I'm currently working on ways to restrict access to the company's website. Depending on the user that is logging in, and where the user is trying to log in, the site should not open. For example, there is a user role here that should only access the site from within the company.
The method I'm using to validate the user is to check his/her public IP address against a table of previously allowed IP addresses, but since this IP address is dynamic, every single time it changes I have to manually allow it again. I'm looking for other ways to detect if the user is within the company, so I can allow it to proceed with the login, but I'm out of ideas.
I've thought about checking if the user is within the company's network, but I don't know if I can do that in PHP. I've also thought about looking for the IP range, but my knowledge about it is quite limited, so I don't believe I can come up with a reliable solution based on this.
What else can I do about this?
The site is currently running Symfony 4 and is hosted on Azure, if that matters.
As it turns out, most of the options that I've found were either out of the question because of some requirements that I can't meet or because they don't apply to my situation here.
We did find one solution here: since we have two dedicated internet links, we've routed all outgoing traffic to our website to one of those links. Since they're dedicated and have static IP addresses, all we had to do was add a rule to allow the link's IP.
Problem solved.
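The "IP range" idea from the question combined with the static-IP rule from the answer, as an added example that is not part of the original posts: a per-role check of the client address against allowed networks in CIDR notation. The role name `ROLE_INTERNAL`, the function names and the documentation-range addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** True when $ip is inside $cidr (IPv4 or IPv6); a bare address means one host. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $maxBits = strlen($ipBin) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $maxBits)) {
        return false; // malformed prefix length
    }
    $bits  = $bits === null ? $maxBits : (int) $bits;
    $bytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false; // a whole byte of the prefix differs
    }
    $rest = $bits % 8;
    $mask = (0xFF << (8 - $rest)) & 0xFF; // high $rest bits of the next byte
    return $rest === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Roles absent from $policy are unrestricted; each listed role must match a network. */
function loginAllowedFrom(array $roles, string $clientIp, array $policy): bool
{
    foreach ($roles as $role) {
        if (!array_key_exists($role, $policy)) {
            continue; // unrestricted role
        }
        $hits = array_filter($policy[$role], fn (string $cidr): bool => ipInCidr($clientIp, $cidr));
        if ($hits === []) {
            return false; // restricted role, address outside every allowed network
        }
    }
    return true;
}

// Constructed policy using documentation address ranges, not real company IPs.
$policy = ['ROLE_INTERNAL' => ['203.0.113.10', '198.51.100.0/24', '2001:db8:40::/48']];
var_dump(loginAllowedFrom(['ROLE_USER', 'ROLE_INTERNAL'], '198.51.100.77', $policy));
var_dump(loginAllowedFrom(['ROLE_INTERNAL'], '192.0.2.5', $policy));
var_dump(loginAllowedFrom(['ROLE_USER'], '192.0.2.5', $policy));
```

When the application sits behind a reverse proxy or load balancer, `$_SERVER['REMOTE_ADDR']` is the proxy's address, so the client IP should come from the framework's trusted-proxy handling (in Symfony, `Request::getClientIp()` with trusted proxies configured) rather than from a raw forwarded header.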
Related
I'm trying to build an intranet type site for a client using WordPress as the base. Instead of having users sign in, they just want to restrict users by IP address. They also want certain sets of IPs to be able to only access certain sections of the site.
So, I was wondering if there were any plugins or anything that addressed this type of setup already? I'm trying to not do this from scratch if I can help it.
Any input would be appreciated.
You can consider the free IP2Location Country Block WordPress Plugin.
https://wordpress.org/plugins/ip2location-country-blocker/
It can restrict visitors by IP address block (country).
I have a hybrid WordPress plugin that fetches all data using curl from the main server. Let's call it A.
B is the client that requests for data and also can send data to A.
Now every request is encrypted and authenticated using API access keys.
But the problem here is if I copy the plugin from B to a new client site C, the moment I use the same access keys etc. the plugin starts working.
I want to be able to restrict the access of one API access key to one domain name. How can I attain that?
I'd say to include the allowed host's IP address (B) in your access key administration.
So: when B does a call, you can validate the key and the IP it's calling from.
On A, you can use something like $_SERVER['REMOTE_ADDR'] to test the IP calling the script.
Two downsides: when sites move servers, the plugin will stop working. And of course, people can still spoof their IP, so there is a way to get around this, but at least you make it a lot more complicated and probably not worth the hassle for most cases.
A suggestion by TJHX
Make it part of the license you give your customers. The honest ones will follow it, the dishonest ones will find a way to break your DRM. This is a problem technology can't really solve confidently, especially when with things like wordpress people can just see your code - By TJHX
I have also looked into a lot of options but the mere fact is that the user always has access to the code in the wordpress plugin and can easily make amendments to the CURL request Headers even if you encrypt it.
All we can do is add it in our licenses.
In my plugin, there are iframes that will be loading the data on the frontend so I am going to accept the domain name when the user buys the plugin and will check the referrers to my iframe to sort this issue out.
Thanks a lot guys for your help.
I am looking for a solution for my project but I don't know if I chose a correct title for my question, so I should apologise to everybody if it doesn't seem relevant somehow.
I have an application written in PHP which is like this: http://app.mysite.com.
What is happening in this app is that customers come and open an account for themselves. They will use this application to get in touch with their own clients in this way that they register their clients in this application and they can communicate with them. So it is somehow important that after their signup for the service, their company's name be shown in the address bar like this: http://TheirFirmName.mysite.com so their clients can identify that they are connecting to the correct path.
What I am looking for is to find a solution that I have only my application under app.mysite.com and when a client signs up, it creates a subdomain with their firm's name and then it redirects to my application path, but the address in address bar should remain with their subdomain address like TheirFirmName.mysite.com.
I don't want to stick to this idea, so if somebody has a better solution I appreciate if they want to share with me, otherwise, I humbly ask people who know how to perform what is in my mind.
The title should be pretty clear, but consider this scenario:
User bobbyflay registers an account on my SAAS app
I would like for the URL bobbyflay.myapp.com to direct him to a customer-specific login page.
I'm developing on CodeIgniter 2.0.2 for what it's worth. Is there a better way than modifying the routes.php config file every time a new account is created?
You can create a wildcard record in your DNS that resolves all *. DNS lookups to a single IP address, then identify the specific subscriber using the Host header sent from the browser.
EDIT: see http://en.wikipedia.org/wiki/Wildcard_DNS_record for more detail.
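How the subscriber can be identified from the Host header once the wildcard record is in place, as an added example that is not part of the original answer. The Host header is supplied by the client, so the sketch accepts exactly one well-formed label under the base domain and nothing else; the function names, the reserved-label list and the account table are assumptions, and in a web request the input would be `$_SERVER['HTTP_HOST']`.

```php
<?php
declare(strict_types=1);

const BASE_DOMAIN     = 'myapp.com';           // base domain from the question
const RESERVED_LABELS = ['www', 'app', 'api']; // assumed: names no customer may claim

/** Return the subscriber label named by a Host header, or null if it is not acceptable. */
function tenantFromHost(?string $host): ?string
{
    if ($host === null) {
        return null;
    }
    // Normalise: case, optional port, trailing dot of a fully qualified name.
    $host = strtolower(trim($host));
    $host = rtrim((string) preg_replace('/:\d{1,5}\z/', '', $host), '.');
    $suffix = '.' . BASE_DOMAIN;
    if (strlen($host) <= strlen($suffix) || substr($host, -strlen($suffix)) !== $suffix) {
        return null; // not under our domain (e.g. myapp.com.other.example)
    }
    $label = substr($host, 0, -strlen($suffix));
    // Exactly one DNS label: letters, digits, inner hyphens, at most 63 characters.
    if (!preg_match('/\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/', $label)) {
        return null;
    }
    return in_array($label, RESERVED_LABELS, true) ? null : $label;
}

/** Look the label up in the account store; unknown labels yield null. */
function resolveTenant(?string $host, array $accounts): ?array
{
    $label = tenantFromHost($host);
    return $label === null ? null : ($accounts[$label] ?? null);
}

// Constructed account table and Host header values.
$accounts = ['bobbyflay' => ['id' => 17, 'name' => 'Bobby Flay']];
$samples  = ['bobbyflay.myapp.com', 'BobbyFlay.MyApp.com:443', 'x.bobbyflay.myapp.com',
             'bobbyflay.myapp.com.other.example', 'nobody.myapp.com', null];
foreach ($samples as $host) {
    $tenant = resolveTenant($host, $accounts);
    printf("%-40s => %s\n", var_export($host, true), $tenant === null ? 'no tenant' : $tenant['name']);
}
```

Because the lookup happens per request, no route or configuration change is needed when an account is created.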
This is exactly the article you're looking for.
Note it is written for an older version of CI but the methodology should be intact.
If you plan to implement this, at least consider disabling it via options; either "profile exists" or "profile not exists, hidden or disabled" messages should appear at accessing the subdomain - else your client's security/privacy may be harmed.
I am a web developer and I want to design a commercial website to sell a customer's product. Sell and buy activities are important and I need to maintain user activity information to keep the site secure.
I want to write a dynamic website. I want to control all user activity and then decide whether to save user activity information in a database. Some of the site's visitors are registered users and some are anonymous. I want to save online information such as IP address, username, page name, and date/time for my registered users.
I want to know:
How do I save a user's IP address?
What more do I need to save?
Saving each HTTP request's details into a database will work for low traffic web sites, but you will have performance issues in case of a popular website, since writing to a database is a relatively slow operation.
Why not use server HTTP logs instead?
All HTTP web servers create plain text log files which record remote user IP address, URL requested, etc. You can create activity report by writing your own script or using log file report tools. AWStats ( http://awstats.sourceforge.net/ ) is one of the most popular open-source tools for this.
On client side you can use Google Analytics to track user activity. It also provides means to track custom events:
_gaq.push(['_trackEvent', 'login', 'user_login', "custom data"]);
More info at: http://code.google.com/apis/analytics/docs/tracking/asyncUsageGuide.html
This option only tracks users with JavaScript enabled, so it won't show bots, crawlers or users having analytics blocking addons installed.
I'm not sure I understand all of your question...but to address at least one aspect of it, if the user is behind a proxy, then you have no way of determining what their real IP is. That's the whole point. The proxy is the one making the request and then forwarding it. Without asking the proxy yourself, you cannot determine that. With regards to what else you need to save, it depends entirely on what you want to do and you haven't done a good job of explaining why you are saving this data. If you can clarify that, perhaps we can help you a bit more in determining what data you should be saving.
Edit: To address your clarification, if you wanted to be crazy, you could log everything that a person does. Every link they click, every product they view, etc. I don't necessarily advocate that as I find it a bit creepy, but there are definitely sites that do it. At the bare minimum, I would suggest logging what products people look at and then what products they buy. I would also log that information on a per-session basis. Basically, what products do people look at and then end up buying on the same trip to your store. I wouldn't worry too much about the "real" IP address. Most people won't be behind a proxy and those that are, you can't do anything about anyway.
How do I save a user's IP address?
$_SERVER['REMOTE_ADDR']
What more do I need to save?
That's quite a strange question. It's your application, not someone else's. How can we guess what information you need?
However, at least one issue I can point out: a page name is not sufficient to log "all user activity". Query string and POST data usually contains important details on that activity.
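An added example (not from the answers above) of an activity record that carries the fields named in this thread: `REMOTE_ADDR`, username, page, query string, POST data and date/time. Masking secret fields before they are written is an addition here, and the field names in `REDACTED_KEYS`, the function names and the JSON-lines output format are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed field names whose values must never be written to the log.
const REDACTED_KEYS = ['password', 'password_confirm', 'card_number', 'cvv', 'csrf_token'];

/** Copy request parameters, masking secrets and capping the size of each value. */
function redact(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (in_array(strtolower((string) $key), REDACTED_KEYS, true)) {
            $out[$key] = '[redacted]';
        } elseif (is_array($value)) {
            $out[$key] = redact($value); // nested form fields such as address[city]
        } else {
            $out[$key] = substr((string) $value, 0, 200);
        }
    }
    return $out;
}

/** Build one JSON line describing a request; $username is null for anonymous visitors. */
function activityRecord(array $server, array $get, array $post, ?string $username): string
{
    $record = [
        'time'   => gmdate('Y-m-d\TH:i:s\Z'),
        'ip'     => $server['REMOTE_ADDR'] ?? null,
        'user'   => $username,
        'method' => $server['REQUEST_METHOD'] ?? null,
        'page'   => parse_url((string) ($server['REQUEST_URI'] ?? ''), PHP_URL_PATH),
        'query'  => redact($get),
        'post'   => redact($post),
    ];
    // JSON encoding escapes control characters, so a value cannot forge a second log line.
    return (string) json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed request data; in a real request pass $_SERVER, $_GET and $_POST.
$server = ['REMOTE_ADDR' => '203.0.113.25', 'REQUEST_METHOD' => 'POST',
           'REQUEST_URI' => '/checkout.php?step=2'];
echo activityRecord($server, ['step' => '2'],
    ['product_id' => '981', 'card_number' => '4111111111111111'], 'alice'), PHP_EOL;
```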