We Keep Coding

How to restrict website accessing, if user is on remote device and not on a work computer? (work time tracker app)

I would like to make a PHP website, where employees can log in/out themselves and these logs will count as a time when they started and ended their working day. I would like to allow them to do that only on their work computer and not for example on their phone while they are still on the way, but they want to avoid "being late".
So I'm struggling with a few ideas, but any of them seems to be the right solution.
Allow using the website only for specific IP addresses. But then I realized that in our place IP address is dynamic and changing it for static costs too much in our area.
Check user location. But then I saw that when I'm checking my public IP address, the location is completely wrong! Our building isn't even close to the loaded area.
Using a COOKIE/token on a work computer. But it's very easy to set the same cookie on your own device and I'm not the only IT employee here.
Checking MAC address. As I read here it's possible only in specific cases.
Block access for mobiles. But detecting a mobile is based on browser and if the user click "Request Desktop Site" scripts will say that's a computer.
Is there another method, which I can use to achieve my goal? Am I missing something?
May I bind my app for example with some other technologies that will allow me to do that? Or maybe I should try a combination of all of them?
I couldn't find any script, which would take care of that. In the worst case it doesn't have to be "perfectly secure", but I would like to be it at least hard, annoying, or time-consuming to try to "cheat" in this system.

I would run your app in the office LAN. Nobody will be able to access it from outside except if they can do remote desktop to the office computer or if they have VPN. But if you are in the IT team you may could fix IP ranges for the office computers so that you could exclude the VPN.
In terms of security, in any case it may be better having it running in your LAN. I'm sure you've got a server somewhere and if it's not the case then you could use a NAS (Synology offers NGINX, Apache, PHP and much more) or a little Rasperry Pie or something similar.
If you haven't got a fixed IP, you could also use DynDNS and have it mapped to a sub-domain such as company-name.dyndns.org and then on your PHP app you could have a cron job that gets the IP address from the domain name and updates it every minutes (I'm sure it's quickly run). It could then store it inside a config file, this way:
<?php
define('ALLOWED_IP_FILE', 'allowed-ips.inc.php');
$ALLOWED_DOMAINS = [
'your-company.dyndns.org',
'you-at-home.dyndns.org',
];
$allowed_ips = [];
foreach ($ALLOWED_DOMAINS as $allowed_domain) {
$ip = gethostbyname($allowed_domain);
if ($ip !== $allowed_domain) {
// Store with the IP in the key and value for ease when checking the IP validity.
$allowed_ips[$ip] = $ip;
} else {
fprintf(STDERR, "ERROR: Could not find the IP of $allowed_domain!\n");
}
}
$allowed_ips_export = var_export($allowed_ips, true);
$config_file_content = <<<END_OF_CONFIG
<?php
// Don't edit! This config file is generated by cron-ip-address.php.
\$ALLOWED_IPS = $allowed_ips_export;
END_OF_CONFIG;
if (file_put_contents(ALLOWED_IP_FILE, $config_file_content) === false) {
fprintf(STDERR, 'ERROR: Could not write config file ' . ALLOWED_IP_FILE . "\n");
}
This generates a config file to include in your app. Example of content generated if you run the script I wrote above:
<?php
// Don't edit! This config file is generated by cron-ip-address.php.
$ALLOWED_IPS = array (
'142.250.203.99' => '142.250.203.99',
'23.201.250.169' => '23.201.250.169',
);
Now, in your app, just include it and test the presence of the IP in the $ALLOWED_IPS array:
<?php
include ALLOWED_IP_FILE; // If this is declared in a common config file.
// include 'allowed-ips.inc.php'; // If you haven't got a common config file.
if (!isset($ALLOWED_IPS[$_SERVER['REMOTE_ADDR']])) {
http_response_code(403);
die('Sorry, you cannot access it from here.');
}

Ideally, if what you actually want to track is when employees are in the workplace and logged on / for how long, it would be probably better to just track local machine-logins via a domain controller - a method reachable from the internet is suboptimal exactly for the reasons you mentioned.
If you have an intranet which users cannot tunnel into but can access from their work machines, I'd say hosting your login-page only inside that intranet is the easiest way to achieve what you want with the methods you suggest.
Alternatively, if employee work-machines use windows under a domain controller - you can restrict access to Windows certificate-storage, then install/push a certificate and require that to be present via your server-configuration. In that case, it doesn't matter if the website is accessible from the internet. I'm sure there are similar solutions if work-machines are not on Windows.
This admittely old question gives some pointers in the right direction on how to require client certificates from a Webserver (IIS in that case).

