PHP, Javascript, ActiveX, Headaches

Question

I need to reliably get the id of a user from the PC using PHP.

I tried using

gethostbyaddr($_SERVER['REMOTE_ADDR']);

but that returns the network name of the pc, not what they actually logged in with.

I then tried

var WshShell = new ActiveXObject('WScript.Network');
document.form1.item('uid').value = WshShell.UserName;

which returned the value I needed, but has inherent issues:

browser security
being able to completely bypass by using browsers other than IE

Is there a way to get the ID that I am just not finding?

I don't believe this is possible in PHP considering its a Server Side Language. — Alex, Nov 04 '10 at 16:20
My first question would be. Why are you trying to get this. Maybe theres some other solution we can help you come up with? — castis, Nov 04 '10 at 16:22
@Alex I believe you could if you made a system call, but I agree there is probably a better way. @Castis makes a good point, "why". @JustinY17 if you're trying to create a system management tool, bear in mind that Microsoft has at least three types of user model, so you would have to affect the correct one. Additionally, why would you run a process as a superuser? — jcolebrand, Nov 04 '10 at 16:26
i am building a website that allows me (and others) to make changes to a mysql db, but currently is only setup to login with one ID. i want to be able to differentiate between users making changes to the db, and log what they are doing. — JuggernautDad, Nov 04 '10 at 16:27
in that case i would build a simple login. users can change anything they want about their computer. 1st rule of web application design: always assume that every user is out to get you all the time. However, if you really wanted to stick with your route. Find a way to get the users mac address. That would be the least likely to change but will also change if the user changes computers. — castis, Nov 04 '10 at 16:29
in my environment that could change daily... i really need a dynamic answer — JuggernautDad, Nov 04 '10 at 16:34

score 2 · Accepted Answer · edited May 23 '17 at 12:29

Looking at the discussion in the comments, the correct answer is to build a proper, run-off-the-mill login system like millions of sites already employ.

There is no safe mechanism to uniquely identify a PC to a server side application, plus as you say, users could switch machines on a daily basis.

You could set a cookie, but that is laughably trivial to fake.

See e.g. here for some good answers on authentication libraries for PHP.

bcosca · Answer 2 · 2010-11-04T16:42:26.490

0

If you have a single-signon type of system running on Windows Active Directory, consider getting user data via LDAP

edited Nov 04 '10 at 16:42

answered Nov 04 '10 at 16:37

bcosca

17,371
5
40
51

how did you get the data using php? – JuggernautDad Nov 04 '10 at 16:45
check the link to the PHP documentation. there are a lot of examples there, specially ldap_connect(). – bcosca Nov 04 '10 at 16:47

score 0 · Answer 3 · answered Nov 04 '10 at 16:41

You can figure out all sort of client-side tricks which will possibly work in some combinations of operating system and browser. But, in the end, everything will be transmitted to the server using good old HTTP. That's all that the server (the only side you have full control on) will receive: a bunch of text. There's no way to tell out whether the request came from your fancy ActiveX or was typed in a telnet command prompt.

Of course, there are ways to authenticate requests. That's one of the usages of cryptography. But, again, all you'll ever know is whether the signature was generated with the appropriate key. You cannot be sure of who the user is or what computer he's using, all you know is that it's someone who got a copy of the key.

Now, it's really complicate to build a login system that does not have its own users. As far as I know, even OpenID-based systems bind remote users to local users. Are you sure it's a requisite?

PHP, Javascript, ActiveX, Headaches

3 Answers3