
How to prevent a user from connecting to my web app from an unauthorized device?

Hi, I need to implement something to prevent users from connecting to a web app from another computer or mobile device that is not authorized. For example, if the user enters the username and password correctly and the computer or mobile device is authorized by the company, access is granted, but if the user is on another computer or mobile device, the login to the web app must be rejected.

Also, the user can be connected to the internet from any place and use this web app, but only if they are using the authorized devices to do it.

I thought of using the MAC address to accomplish this, but I don't know if this is the correct approach.

So, does anyone have any suggestions?

Edit: This web app is an in-house app with access to the company's sales and inventory, so only the devices provided by the company may access the web app.

The MAC address is a poor choice since it is fairly trivial to forge (aside from the difficulties in obtaining it via JavaScript). You're going to have that problem with almost any scheme, since you are relying on user-controlled content to tell you that the device is authorized. Cookies, even "random" ones, have the same forgery problem.

How are devices authorized? How secure does it need to be? Why must access be limited to only authorized devices?

I see 2 possibilities here:

  1. This requirement is a misguided attempt to exert control over the end user of the application, and there are no real security issues beyond those already being addressed via the traditional authentication methods (i.e. login/password).
  2. There is a legitimate need to validate that the device being used by the user meets some level of security (e.g. virus protection, located in a physically secure location, etc.). In that case, I am not qualified to build such a solution (and certainly not in a StackOverflow answer), and, judging from your question, neither are you. Even if you come up with a solution you are convinced is secure, I can guarantee it isn't.

A truly secure implementation would probably make use of public key encryption and some sort of signature from the authorized device. Even that signature could be forged, especially for a browser-based solution, which is why so many companies are interested in the Trusted Platform Module.

You cannot get the MAC address of a device directly without access to Java plugins, native programming, ActiveX, etc.

The usual way to do something like this (read: Facebook detecting when you have not logged in from a location before) is to set a cookie on the devices that are authorized. Store a list of these cookies on the server and check to make sure you are getting the right cookie when the user attempts to use the device. The cookie should be random, with little chance of collision. You might even get fancy and update the cookie with a new value each time the user logs on. Basically, what you are looking for is exactly the same as the "Remember Me" login systems.
