2

I am working on a web app that will be used by restaurants to let the cashier access data about clients, reservations and so on.

One of my test clients, though, said he would like to allow cashiers to access the web app only when they are at the restaurant computer. In other words, he doesn't want his employees to be able to log into the web app and access client info from their homes or from some other location/computer.

My first thought was to check the IP address of the client on the web app, and only allow certain IPs (i.e. the IPs of the restaurant connection) to access it.

The problem is that the Internet connection at most restaurants uses DHCP, so their IP keeps changing. I could check only the first 2 bytes of the IP (e.g., 106.280), but this wouldn't be 100% secure, and on some ISPs even the second byte will change from time to time.

Any other ideas on how I can solve this problem?

Thanks in advance.

Daniel Scocco
  • You sure most restaurants use dynamic IP addresses? I find that hard to believe but then again don't know too much about the industry. Cookies are always a method but obviously those can be removed by somebody within the primary location. – JM4 Mar 11 '13 at 19:58
  • @JM4, I am located in Brazil, and most restaurants here simply get the cheapest ADSL connection they can get, and that usually uses DHCP. – Daniel Scocco Mar 11 '13 at 20:00
  • @JM4, cookies might work indeed. I'll give it some thought, thanks. – Daniel Scocco Mar 11 '13 at 20:01
  • possible duplicate of [is it possible to limit access to website to specific computer?](http://stackoverflow.com/questions/5589638/is-it-possible-to-limit-access-to-website-to-specific-computer) – Eugene Mayevski 'Callback Mar 11 '13 at 20:13
  • haha @EugeneMayevski'EldoSCorp - I was going to say - I am pretty sure I've either seen or possibly asked this question before. – JM4 Mar 11 '13 at 20:21
  • Also read this answer to the same question: http://stackoverflow.com/questions/3189239/how-to-restrict-access-to-web-application-to-one-machine-only#3189301 – MortezaE Mar 07 '14 at 21:50

2 Answers

8

The best way to do this would be to use client side certificate authentication.

http://www.impetus.us/~rjmooney/projects/misc/clientcertauth.html

Eric
  • This is a good solution, though the users _could_ export the certificates and install them on their own machines. Your average cashier isn't going to know how to do this though. – AndrewR Mar 11 '13 at 20:02
  • A few things. 1) The cashier already has access, so why would they need to install the cert on their own machine? 2) I'm assuming that the cashier wouldn't have access to the machine in any sort of administrative way that would allow them to export it. 3) You could also add an additional layer of security in the application, such as the dynamic addresses, so that they need the certificate and an IP. – Eric Mar 11 '13 at 20:08
  • @AndrewR You can put certificates as non-exportable (i.e. the private key can't be exported off the computer) and/or store them on USB cryptotokens (not USB flash memory but cryptotokens) from where the private keys can't be extracted. – Eugene Mayevski 'Callback Mar 11 '13 at 20:15
0

Like @Eric said, it might work fine. Plus, you can self issue a certificate, it doesn't have to be purchased. The only difference is you will get the "Certificate Authority" warning when using it for the first time in a browser.

But a self-issued certificate might be a simple fix.

fizzy drink
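Worked example of what Eric's answer (client-side certificate authentication) and fizzy drink's follow-up (a self-issued CA rather than a purchased certificate) amount to in practice. This is an added example, not code from either answer: it creates a private CA owned by the web app operator, issues one certificate per restaurant terminal, packages it for import on that machine, and then performs the same check the web server does, namely that the presented certificate chains to the private CA. The organisation and terminal names ("Restaurant 42", "restaurant-42-terminal-1"), the password and the temporary paths are made up for the demonstration; the nginx directives mentioned in the comments (ssl_verify_client, ssl_client_certificate, ssl_verify_depth, $ssl_client_s_dn) are the real ones for enforcing this on the server side. The extra IP check Eric suggests as a second layer is a separate application-level test and is not shown here.

```shell
#!/bin/sh
# Added example (not from the original thread): private CA, one client certificate
# per restaurant terminal, and the server-side verification of that certificate.
# All names, paths and the PKCS#12 password below are assumptions for the demo.
set -e

WORK=$(mktemp -d)

# 1. Private CA owned by the web app operator. The CA key never leaves the
#    operator; the web server only needs ca.crt to recognise terminals.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/CN=Restaurant App Terminal CA" -out "$WORK/ca.crt"

# 2. One key pair and certificate per terminal. The CN names the restaurant and
#    the machine, so the app can map a connection to a tenant, not just "some cert".
openssl genrsa -out "$WORK/terminal.key" 2048 2>/dev/null
openssl req -new -key "$WORK/terminal.key" \
    -subj "/O=Restaurant 42/CN=restaurant-42-terminal-1" -out "$WORK/terminal.csr"
openssl x509 -req -in "$WORK/terminal.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/terminal.crt" 2>/dev/null

# 3. Bundle key + certificate as PKCS#12 for import into the terminal's
#    browser/OS certificate store. On Windows, import with "Mark this key as
#    exportable" left unchecked so the private key cannot later be copied
#    to a home machine (the concern raised in AndrewR's comment).
openssl pkcs12 -export -inkey "$WORK/terminal.key" -in "$WORK/terminal.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/terminal.p12"

# 4. Failure case: a certificate with the identical subject but signed by someone
#    else (here self-signed). The chain to our CA, not the name, proves the terminal.
openssl genrsa -out "$WORK/rogue.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/rogue.key" -days 1 \
    -subj "/O=Restaurant 42/CN=restaurant-42-terminal-1" -out "$WORK/rogue.crt"

# Server-side check. This is what nginx performs when configured with
#   ssl_verify_client on;  ssl_client_certificate /etc/nginx/ca.crt;  ssl_verify_depth 1;
# before exposing the subject to the app as $ssl_client_s_dn.
# Prints the CN on success; returns non-zero if the chain does not end at our CA.
verify_terminal_cert() {
    cert="$1"
    openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
    # The sed pattern copes with both "subject= /O=.../CN=..." (OpenSSL 1.0)
    # and "subject=O = ..., CN = ..." (OpenSSL 1.1 and 3.x) output formats.
    openssl x509 -in "$cert" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

echo "accepted terminal: $(verify_terminal_cert "$WORK/terminal.crt")"
if verify_terminal_cert "$WORK/rogue.crt"; then
    echo "BUG: rogue certificate accepted"
    exit 1
else
    echo "rejected rogue certificate (same CN, wrong issuer)"
fi
```

The terminal's browser imports terminal.p12 once; from then on the server refuses the TLS handshake from any client that cannot present a certificate issued by ca.crt, so a cashier's home browser never reaches the login page at all. Because the server is told explicitly to trust this private CA, no purchased certificate is involved and no "unknown CA" warning arises from the client certificate itself; the server's own HTTPS certificate is a separate matter. The application should still treat the CN (or the full subject DN) as the terminal's identity and bind it to the tenant, since a valid certificate from restaurant 42 must not be usable for restaurant 43's data.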