5

I need to make sure that every user accessing my web application can do that from one machine only, so 100 users would mean 100 machines. What would be the best solution? Is detecting and storing the IP during first login a good idea? I think the IP might change even during the lifetime of the session; is that right? I was also thinking of storing a cookie when the user first logs in, then assigning this cookie to the user, the same as I already do with the password and username, and every time the application is accessed, checking for the presence of that cookie.

Please let me know what in your opinion would be the best solution. My backend is PHP/MySQL, if that matters.

EDIT: I need to clarify... This is in addition to normal session management. I need to restrict users so that they can log in to the web application from one specific machine only. So if a user originally logged in from his computer at work and I stored its IP/cookie/etc., then the client logs out (or even doesn't), goes home and tries to log in, he won't be able to do that. I agree it's a horrible idea but the client insists :)

spirytus
  • Added the PHP and MySQL tags. – mcandre Jul 06 '10 at 18:53
  • The IP is not a good solution - multiple computers can be behind a router, so they'd all have the same IP when accessing your site. – OMG Ponies Jul 06 '10 at 18:57
  • Why do you want to build in this restriction? I use several machines to visit several sites, I would be really offended if you didn't allow me to visit your site from other computers, too. Perhaps related: [Creating a PHP web app to allow users to vote on submissions - How can I minimize abuse](http://stackoverflow.com/questions/2602702/creating-a-php-web-app-to-allow-users-to-vote-on-submissions-how-can-i-minimize)? – Marcel Korpel Jul 06 '10 at 19:12
  • @Marcel Korpel: I remember having to deal with users editing the same page, but from two different browser windows... – OMG Ponies Jul 06 '10 at 19:30

6 Answers

7

The IP address might change in the case of mobile clients, or clients that switch between wired and wireless networks. Your best bet would probably be to provide a randomly-generated UID to each client when it first connects (if it doesn't already have the cookie). Then you can check that the same username isn't connecting using two different UIDs.

The trick is that you need to make sure to time this UID out, so that if the user goes to another computer they aren't locked out. Perhaps one change to the UID is okay, but they can't go back to a UID that's already been used?

Curtis
2

You can limit to a single user agent by issuing the client a client-side SSL certificate created with the keygen element. This gets the browser to generate a key pair, keeping the private key in the user agent; then you receive an SPKAC, which you can use with openssl to create a certificate, which you then send back to the user agent. It installs it, and it can be used to identify the user in that specific browser only via HTTP+TLS from then on.

Anything else simply won't work 100% - although you can hack ways that appear to work (until something goes wrong and it doesn't work) :)

nathan
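
The server side of the scheme in the answer above, as an added example that is not the answer's own code. Enrolment verifies the SPKAC that `<keygen name="spkac">` posts and hands the public key to a CA; afterwards every request is accepted only if mod_ssl validated a client certificate whose SHA-256 fingerprint is the one recorded for the user. The `$_SERVER` variable names are Apache mod_ssl's (`SSLOptions +ExportCertData` is required for `SSL_CLIENT_CERT` to be populated); the challenge, the user, the `$_SERVER` array and the fingerprint store are constructed for the demo, and the certificate is self-signed in-process only so that a PEM exists to check. One caveat for anyone reading this today: current browsers have removed the `<keygen>` element, so the enrolment step now has to happen through another channel (for example a PKCS#12 bundle issued by the CA); the per-request fingerprint check is unchanged.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original answer. Names of the $_SERVER entries are
// Apache mod_ssl's; everything else (challenge, user, store, request array) is constructed.

// Step 1, enrolment: check the SPKAC's self-signature and that it answers our challenge
// (otherwise an SPKAC captured from someone else's enrolment could be submitted).
function publicKeyFromSpkac(string $spkac, string $expectedChallenge): ?string {
    $spki = preg_replace('/^SPKAC=/', '', $spkac);          // ext/openssl wants the bare value
    if (!openssl_spki_verify($spki)) {
        return null;
    }
    $challenge = openssl_spki_export_challenge($spki);
    if ($challenge === false || !hash_equals($expectedChallenge, $challenge)) {
        return null;
    }
    $pem = openssl_spki_export($spki);                        // PEM public key for `openssl ca -spkac`
    return $pem === false ? null : $pem;
}

// Step 2, every request: trust only what mod_ssl verified against SSLCACertificateFile,
// then pin the certificate to the user record by fingerprint, not just by DN.
function clientCertMatchesUser(array $server, string $storedFingerprint): bool {
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS' || empty($server['SSL_CLIENT_CERT'])) {
        return false;                                         // no cert, or chain not trusted
    }
    $fp = openssl_x509_fingerprint($server['SSL_CLIENT_CERT'], 'sha256');
    return $fp !== false && hash_equals($storedFingerprint, $fp);
}

// --- demo: play both the browser and the CA in-process --------------------------------
$challenge = bin2hex(random_bytes(16));                       // server issues this with the form
$key   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$spkac = openssl_spki_new($key, $challenge, OPENSSL_ALGO_SHA256);   // what the browser would POST
echo publicKeyFromSpkac($spkac, $challenge) !== null ? "SPKAC verified\n" : "SPKAC rejected\n";
echo publicKeyFromSpkac($spkac, 'other-challenge') === null ? "replayed SPKAC rejected\n" : "BUG\n";

// A real CA signs the SPKAC's key; a self-signed cert stands in here just to obtain a PEM.
$csr = openssl_csr_new(['commonName' => 'alice'], $key, ['digest_alg' => 'sha256']);
$crt = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
openssl_x509_export($crt, $certPem);
$stored = ['alice' => openssl_x509_fingerprint($certPem, 'sha256')];   // recorded at enrolment

// Constructed request environment as mod_ssl would populate it.
$request = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $certPem, 'SSL_CLIENT_S_DN_CN' => 'alice'];
echo clientCertMatchesUser($request, $stored['alice']) ? "alice: accepted\n" : "alice: rejected\n";
$request['SSL_CLIENT_VERIFY'] = 'NONE';                       // browser presented no certificate
echo clientCertMatchesUser($request, $stored['alice']) ? "BUG\n" : "no cert: rejected\n";
```

The fingerprint comparison matters because the DN is chosen by whoever fills in the enrolment form; a second certificate issued for the same CN (after a "lost laptop" request, say) would pass a DN-only check, whereas the stored fingerprint only ever matches the one certificate that was issued for that machine.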
0

The best solution is already built into the web server, depending on which one you are using. That's what sessions are for. In ASP.NET/IIS, usually there is a 20-minute session timeout.

So if a user uses another computer to access your web application, then the session timeout will release the connection from the machine that is idle.

UPDATE

You might want to consider restricting users by the MAC addresses of their machines, which are unique.

SoftwareGeek
0

Unfortunately, an IP is not machine-specific for multiple reasons:

  1. The IP address could change during the session, with no notice (the user might not even be aware of it)
  2. Most users have a dynamic IP, so it most definitely will change at some point
  3. For machines such as a laptop, tablet or cell phone, the IP address is based on the current service provider
  4. All users behind a proxy would appear to you as a single IP, so you still wouldn't be able to detect if they moved from one machine to another

Instead, generate some kind of unique key for the session and track it in combination with the user name. Prevent them from logging in if the same user name is already in another active session. (You'll also want some way to automatically flush these, just in case you lose the session-end event.)

GalacticCowboy
  • This could be an internally based application. If it's a system running on a single domain, the IPs will be more predictable but still not unique (depending on the lease the IPs get) – Brendan Bullen Jul 06 '10 at 21:47
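
Curtis's answer (a random UID in a cookie that times out, with no going back to a used UID) and GalacticCowboy's answer just above (refuse a login while the same user name is in another active session, and flush that state automatically) describe the two halves of one mechanism. The following is an added example, not code from either answer, implementing both in PHP for the asker's PHP/MySQL stack. It uses an in-memory SQLite database through PDO so it runs from the command line; the table, column and function names, the two TTL values and the timestamps are assumptions made for the demo, and the password check is assumed to have passed before `loginFromDevice()` is called.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original answers: bind a user to one machine with a
// random device token in a cookie, time the binding out on inactivity, refuse logins while
// the bound machine's session is still live, and never accept a retired token again.
// PDO + in-memory SQLite so it runs from the CLI; schema, names and TTLs are assumptions.

const SESSION_TTL      = 20 * 60;         // idle seconds before the bound machine's session counts as dead
const DEVICE_TOKEN_TTL = 30 * 24 * 3600;  // idle seconds before the device binding itself lapses
const COOKIE_NAME      = 'device_token';

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, device_hash TEXT, device_last_seen INTEGER)');
    $db->exec('CREATE TABLE retired_devices (username TEXT, device_hash TEXT, PRIMARY KEY (username, device_hash))');
    $db->exec("INSERT INTO users (username) VALUES ('alice')");
    return $db;
}

// Only the SHA-256 of the token is stored, so a copy of the table cannot be replayed as a cookie.
function tokenHash(string $token): string { return hash('sha256', $token); }

// Attributes for setcookie(COOKIE_NAME, $token, deviceCookieOptions($now)) (PHP 7.3+):
// unreadable from script, HTTPS only, never sent on cross-site requests.
function deviceCookieOptions(int $now): array {
    return ['expires' => $now + DEVICE_TOKEN_TTL, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Strict'];
}

function refreshBinding(PDO $db, string $username, int $now): void {
    $db->prepare('UPDATE users SET device_last_seen = ? WHERE username = ?')->execute([$now, $username]);
}

// Decide whether $username may log in from the machine presenting $cookieToken (null when the
// cookie is absent). Returns ['ok', 'reason', 'newToken']; a non-null newToken must be sent
// back with setcookie() using deviceCookieOptions().
function loginFromDevice(PDO $db, string $username, ?string $cookieToken, int $now): array {
    $stmt = $db->prepare('SELECT device_hash, device_last_seen FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['ok' => false, 'reason' => 'unknown user', 'newToken' => null];
    }
    $presented = $cookieToken === null ? null : tokenHash($cookieToken);

    // A token retired for this user is never valid again ("can't go back to a UID already used").
    if ($presented !== null) {
        $chk = $db->prepare('SELECT 1 FROM retired_devices WHERE username = ? AND device_hash = ?');
        $chk->execute([$username, $presented]);
        if ($chk->fetchColumn() !== false) {
            return ['ok' => false, 'reason' => 'retired device token', 'newToken' => null];
        }
    }

    if ($row['device_hash'] !== null) {
        $idle = $now - (int) $row['device_last_seen'];
        if ($presented !== null && hash_equals($row['device_hash'], $presented)) {
            refreshBinding($db, $username, $now);            // same machine: keep the binding alive
            return ['ok' => true, 'reason' => 'bound device', 'newToken' => null];
        }
        if ($idle < SESSION_TTL) {                           // the other machine is still in a live session
            return ['ok' => false, 'reason' => 'already active on another machine', 'newToken' => null];
        }
        if ($idle < DEVICE_TOKEN_TTL) {                      // session dead, but the binding has not lapsed
            return ['ok' => false, 'reason' => 'account is bound to another machine', 'newToken' => null];
        }
        // Binding lapsed: retire the old token, then bind the machine in front of us.
        $db->prepare('INSERT INTO retired_devices (username, device_hash) VALUES (?, ?)')
           ->execute([$username, $row['device_hash']]);
    }

    $token = bin2hex(random_bytes(32));                      // 256 bits from the CSPRNG, 64 hex chars
    $db->prepare('UPDATE users SET device_hash = ?, device_last_seen = ? WHERE username = ?')
       ->execute([tokenHash($token), $now, $username]);
    return ['ok' => true, 'reason' => 'device bound', 'newToken' => $token];
}

// CLI walk-through; the timestamps are constructed, not clock reads.
$db = openDb();
$t0 = 1000000;
$first = loginFromDevice($db, 'alice', null, $t0);           // work PC, no cookie yet: gets bound
$workToken = $first['newToken'];
$steps = [
    ['work PC again, with cookie', $workToken, $t0 + 60],
    ['home PC, work session live', null,       $t0 + 60],
    ['home PC, work session dead', null,       $t0 + 60 + SESSION_TTL + 1],
    ['home PC, binding lapsed',    null,       $t0 + 60 + DEVICE_TOKEN_TTL + 1],
    ['old work cookie replayed',   $workToken, $t0 + 60 + DEVICE_TOKEN_TTL + 2],
];
foreach ($steps as [$label, $cookie, $when]) {
    $r = loginFromDevice($db, 'alice', $cookie, $when);
    printf("%-28s %s (%s)\n", $label, $r['ok'] ? 'ALLOW' : 'DENY', $r['reason']);
}
```

The walk-through denies the home PC twice for different reasons (the work session is still live, then the binding has not lapsed), allows it once the binding has timed out, and then refuses the old work cookie outright. The two TTLs are the knobs the client has to decide on: a short `SESSION_TTL` is what stops two machines being used at once, and `DEVICE_TOKEN_TTL` is how long a user who genuinely changes machines stays locked out; anything that clears the cookie (a browser reset, private mode) looks to the server exactly like a new machine, which is why the help desk will need a way to retire a binding by hand.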
0

If it is a very internal application that will be used only inside a company, it might be possible to define an IP range, because smaller companies which do not operate worldwide will probably have a certain number of IPs from their internet access provider.

You could also think about using some info from $_SERVER to restrict users to a combination of a single web browser (HTTP_USER_AGENT) and a single port (REMOTE_PORT) - as an additional way to differentiate machines.

But all these solutions are bad or worse; it's technically probably not possible to solve this problem (unless you have guarantees from your client that all machines will keep a static IP, in which case it is a trivial if/else problem).

Richard Knop
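
For the "very internal application" case in the answer above, here is an added example (not the answer's own code) of restricting logins to a company's address ranges in PHP. It matches IPv4 and IPv6 CIDR prefixes with `inet_pton()` and takes the client address from `REMOTE_ADDR`, consulting `X-Forwarded-For` only when the request arrived through a reverse proxy you operate, because otherwise that header is whatever the client chose to send. The ranges (RFC 5737 / RFC 3849 documentation blocks), the proxy address and the `$_SERVER` arrays are constructed for the demo. `HTTP_USER_AGENT` is not used because the client controls it, and `REMOTE_PORT` is not used because it is the ephemeral source port of the current TCP connection and changes from one request to the next even from the same machine.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original answer: allow logins only from the company's
// address ranges. Ranges, trusted proxy list and request arrays are constructed for the demo.

// True if $ip lies inside $cidr ("203.0.113.0/24", "2001:db8::/32", or a bare address).
function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || filter_var($net, FILTER_VALIDATE_IP) === false) {
        return false;                                   // malformed input never matches
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false;                                   // IPv4 tested against an IPv6 range or vice versa
    }
    $maxBits = strlen($ipBin) * 8;                      // 32 or 128
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);                      // compare whole prefix bytes first ...
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;                                   // ... then the leftover high bits of the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

// The address to check: the TCP peer, unless the peer is our own proxy, in which case the
// last hop it appended to X-Forwarded-For. Never trust the header from anyone else.
function clientIp(array $server, array $trustedProxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        $hops = array_map('trim', explode(',', $xff));
        return (string) end($hops);
    }
    return $remote;
}

function loginAllowedFrom(array $server, array $allowedRanges, array $trustedProxies): bool {
    $ip = clientIp($server, $trustedProxies);
    foreach ($allowedRanges as $range) {
        if (ipInCidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Demo with documentation address blocks; all values are constructed.
$allowed = ['203.0.113.0/24', '2001:db8:1::/48'];       // the company's ranges
$proxies = ['10.0.0.5'];                                // our reverse proxy
$cases = [
    'office desktop'           => ['REMOTE_ADDR' => '203.0.113.42'],
    'office IPv6'              => ['REMOTE_ADDR' => '2001:db8:1:7::beef'],
    'home'                     => ['REMOTE_ADDR' => '198.51.100.9'],
    'via our proxy, office'    => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'spoofed header, no proxy' => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
];
foreach ($cases as $label => $env) {
    printf("%-26s %s\n", $label, loginAllowedFrom($env, $allowed, $proxies) ? 'ALLOW' : 'DENY');
}
```

The last case is the one that matters in practice: with the header honoured unconditionally, anyone at home could claim an office address, so the range check would be worth nothing. Even done correctly, this only narrows logins to the office network, not to one machine; it belongs alongside a per-machine check, not in place of one.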
-4

Don't do that. Many people will access your website from multiple computers, and they will complain if you block them.

mcandre
  • Yes, why in the heck would you do this...?? – Zak Jul 06 '10 at 20:03
  • 3
    I think sometimes, even if you don't agree with what they're asking for, you've got to assume there are reasons. In this case, it's stated that it's a Client's request (via an edit). The question isn't whether or not they should, it's how they could do it. Plus, it's an interesting one to think about. It defies the very concept of web based applications in some regards (defying the distributed nature by restricting individual users to individual machines) but it at least could be an interesting challenge – Brendan Bullen Jul 06 '10 at 21:44
  • If a client asked how best to jump off a bridge, should I post "using your feet?" – mcandre Jul 07 '10 at 13:09
  • 2
    There's a difference between a discussion with a Client and a developer simply relaying a Client's wishes. If a Client is hell-bent on doing something crazy and is paying the developer to do it, why shouldn't he reach out and ask "How?" – Brendan Bullen Jul 07 '10 at 22:03
  • 2
    Asking questions here is part of my research so I could explain to the client all possible implications. As I said, I agree it's a horrible idea, but "don't do that" is very unlikely to help my cause. Also I see no reason why a client would ever ask me how best to jump off a bridge. – spirytus Jul 11 '10 at 23:19
  • Haha! No, of course they wouldn't--if they understood how restricting access to one machine is like jumping off a bridge. – mcandre Jul 12 '10 at 16:12
  • -1 Maybe the business owner doesn't *want* many people to access the site from multiple computers. I want all the users of my admin system to have access to it from any location, but only when using their work laptop (which I know doesn't have any malware installed on it). – Dan Blows Dec 15 '12 at 13:34
  • On this platform, we do not follow business rules. We are trying to make a better solution to solve a problem. – Matt Qafouri Jan 18 '21 at 12:52