CF_IPCountry header to all requests in Drupal

I'm starting a blog in Drupal and using Cloudflare DNS. They act as a 'proxy' and all my visitors have their ip. They offer an IP Geolocation option to show real users IP:
Once enabled, we will then add a header called "CF-IPCountry" to all requests we make to your website. Here are a couple of examples of how to access/store this value:
$country_code = $_SERVER["HTTP_CF_IPCOUNTRY"]; // to access in PHP
$country_code = $ENV{"HTTP_CF_IPCOUNTRY"}; # to access in Perl
The question is: how can I use this?
I'm a html/css/js person and making now my first steps into php. I searched this last two days and didn't found a single example how to implement this option. I tried this in the "template.php" file:
function TEMPLATE_drupal_add_http_header() {
$country_code = $_SERVER["HTTP_CF_IPCOUNTRY"];
}
But nothing happens and ip's still from Cloudflare. Can anyone help here? Is it so simple that it doesn't need any explanations (hence I didn't found one)?
Thank you.

Do you have something like the Drupal plugin installed or something like mod_cloudflare?

PHP domain name verify

This is an another topic about domain name verify. I read answers in other topics. I tried several scripts. I don't want to use an API. Unless there is a free API but I not yet found one.
I tried to check the DNS following code:
if($_POST['submit']){
if(!empty($_POST['check_site'])){
$url = $_POST['check_site'];
//add .nl
if(!strpos($url,'.nl')){
$url.= '.nl';
}
//check dns record
$result = dns_get_record($url);
if(count($result) > 0)
{
echo $url. ' is used';
}else{
echo $url. ' is free';
}
}
}
The problem is when I try to check "example.nl" (A registred but inactive domain) it don't give DNS data back so I validate is as free domain.
My questions are:
Does anyone a fix?
Does anyone have a suggestion (link to other script/article)
Is there a way to check if a site have a registrar.
I'm still a student but this is not a school project.
Live code on : link
I am checking the answers, thanks in advance
Edit:
When I try to
shell_exec (whois -h whois.domain-registry.nl 'is example.nl');
I get a unexpected T_String error. What is the correct way to use this?

If your PHP installation has rights to execute the whois command line utility commonly found on UNIX-based server, you could get your information from the following command:
whois -h whois.domain-registry.nl 'is example.nl'
This command is taken from this SIDN page, under 'Is'. You must check whether you can do this more than 15 times a day from one IP address, because you also can't do that for the more complete whois (without 'is'). You also seem to be restricted to one request per second.

I think PHP functions checks if site is assigned to an IP address or not. That is why inactive domains are identified as free!
Anyway you can check your code again with checkdnsrr() of PHP.
If it does not works, there is an extension for this purpose. I think it is free.

Parse email sent from Outlook piped to php

Using this tut: parse emails
I was able to get email piping, and attachment/body parsing totally working....as long as the email is not sent from outlook.
It executes perfectly from gmail, and thunderbird, however when the incoming email is sent from outlook the script fails. I figure it has something to do with how outlook formats its messages (in the comments on the tutorial site someone mentions outlook not being compliant), but truthfully the issue is above my head. Any help would be appreciated, thanks.
fyi: this is the newest version of outlook (win7).

