Hi, I need to implement something to prevent users from connecting to a webapp from another computer or mobile device that is not authorized. For example, if the user enters the username and password correctly and the computer or mobile device is authorized by the company, it grants permission to access; but if the user is on another computer or mobile device, it must reject the login to the webapp.
Also, the user can be connected to the internet from any place and use this webapp, but only if they are using the authorized devices to do it.
I thought of using the MAC address to accomplish this, but I don't know if this is the correct approach.
So does anyone have any suggestions?
Edit: This webapp is an in-house app with access to the company's sales and inventory, so only the devices provided by the company can access the webapp.
The MAC address is a poor choice since it is fairly trivial to forge (aside from the difficulties in obtaining it via JavaScript). You're going to have that problem with almost any scheme, since you are relying on user-controlled content to tell you that the device is authorized. Cookies, even "random" ones, have the same forgery problem.
How are devices authorized? How secure does it need to be? Why must access be limited to only authorized devices?
I see 2 possibilities here:
A truly secure implementation would probably make use of public key encryption and some sort of signature from the authorized device. Even that signature could be forged, especially for a browser-based solution, which is why so many companies are interested in the trusted platform module.
You cannot get the MAC address of a device directly without access to Java plugins, native programming, ActiveX, etc.
The usual way to do something like this (read: Facebook detecting when you have not logged in from a location before) is to set a cookie on the devices that are authorized. Store a list of these cookies on the server and check to make sure you are getting the right cookie when the user attempts to use the device. The cookie should be random with little chance of collision. You might even get fancy and update the cookie each time the user logs on with a new value. Basically, what you are looking for is exactly the same as the "Remember Me" login systems.
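The device-cookie design this answer describes, and the forgery concern raised in the answer above it, as an added Python example that is not code from either answer or from any particular webapp. It assumes a constructed in-memory store (the `DeviceRegistry` class and the device labels are hypothetical names), stores only hashes of the issued cookies, rotates the cookie on every successful login, and treats a login that presents the cookie rotated out last time as evidence the cookie was copied, revoking that device.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # constructed value; tune for the deployment


def hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class DeviceRecord:
    label: str                            # e.g. "company-laptop-17" (hypothetical)
    current_hash: str                     # hash of the cookie the device should hold now
    previous_hash: Optional[str] = None   # hash rotated out on the last successful login
    revoked: bool = False


@dataclass
class DeviceRegistry:
    # user -> company-issued devices (constructed in-memory store, not a real DB)
    _devices: Dict[str, List[DeviceRecord]] = field(default_factory=dict)

    def enroll_device(self, user: str, label: str) -> str:
        """Enroll a company device for `user`; return the cookie value to set once."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: collisions are negligible
        self._devices.setdefault(user, []).append(DeviceRecord(label, hash_token(token)))
        return token

    def verify_and_rotate(self, user: str, presented: Optional[str]) -> Optional[Tuple[str, str]]:
        """Return (new_cookie, device_label) if `presented` matches an enrolled,
        unrevoked device. A cookie that was rotated out on the previous login means
        two parties hold copies, so that device is revoked and None is returned."""
        if not presented:
            return None
        digest = hash_token(presented)
        for rec in self._devices.get(user, []):
            if rec.revoked:
                continue
            if hmac.compare_digest(rec.current_hash, digest):
                new_token = secrets.token_urlsafe(32)
                rec.previous_hash = rec.current_hash
                rec.current_hash = hash_token(new_token)
                return new_token, rec.label
            if rec.previous_hash and hmac.compare_digest(rec.previous_hash, digest):
                rec.revoked = True  # replay of a superseded cookie: treat as copied
                return None
        return None


def make_password_record(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored, candidate)


def login(registry: DeviceRegistry, user_db: Dict[str, Tuple[bytes, bytes]],
          username: str, password: str, device_cookie: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Grant access only when BOTH the password and the device cookie check out.
    Returns (granted, cookie_to_set); the caller stores the new cookie on success."""
    record = user_db.get(username)
    if record is None or not check_password(record, password):
        return False, None  # wrong password: do not touch the device state
    result = registry.verify_and_rotate(username, device_cookie)
    if result is None:
        return False, None  # right password, but not from an authorized device
    new_cookie, _label = result
    return True, new_cookie


if __name__ == "__main__":
    # Constructed walk-through: enroll one device, log in, then replay the old cookie.
    registry = DeviceRegistry()
    users = {"alice": make_password_record("correct horse battery")}
    first_cookie = registry.enroll_device("alice", "company-laptop-17")
    print(login(registry, users, "alice", "correct horse battery", first_cookie)[0])  # True
    print(login(registry, users, "alice", "correct horse battery", None)[0])          # False
    print(login(registry, users, "alice", "correct horse battery", first_cookie)[0])  # False, device revoked
```

When setting the cookie in a real webapp, mark it `Secure`, `HttpOnly` and `SameSite` so it is only sent over TLS and cannot be read by page scripts; rotation does not stop a copied cookie from being used once, but it does make the copy visible on the next legitimate login, which is the most a cookie-based scheme can offer against the forgery problem the first answer points out.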