No static IP but need to restrict access to a specific location - php

I have a small web function that should run only when the user is in the office. But the problem is that our internet provider changes its IP regularly and I can't keep track of it. We have Windows 7 systems in our office and they don't have any static IP. I can't even set a static IP as it will hamper the internet provider settings and will stop connecting to the internet. I'm stuck now. Is there a way with which I can make sure that a person is in the office only when he is using that function?

The surest way is to ID using the MAC address, since the IP can be changed; the MAC address is harder to spoof and does not change. It is the "serial number" of the network card. So unless they take the card home, they won't be able to access it. Have a read at this post.

You could use dyndns to get the current IP.
Dynamic DNS allows you to redirect a host name to a dynamic IP.
So if you get a request from an unknown IP, or more than x seconds have passed since the last request, you can use gethostbyname to retrieve the office IP.
Free Dynamic DNS:
http://www.dnsdynamic.org/
Getting the IP:
$ip = gethostbyname('sample.dnsdynamic.org'); // gethostbyname() takes a bare hostname, not a URL
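
The cached lookup this answer describes could look like the following in PHP (an added example, not code from the original post; the cache path and both intervals are assumptions). Every host behind the office's public address passes this check, and the result is only as trustworthy as the dynamic DNS record.

```php
<?php
// Added example. OFFICE_HOST, CACHE_FILE and both intervals are assumptions.
const OFFICE_HOST = 'sample.dnsdynamic.org'; // bare hostname, no scheme or path
const CACHE_FILE  = '/var/cache/office_ip.json'; // hypothetical; must be writable
const CACHE_TTL   = 300; // the "x seconds" after which the address is re-resolved
const MIN_REFRESH = 30;  // unknown clients cannot force lookups more often than this

/** Resolve the office hostname (IPv4 only); null when the lookup fails. */
function resolveOfficeIp(string $host): ?string
{
    $ip = gethostbyname($host);
    // gethostbyname() returns its argument unchanged on failure.
    return ($ip !== $host && filter_var($ip, FILTER_VALIDATE_IP)) ? $ip : null;
}

/** Load ['ip' => ..., 'ts' => ...] from the cache file, or null. */
function readCache(string $file): ?array
{
    $data = is_file($file) ? json_decode((string) file_get_contents($file), true) : null;
    return (is_array($data) && isset($data['ip'], $data['ts'])) ? $data : null;
}

function isOfficeRequest(string $clientIp, ?callable $resolver = null, ?int $now = null): bool
{
    $resolver = $resolver ?? 'resolveOfficeIp';
    $now      = $now ?? time();
    $cache    = readCache(CACHE_FILE);
    $age      = $cache ? $now - $cache['ts'] : PHP_INT_MAX;

    if ($cache && $age <= CACHE_TTL && $cache['ip'] === $clientIp) {
        return true;                       // known office address, cache still fresh
    }
    if ($cache && $age < MIN_REFRESH) {
        return false;                      // looked up moments ago: do not hit DNS again
    }
    $ip = $resolver(OFFICE_HOST);          // unknown IP or stale cache: re-resolve
    if ($ip === null) {
        return false;                      // fail closed when DNS is unavailable
    }
    file_put_contents(CACHE_FILE, json_encode(['ip' => $ip, 'ts' => $now]), LOCK_EX);
    return $ip === $clientIp;
}

// Compare against the TCP peer address; X-Forwarded-For is client-supplied.
if (PHP_SAPI !== 'cli' && !isOfficeRequest($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Office network only');
}
```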

One way to do it would be to set up the server so it exposes 2 services - 'A' with the "special office-only function" available, and 'B' without.
Then, set up the network security so that Service A is only accessible over a VPN tunnel from your office.
--
An alternative approach might be to use PKI - get the office computers installed with certificates that are required to access the Service A functionality. However, while complicated, it is still possible for users with sufficient authority and knowledge to copy the certificate and install it at home.

If your users aren't nerds, you can set a special cookie in the office computers, and check against that every time the user accesses the application.
(If your users know how to set and unset cookies, that would fail, as they would simply copy this behavior to their home).
Also, there should still be a specific range of IPs when connecting from the office (even if the IP changes), sample a few IPs and check for a recurring pattern.

Provide your office user with some kind of token, after they authorize. Then use the token to determine if access is granted or not.
The token can be stored in a cookie on the office user's computer, so authorization is done only once.
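
One way to implement such a token is to sign it with a server-side key so it cannot be forged or altered, and to give it an expiry and a revocable device id. This is an added example, not code from the original post; the cookie name, the OFFICE_TOKEN_KEY environment variable and the 30-day lifetime are assumptions, and a copied cookie still works from elsewhere until its device id is revoked.

```php
<?php
// Added example. Cookie name, key source and lifetime are assumptions.
const TOKEN_COOKIE = 'office_token';
const TOKEN_TTL    = 30 * 24 * 3600;

function officeKey(): string
{
    $key = getenv('OFFICE_TOKEN_KEY'); // hypothetical: secret kept outside the code
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('OFFICE_TOKEN_KEY missing or too short');
    }
    return $key;
}

/** Issue "<base64 payload>.<hex HMAC>" for one office machine after it authorizes. */
function issueToken(string $deviceId, string $key, ?int $now = null): string
{
    $payload = json_encode(['dev' => $deviceId, 'exp' => ($now ?? time()) + TOKEN_TTL]);
    $body    = base64_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

/** Return the device id if the token is authentic, unexpired and not revoked. */
function verifyToken(string $token, string $key, array $revoked = [], ?int $now = null): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) { return null; }
    [$body, $mac] = $parts;
    // Check the MAC in constant time before parsing anything the client sent.
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) { return null; }
    $data = json_decode((string) base64_decode($body, true), true);
    if (!is_array($data) || !isset($data['dev'], $data['exp'])) { return null; }
    if ($data['exp'] < ($now ?? time())) { return null; }
    return in_array($data['dev'], $revoked, true) ? null : $data['dev'];
}

function setOfficeCookie(string $token): void
{
    setcookie(TOKEN_COOKIE, $token, [
        'expires' => time() + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
}

// Gate the office-only function on a valid token.
if (PHP_SAPI !== 'cli' && verifyToken($_COOKIE[TOKEN_COOKIE] ?? '', officeKey()) === null) {
    http_response_code(403);
    exit('Office token required');
}
```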

If you have access to the office network, you may try to configure your server, which gives access to the internet, so that it adds some token (cookie?) to all requests (sent to your server). Then you check it in your code.

Related

How can i get the permanent IP

I want to get the client IP with PHP. I already know that I can get the IP with $_SERVER['REMOTE_ADDR'];. But when I store this value in a database or remember this IP, the next day the client address is something else and not the same as yesterday.
I already tried to work with $_SERVER['REMOTE_ADDR']; but the IP changes every day.
Yes, IPs change. That’s the nature of most residential internet connections. Only a comparatively small number of connections have static IPs. IP addresses are an implementation detail of a data routing mechanism, they’re not permanent or unique identifiers.
The person controlling the HTTP client would need to run it through an Internet connection with a static IP address. To get one they would need to either use an Internet Service Provider that provides static IP addresses by default or one which provides them as an optional extra (and then take that option).
Then they would have to ensure they didn't use a different Internet connection to make a request in the future (e.g. by using their laptop in a coffee shop instead of at home, or connecting from their phone while connected via cellular broadband).
They could also use a proxy server that was connected using a static IP. The requests would be relayed via the proxy and its IP address would be used to connect to the server running the PHP.

How can i access to my PHP application on my smartphone using a DNS local adress

I have a PHP application running on wamp3. I have been able to let people on my local network access the application by typing 192.168.2.22/myapps. I'm looking for how to make them type www.myapps.dev instead to get access to the application.
French speaking too... but the answer will be in English ;)
So, in order to access a server, you need its IP.
First way to access
Like you already do, directly through the IP
Common way to access
The user is calling a DNS name which is translated to an IP using a DNS server. Using this technique will imply technical abilities in server management and networking.
Developer way
The user configures the specified host on his terminal. On Linux and Android, you can update /etc/hosts file in order to add IP / DNS correlations. You may find "Hosts editor" application in Play Store.
Note that this technique won't be available for iOS users.

Make sure that the users are logged in a trusted place

I've got a web application which can be used by individual people (one account for one person) and by places such as schools (one account per computer). I would like to make sure that the school accounts can only be logged in from the said school.
I've tried an IP filter, which isn't appropriate as they have a dynamic IP (it changes every day or each time they reboot their ISP box). The MAC address is not an option since it's not readable by PHP and not conserved between packet hops.
So here is my question: how may I make sure that the school accounts are used from and only from the school? Maybe something that I have to install on each trusted computer and which can't be cleaned without paying attention?
Go with the IP address. Solve the dynamic ip address problem by installing a small script that will ping your server once per 5 minutes and you will get the current school's ip address by this.
The simplest solution would be to use cookies. However, cookies are super easy to read and transfer by the user if he knows how.
A bit more complicated solution would be to make a browser plugin that adds some HTTP header to every request, which would need to be installed on every 'trusted' computer. To falsify this one it would take a bit more computer skill.
Another solution would be to install a secure VPN on trusted computers and make the website accessible only through this VPN.
The most sophisticated solution would be to implement some browser-fingerprinting library. That is when the website collects all available information about the browser and the machine it runs on (available HTTP headers, available system fonts, how the machine handles decimal point arithmetic, etc.).

PHP: get client IP or MAC address to 'prove' client is from own Intranet?

Note: This is a logic/security question, not really a 'how to' for PHP.
First the background...
I want to restrict access to a company INTRAnet website to only people who are using a company computer (Windows or Linux) and who are connected to our company network 'in office' or remote via VPN.
At the moment users log in with their company userid and password, which are authenticated via LDAP, for every session. I want to make life a little easier for them and allow them to use a 'remember me' option at login and then store some information in a cookie.
The information I thought of putting in the cookie is their username and either the client IP address or client MAC address and setting an expiry of 30 days for example. On a subsequent login then existence of this cookie indicates a valid user and valid client are being used, so no need to login again (pass-through).
Now the question(s)...
Is it the case, that a system call from PHP will only return an IP or MAC address if the client is authorized on and connected to our corporate network? If this is true then by reverse logic, getting a null return value from one or both of these addresses means the client computer is not authorized to connect to our corporate network - is that correct? Is there a better way (more secure way without having users forced to log in each session) of solving this?
Thanks in advance.
A MAC is only available on the same subnet; if your intranet is a little more expansive it will probably have routing internally, especially if VPNs are involved as well. So there's no reliable way to get the MAC address of the client, no.
The IP is bound to change very likely as clients go online and offline, so an IP is useless as well.
Really, if your concern is that the application should only be accessed via the intranet, the best way to ensure that is to configure the intranet/server to only be physically accessible via the intranet. If the network won't route external requests to the server, then there's no way anyone from outside could access the server/application. Worrying about this in application code is the wrong place.
You can easily get the MAC address of the client by using PHP exec("getmac /fo csv"); on Windows and then use this string to authenticate the user.
Thanks

how to solve the issue of "referer value is wrong" in form sending?

I'm a user of a certain forum, but recently my IP address has been blocked. That's not my fault, but some user probably broke the rules and his ISP or IP address is the same as or close to mine, so I was enmeshed.
I rent a web server, so now I try to post comments to the forum from my server, but it fails.
When I post a comment using a form in the site, the error says that the referer was wrong.
I tried the header() function using PHP but it doesn't work.
I tried to change the referer but still it doesn't work.
I think if I could have a client in my web server, the IP and host would change when posting comments, without changing the referer information. But I don't know how to do this.
The restriction is temporary, maybe a few weeks, so I don't necessarily need a perfect and permanent solution.
Are there any ways to solve this problem?
If they're blocking you based on IP address, then it's the web IP address of your local network that they're blocking. If they've decided to block a range of IPs then you have a larger problem depending on your host.
A few things you can try:
Chances are (unless this is a work account) that you're using a dynamic IP address from your host. A lot of work accounts use a dynamic IP too, but you would need access to the modem (since you're probably not the corporate network administrator). Sometimes you can get a new IP address from a completely different range by unplugging your cable or DSL modem and plugging it back in after about 30 seconds. Most electronics clear instantaneously (unless they have an onboard battery backup), but in the case of network components they purposely build in a few seconds of wait time in DHCP servers before providing a completely different IP address. Usually when I'm having a problem on my local network or doing an upgrade and unplug my modem, after about 10 minutes of work when I plug my modem back in I have a new IP, so I have to go through all of the trouble of re-whitelisting myself everywhere (so I know this works).
You could try connecting to the boards through your cell phone if you can tether your cell phone to your workstation or desktop. This will provide you with an IP address through the cell phone carrier's network (Note: it might violate the TOS).
You could do as #Bergi suggested and use a proxy. Some web browsers (like Opera) allow you to specify a proxy in the browser without forcing all of your desktop traffic to a different network. You can obtain a proxy server address from several resources, but this is one of my favorites. Be sure to use an HTTPS proxy in order to have the best defense against someone packet filtering and catching your credentials. People can still capture the initial handshake for SSL and decrypt your communications (so make sure this is what you want to do.)
You can try to force inject headers into the message board and make your server post for you. Good forum software will check the referrer and the user_agent to see if you are a "real person" (however real the programmer felt you needed to prove). If there is a CAPTCHA you will need to be able to see the image, hear the sound, or use a plug-in to break it. (This will require research). Chances are your web server is using a static IP, so there is nothing to prevent the board from blocking this one as well. (You will not be able to change it.) If the web host has strict guidelines about using their servers for this sort of thing it might *cost you your account*. I will not provide an example for this on this board. But you can check out a book called WebBots, Spiders, and Screen Scrapers.