As you have encountered, Outlook is the scourge of the email universe. You'll notice that the source provided in the tutorial you're using refers several times to content encoded as text/plain. The email being sent from Outlook likely contains text/html content instead of or in addition to the plaintext.
Depending on what you wish to do with the content of the email, you may be able to adapt the script to accept text/html encoded content as well by inserting a duplicate body search below the existing one like so:
//get the message body
if(substr($decoded[0]['Headers']['content-type:'],0,strlen('text/html')) == 'text/html' && isset($decoded[0]['Body'])){
$body = $decoded[0]['Body'];
} elseif(substr($decoded[0]['Parts'][0]['Headers']['content-type:'],0,strlen('text/html')) == 'text/html' && isset($decoded[0]['Parts'][0]['Body'])) {
$body = $decoded[0]['Parts'][0]['Body'];
} elseif(substr($decoded[0]['Parts'][0]['Parts'][0]['Headers']['content-type:'],0,strlen('text/html')) == 'text/html' && isset($decoded[0]['Parts'][0]['Parts'][0]['Body'])) {
$body = $decoded[0]['Parts'][0]['Parts'][0]['Body'];
}
Which certainly isn't pretty, but should retrieve the HTML content coming from Outlook if it is detected.
If you need to actually parse the HTML content, your problem will be a bit more complicated. Your next step would be to take a look at some of the answers for this question: Robust, Mature HTML Parser for PHP.
Good luck!

Ok...
So I fixed it. I was setting up the pipe in Cpanel, because it's easier. I put the pipe under "account level filtering", worked great for anything but outlook. I would have loved to have the script print data for debug, but it was never even executing when the email came from outlook. Looked in mail logs...nothing obvious. My admin on a whim suggested that I move the pipe to the "forwarders" section in cpanel. Well now it works perfect. Must be a bug in cpanel. Why is it the more you learn about computers the less sense they make.
Just a couple other tweaks I had to implement:
A) when writing/editing the script in a windows environment, hidden characters are added. To fix this, I upload the php file, and open it in the cpanel filemanager (us-ascii), and save it. This removes the characters. (could obviously open in *nix also)
B) I had to chmod to 755, or it would not run. Scripts sitting outside my \www so no worries.
C) My shebang had to be: #!/usr/bin/php -q. The q was necessary to get it running.
Hope this helps someone else.

Why is my 301 Redirect taking so long?

In a long tiredsome quest to speed up my site, I have figured out something is wrong with the redirection: currently my index.php handles all the homepage redirections via PHP header location 301 Redirect Permanently: website.com >> website.com/en/home and website.de >> website.de/de/home etcettera etcettera (around 20 for this multilingual website) it takes anywhere from 200ms to 6000ms to do the redirecting. Check out the waterfall!
After that, the page loads in a thunderbolt's blink of an eye!
What a waste of time wouldn't you say? What is the server doing all this time?
After careful examination, my best guesse is: ITS DOING LAUNDRY!
I am almost giving up on PHP for this!
Any and all clues to my puzzling prob are very welcomed +1
A. Given facts: Apache/2.0.54 Fedora, PHP 5.2.9. there is no database: just flat php files with around 15 php includes that completes my page with headers and footers). YSlow Grade: 92/100! Good page Speed: 93/100! javascript and css are as much as possible combined. Cache controlls seem well set too (as proven by the grades). Whats missing in those 7 points out of 100: not using Keep-Alive (beyong my controll in shared hosting and not using Content Delivery Network. I can live with those missing 7 points, but this is major hit on speed!
B. Furthermore: i recently was given great insights over here that i should use url rewriting via htacces. Point taken, BUT, perhaps there is sometin else wrong here that i should correct before moving on to the for me more difficult apache regex syntaxes.
C. Faster way: When I php include the intended homepage, instead of redirect, then all loads fast, but the url is not rewritten: it sits at website.com on the browser bar, whereas i wish after including it to become website.com/en/home. Is this possible with PHP? To include+change the current address of the url, too?
Conclusions: you can redirect using index.php, or using .htaccess. Sofar from my tests (coming from the genius answers below!THANKS EVERYONE!) the latter seems unmatched in speed: much faster redirecting than a php redirect! reducing the redirect to shorter than the first dns lookup.
see here how to do this correclty for multilingual site

