0

I've got a web application which can be used by individual people (one account for one person) and by places such as schools (one account per computer). I would like to make sure that the school accounts can only be logged in from the said school.

I've tried an IP filter, which isn't appropriate as they have a dynamic IP (it changes every day or each time they reboot their ISP box). The MAC address is not an option since it's not readable by PHP and not conserved between packet hops.

So here is my question: how may I make sure that the school accounts are used from and only from the school? Maybe something that I have to install on each trusted computer and which can't be cleaned without paying attention?

natinusala

2 Answers

2

Go with the IP address. Solve the dynamic IP address problem by installing a small script that will ping your server once every 5 minutes, and you will get the school's current IP address from this.

Martin Gottweis
  • That is a good solution, I'll ask if the school has a server on which they could install such a script – natinusala Jun 06 '16 at 11:44
  • Nicest would be to get a Raspberry Pi, install the pinger and just plug it in next to a router. That way they won't need to install anything and your solution will work even if they replace/turn off all computers – Martin Gottweis Jun 06 '16 at 11:45
  • 1
    I like that but it will involve additional costs. They certainly have a server somewhere in their facility, I'll ask for it – natinusala Jun 06 '16 at 11:46
  • Still waiting for an answer to see if they can deploy such a script – natinusala Jun 08 '16 at 14:25
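
One way the server side of the heartbeat approach in the answer above could look, as an added example that is not part of the original answer or comments. It assumes each heartbeat is sent over HTTPS and signed with a per-school shared secret so that only the school's pinger can update the recorded IP; all names, the secret, the time limits and the use of Python rather than the asker's PHP are illustrative assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample values; a real deployment provisions one secret per school.
SCHOOL_SECRETS = {"school-42": b"constructed-demo-secret"}
HEARTBEAT_TTL = 15 * 60   # forget an IP after three missed 5-minute pings
MAX_CLOCK_SKEW = 120      # reject heartbeats with stale or future timestamps

_state = {}               # school_id -> (source_ip, last_seen, last_timestamp)


def sign_heartbeat(school_id, timestamp, secret):
    """Pinger side: MAC over the school id and the (integer) send time."""
    msg = f"{school_id}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def receive_heartbeat(school_id, timestamp, mac, source_ip, now=None):
    """Server side: record source_ip only for a fresh, correctly signed ping."""
    now = time.time() if now is None else now
    secret = SCHOOL_SECRETS.get(school_id)
    if secret is None:
        return False
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False  # too old or from the future
    previous = _state.get(school_id)
    if previous is not None and timestamp <= previous[2]:
        return False  # replay of a heartbeat that was already accepted
    expected = sign_heartbeat(school_id, timestamp, secret)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False  # wrong or missing secret
    _state[school_id] = (source_ip, now, timestamp)
    return True


def login_allowed(school_id, request_ip, now=None):
    """Allow a school login only from the IP of the last valid heartbeat."""
    now = time.time() if now is None else now
    entry = _state.get(school_id)
    if entry is None:
        return False
    ip, last_seen, _ = entry
    return ip == request_ip and now - last_seen <= HEARTBEAT_TTL
```

The check passes for any machine behind the school's public IP, which is the scope the answer aims for; the expiry keeps an address the ISP has reassigned from staying trusted once the pings stop.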
-1

The simplest solution would be to use cookies. However, cookies are super easy to read and transfer by the user if he knows how.

A bit more complicated solution would be to make a browser plugin that adds some HTTP header to every request, which would need to be installed on every 'trusted' computer. To falsify this one would take a bit more computer skill.

Another solution would be to install a secure VPN on trusted computers and make the website accessible only through this VPN.

The most sophisticated solution would be to implement some browser-fingerprinting library. That is when a website collects all available information about the browser and the machine it runs on (available HTTP headers, available system fonts, how the machine handles decimal point arithmetic, etc.).

David162795
  • Cookies can be cleaned quite easily, breaking the authentication. I thought about the browser plugin, but it's browser-dependent. I'll go for the browser plugin if they can't install the ping script (see answer above) – natinusala Jun 06 '16 at 11:47