, but you could also do on a time basis. Most companies are only open between certain hours. Make a script on the server that checks the time of day and make sure it is business hours in order for them to login, I guess it wouldn't stop them if they were home sick, but it would curve some of the problem.

Also,
Maybe tell them they will need to be setup up on some sort of Intranet that isn't accessable to the outside world. That would cure pretty much all of it.

justsomeone

ab4net wrote:
all the IP's are distibuted by DHCP server, and the main gatewar to internet has a dynamic IP from the ISP, it changes so frenquently !!!

Hmmm... you should make this your boss' problem. Tell him to get a static IP for his gateway 🙂

One option would be to have a password protected page on your site which only you know the details to. Have that page set a permanent cookie. Then make your login script check for that cookie. If the cookie doesn't exist, don't log them in.

Then you go around all of the "approved" PC's, access your password-protected page and this will set your cookie.

As I said, the cookie could just be copied from one PC to another, but I think you said you were prepared to accept this risk.

ab4net

the problem is he is a client not boss 🙂
and he dont want to buy static IP, it cost here about 1000$ monthly to get a static IP, because you have to upgrade your connection to be so expensive in regards to have static IP 🙁
any way, i'll do my best to have some thing else ...
i think ActiveX will do it, but i dont know where to start from in activeX !!
can any one advice .. ?

one of my friends, told me that i have to make EXE, that has a login form, and no login form on the website, so no one can log into there (the restrected area), unless he have installed the EXE program and uses its login form, and the form should be connected to the website to create a session ...
i dont know whats your oppenion guys ??

(dont forget to advice about activeX also)

justsomeone

OK, so a static IP is not an option 🙂

Active X is, but I'm afraid I know nothing about it.

Writing an exe is as well, but you would have to design it carefully. The exe will still have to send details to a form on your website, so once anyone discovers what details are being sent to the website, they can just send those details without usin the exe.

Cookies, as I have described, might be an option.

Another option would be to configure your browser in a special way. One example would be (if your browser is Firefox) to go into Tolls->Options-General->Languages and add an unusual combination of languages eg Welsh and Xhosa to the bottom of the list. Do this on each of your "approved" PC's. This shouldn't affect browing of normal sites, but your site could scroll through the requested languages and only allow people in if they have these lanuages set. Your script can see which languages the user has requested in the variable $_SERVER["HTTP_ACCEPT_LANGUAGE"] where they are stored as a semi-colon separated list.

ab4net

i think ill go to the EXE solution, and i found a nice way to make the variables sent by the EXE dynamic not static, as example, the EXE program connects to a database online and get a strings from it, which is as example KEY1, KEY2 (encrypted in some way) and then send those KEYS to the online FORM, i have then just to update the KEYs Strings weekly or some thing like that ...
this is an idea also 🙂 ...
more question, what you suggest to build the EXE by, VB or C# or other ?! am okay in those 2 ... but i think i need refreshment 🙁
hey, thanks alot, tell me your opinion !!