
I want to implement an authenticated server that accepts requests from the command prompt as well. A user can get an authentication token with his username and password.

So the problem is that when he has that token, he can raise further requests from any machine with that token. I want to restrict the token to a single machine. So, any idea how to restrict it?

I have something in mind:

  • With IP and port number (I hope it is not a suitable solution, because changing the IP is easy)
Kartheek

1 Answer


With IP and port number (I hope it is not a suitable solution, because changing the IP is easy)

IP and port number don't work. If a user is behind a router with a local IP address, the same public IP address will be shared with other users.

Validate with some Vendor Id or Org Id (I thought it is also not an optimal solution).

I don't know about that.

I am thinking it is possible with a machine key. How to get the machine key with a request?

Do you mean the MAC address? Get the MAC of ASP.NET website user

Solution

The first thing I'll try is to set cookieless="AutoDetect". If it doesn't work, then I'll find an alternative solution.

<forms cookieless="AutoDetect" ... />

It basically embeds the SessionID in the URL if a user's browser doesn't support cookies.

Update 9/14/2013

So the problem is that when he has that token, he can raise further requests from any machine with that token. I want to restrict the token to a single machine. So, any idea how to restrict it?

A user can copy his AuthenticationToken and browse your site with the same AuthenticationToken from other browsers. Why would he want to do that, although he can? It is like sneaking into his own house although he has a key.

By default, the AuthenticationToken can only be accessed from the same browser on the same domain (unless you modify it). As long as you are using HTTPS, the AuthenticationToken cannot be hijacked easily (unless the user's computer is hacked). It is not worth spending time restricting the AuthenticationToken by IP.

Win
  • I updated the answer. Please do not alter the question otherwise my answer and your question won't match anymore. – Win Sep 17 '13 at 14:31
  • Here I am not going to make a request from a browser. I am just going to raise a request from the command prompt to get a token. With that token I can get some other user info, so a user can go to any machine and raise further requests. Of course, it happens only if the user is a hacker, but I want to protect against that scenario also. – Kartheek Sep 18 '13 at 01:51
  • When a user requests from the command prompt with correct credentials, you return a token. Then he uses that token on another machine and requests again. ***That token is his, and he is accessing his account ONLY. Everything is legit to me.*** It will be like accessing a Hotmail account from an iPad, iPhone and notebook at the same time. What is your concern? I don't get it. – Win Sep 18 '13 at 04:33
  • Yes, you are right. I am proceeding with that. But if I want to restrict it, is there any way to do it? – Kartheek Sep 22 '13 at 05:54
  • The MAC address is the only way to differentiate in your scenario. In order to achieve it reliably you need ActiveX, Java or ARP. I personally haven't tried it. Good luck! – Win Sep 22 '13 at 15:10
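Added example (not code from the question, the answer, or ASP.NET itself): the thread above rejects IP/port binding because addresses are shared and easy to change, and the last comment falls back to the MAC address. A different way to tie a token to one machine is to bind it to a secret the client generates once and keeps locally, so a copied token is useless without that per-device secret. The server never stores the secret; the token carries only its hash under an HMAC so it cannot be edited. Everything below is constructed for illustration: the key, the claim names `sub`/`dev`/`iat`/`exp`, and the one-hour lifetime are assumptions, not anything the page specifies. The same caveat as Win's answer applies: if the whole client machine is compromised and both the token and the device secret are copied, the binding no longer helps.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side signing key for this example; a real server loads it
# from a key store and rotates it. Tokens cannot be forged or edited without it.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the page states none


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_device_secret() -> str:
    """Run once on the client machine (e.g. first use of the command-line tool);
    stored locally with restrictive file permissions and never sent to a third party."""
    return secrets.token_urlsafe(32)


def device_fingerprint(device_secret: str) -> str:
    # Only the hash of the device secret is embedded in the token.
    return hashlib.sha256(device_secret.encode("utf-8")).hexdigest()


def issue_token(username: str, device_secret: str, now: Optional[float] = None) -> str:
    """Called after username/password succeed. The client sends its device secret
    with the login request; the token is bound to that device from then on."""
    now = time.time() if now is None else now
    claims = {
        "sub": username,
        "dev": device_fingerprint(device_secret),
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(tag)}"


def verify_token(token: str, presented_device_secret: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Every later request carries the token plus the device secret. Returns the
    username on success, None if the token is forged, expired, or presented from a
    machine that does not hold the secret it was bound to."""
    now = time.time() if now is None else now
    try:
        body_part, tag_part = token.split(".", 1)
        body = _b64d(body_part)
        tag = _b64d(tag_part)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None  # expired
    if not hmac.compare_digest(claims.get("dev", ""),
                               device_fingerprint(presented_device_secret)):
        return None  # token copied to a different machine
    return claims.get("sub")


if __name__ == "__main__":
    laptop = new_device_secret()          # generated on the user's own machine
    token = issue_token("kartheek", laptop)
    print(verify_token(token, laptop))    # kartheek
    print(verify_token(token, new_device_secret()))  # None: copied token, other machine
```

The check is deliberately independent of IP, port and MAC address, so NAT and address changes do not matter; what identifies the machine is possession of the secret, and rejecting a valid-looking token because `dev` does not match is exactly the event worth logging as a possible token theft.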