Damn, I hate getting stuck with this kind of problem. You need to eliminate some variables.
First I should point out that PHP will not flush all of its own headers until you start outputting things (or, if the output_buffering(?) ini directive is set to x bytes, until you have output x bytes). So the following script will not finish "sending headers" until the very end:
<?php
header('Content-Type: text/pants');
sleep(6);
header('Ding-Ding: time to put the socks in the dryer');
echo "z"; // headers are sent here
What happens to the call to en/home if you put exit; or echo "wheeeee"; exit; at the very top of that PHP script? Then what happens when you substitute it with a plain, empty file? If the php script with exit is slow but the plain text file is fast, the PHP interpreter is probably playing funny buggers. If you still get the delay for both, you've eliminated the actual response generation as the cause (but I'm still trying to come up with some ideas if this is the case).
Also, can you ssh to the server? If so, can you try wgetting the same page from inside the server? If you can without the speed problem, I would be looking at the client side. If you can't SSH, you could try doing a request from PHP, though I'm really not sure if this will work:
<?php
$context = stream_context_create(array(
'http'=>array(
// send request headers if you need to
'header'=>array(
'Foo: Bar',
'Bar: Baz',
),
),
));
$start = microtime(true);
$response = file_get_contents('http://yourserver.com/', null, context);
$end = microtime(true) - $start;
var_dump($end);
// for some bizarre reason, PHP emits this variable into the local scope.
var_dump($http_response_header);
Have you tried doing the same request from other machines, or other places in the world? This can confirm or deny if it's just your machine.
Another thing you can try if it is the response generation is to do a little bit of hack-profiling on the production server. I hate having to do this stuff, but sometimes your code just refuses to behave on the production server like it behaves in your development environment or on staging. Do this to the script that generates /en/home:
<?php
// put this at the very top
$rqid = uniqid('', true);
$h = fopen(__DIR__.'/crap.log', 'a');
fwrite($h, $rqid.' [START] '.microtime(true).PHP_EOL);
fclose($h);
// do all that other wonderful stuff, like laundry or making a cup of tea
// put this at the very end
$h = fopen(__DIR__.'/crap.log', 'a');
fwrite($h, $rqid.' [END] '.microtime(true).PHP_EOL.PHP_EOL);
fclose($h);
Run a few requests against it, check to make sure 'crap.log' is getting stuff written to it (check permissions!!), and then you'll have some data that will show whether there is something in your script that needs to be investigated further as the cause of the slowness.
Oh, did I mention MySQL indexes? Are you doing any queries during the request? Have you added all of the proper indexes to the tables?
Steven Xu raises a good point in the comments for your question - are you sure the program you're using to generate the waterfall is giving you good info? Try installing Firebug if you haven't already, click the little firebug icon in the bottom right of firefox and make sure the "Net" panel is open, then re-run your request and see if the waterfall is consistent with the results you're seeing in the program you used.
Also, I know this is kind of a boneheaded suggestion and I apologise, but I think it needs to be said: your host doesn't allow ssh and only uses PHP 4? I would seriously consider another host. It may even solve this specific problem.
I will add more stuff as I think of it.

If it is indeed the headers taking ages, then your JS/CSS/HTML is irrelevant.
You can do the forwarding in .htaccess.
RewriteEngine On
RewriteRule ^$ en/home [R=301]
This will essentially send the same header, but it won't invoke the PHP engine first to do it :)
Update
On closer inspection, it would seem to me that your en/home page is taking the longer time to download.

I think Ignacio Vazquez-Abrams may have the answer: after you call header() to do the redirection you need to call exit() to cause the PHP script execution to stop. Without that the script will keep executing, sending output to the browser, until the end. Since the browser has to wait for the server side script to end before performing the redirection that could cause the problem.
Update
Just read Alex's update and he seems to be correct. The /en/home page is where the time is.