简体繁体 English

如何防止用户将未经授权的设备连接到我的Web应用程序？

[英]How to prevent user to connect from un-authorized device to my web app?

原文 2013-04-30 03:09:01 6 2 javascript/ asp.net/ html/ vb.net

Hi I need to implement something to prevent users connect to a webapp, from another computer or mobile that it's not authorized, for example if the user enters the user and password correctly and the computer or mobile its authorized by the company grants permission to access, but if the user is on another computer or mobile device this must to reject the login to the webapp. 嗨，我需要采取一些措施来防止用户从未经授权的另一台计算机或移动设备连接到Web应用程序，例如，如果用户正确输入了用户名和密码，并且公司授权的计算机或移动设备授予了访问权限，但是如果用户在另一台计算机或移动设备上，则必须拒绝登录Web应用程序。

Also the user can be connected to internet on any place and use this webapp, but only if is using the authorized devices to do it. 用户也可以在任何地方连接到Internet并使用此Web应用程序，但前提是使用授权设备进行操作。

I thought on use the mac address to accomplish this, but I don't know if this is the correct approach. 我曾考虑过使用mac地址来完成此操作，但我不知道这是否是正确的方法。

So anyone have any suggestions? 所以有人有什么建议吗？

Edit: This webapp is a in house app, with access to sells and inventory, of the company so the only the devices that are provided by the company can access to the webapp. 编辑：此Web应用程序是公司内部的应用程序，可以访问公司的销售和库存，因此公司提供的唯一设备可以访问Web应用程序。

2 个解决方案

The MAC address is a poor choice since it is fairly trivial to forge it (aside from the difficulties in obtaining it via javascript). MAC地址是一个糟糕的选择，因为伪造它非常简单（除了很难通过javascript获取它）。 You're going to have that problem with almost any scheme since you are relying on user-controlled content to tell you that the device is authorized. 由于您依赖用户控制的内容来告诉您该设备已获得授权，因此几乎所有方案都将遇到该问题。 Cookies, even "random" ones, have the same forgery problem. Cookies，甚至是“随机”饼干，也存在相同的伪造问题。

How are devices authorized? 设备如何获得授权？ How secure does it need to be? 它需要多安全？ Why must access be limited to only authorized devices? 为什么必须将访问限制为仅授权设备？

I see 2 possibilities here: 我在这里看到2种可能性：

This requirement is a misguided attempt to exert control over the end-user of the application and there are no real security issues, beyond those already being addressed via the traditional authentication methods (ie login/password). 此要求是对应用程序的最终用户施加控制的错误尝试，除了已经通过传统的身份验证方法（即登录名/密码）解决的安全问题以外，没有真正的安全问题。
There is a legitimate need to validate that the device being used by the user meets some level of security (eg virus protection, located in a physically secure location, etc.). 合法需要确认用户使用的设备符合某种级别的安全性（例如，病毒防护，位于物理安全位置等）。 In that case, I am not qualified to build such a solution (and certainly not in a StackOverflow answer), and, judging from your question, neither are you. 在那种情况下，我没有资格构建这样的解决方案（当然也不在StackOverflow答案中），并且从您的问题来看，您也不是。 Even if you come up with a solution you are convinced is secure, I can guarantee it isn't. 即使您提出了一个确信是安全的解决方案，我也可以保证它不是安全的。

A truly secure implementation would probably make use of public key encryption and some sort of signature from the authorized device. 真正安全的实现可能会利用公钥加密和来自授权设备的某种签名。 Even that signature could be forged, especially for a browser-based solution, which is why so many companies are interested in the trusted platform module . 甚至可以伪造该签名，尤其是对于基于浏览器的解决方案而言，这就是为什么如此多的公司对受信任的平台模块感兴趣的原因。

You cannot get the mac address of a device directly without access to java plugins, native programming, active x, etc. 如果无法访问Java插件，本机编程，活动X等，则无法直接获取设备的MAC地址。

The usual way to do something like this (read Facebook detecting when you have not logged in from a location before) os to set a cookie on the devices that are authorized. 这样做的通常方法（阅读Facebook会检测到您之前未从某个位置登录过），以便在经过授权的设备上设置Cookie。 Store a list of these cookies on the server and check to make sure you are getting the right cookie when the user attempts to use the device. 将这些cookie的列表存储在服务器上，并检查以确保在用户尝试使用设备时获得正确的cookie。 The cookie should be random with little chance of collision. Cookie应该是随机的，发生碰撞的可能性很小。 You might even get fancy and update the cookie each time the user logs on with a new value. 您甚至可能会幻想每次用户使用新值登录时更新cookie。 Basically, what you are looking for is exactly the same as the "Remember Me" login systems. 基本上，您要查找的内容与“记住我”登录系统完全相同。