I have developed a web based portal using php and some part of the site is only accessible by employees only. I would like to add an extra security layer so only employees whose PC is authenticated can access the restricted area.
If it was Dot NET it could be easily done by using activex components but I am not certain about the PHP.
Can any one share hints how to accomplish this task using PHP?
Are you using Active Directory to Authenticate? If so, you can probably tap into the LDAP functions in order to check for a valid authentication. You could also implement some security paradigm like Kerberos in order to achieve this with single sign on.
The easiest thing to do is to add a users table to your database and then built some basic authentication around that.
I would create a while-list with the IP's of the allowed computers (using $_SERVER['REMOTE_ADDR']), since it's almost the only information that you can obtain from the machine that make the HTTP request using just server-side scripting.
This should work well for computers inside the company, since they would have IP's within the same range (e.g. 10.100.x.x or 192.168.x.x), or they will use the same gateway for connecting to Internet.
If you need to allow access to roaming laptops, then this method will be almost useless unless they have static IP addresses.
This likely isn't possible with PHP. You can try to embed an ActiveX control using PHP, but I feel like this would be a better application for desktop software. PHP is definitely not going to be sympathetic. Sorry.
Related
Can anyone share me any idea (free) that I can make my Laravel Application (costumer website) usable to only single IP or domain?
After I host the application into my client's end, I want my code to be secured from being used again for other projects.
I want to prevent my client from re-publish my code
for example: remote confirmed from my web service for Client IP (costumer website)
After I host the application into my client's end, I want my code to be secured from being used again for other projects.
What you're looking for is a legal protection, not a technological one.
This is related to the "problem" of client authenticity in that you cannot generally control the contents of the computer that's communicating with you. Any copy-protection mechanisms you install will be trivially bypassed. (I work with cryptography; I've seen a lot of attempts to be clever, and none of them have ever stopped me from bypassing or disabling them.)
Can anyone share me any idea (free) that I can make my Laravel Application (costumer website) usable to only single IP or domain?
The way that's worded sounds like you're asking StackOverflow to give you free work (or point you to a free alternative to snakeoil solutions like ionCube) which is not what this website is for.
Right now we have a Ionic project that is almost finished that comes with a php backend. To make the backend a little bit more secure against influences from outsite we would like to make the backend only accessible from within the ionic project (native app). I tried to restrict it by domain but since a native app doesn't have a domain that's not gonna work.
I can't show any code because i'm absolutely clueless on how to approach this.
Thanks in advance
we would like to make the backend only accessible from within the ionic project (native app).
Given the existence of reverse engineering and the futility of DRM, what you're asking for is, strictly speaking, not possible in absolute terms. Anyone can take your app, analyze its code/behavior (usually with freely available tools), and write their own app that communicates with your server.
To make the backend a little bit more secure against influences from outsite
Given that the above is impossible, what is your threat model? What attacks are you trying to protect against? You should assume that clients are malicious and validate all input on the server side. If you do that, then you don't need to worry about whether or not someone used your native app to communicate with the server.
Consider the workflow in this article, Building Secure Web Applications in PHP.
I'm making an web application, it's a kind of online shop using PHP, jQuery, AJAX and JavaScript.
I want to launch my site on only one PC on local host. How should I set my site so that it only runs on my single PC?
Even if anybody copy my code files and database files to his/her own PC it should not run on their PC. How to do this?
The one way I know is by using the IP address. but I not quite sure about this method works or not.
If someone gains access to your source code then there is nothing that you can do to stop them.
When hosting it on your own you can prevent external access but beyond that there is nothing you can do.
You can use an encoder script to encrypt your source code, and some of these come with an ability to lock down to MAC address. I think they are all commercial solutions, though; start with IonCube and SourceGuardian. Zend might have something as well.
I would imagine each of these solutions would have comprehensive tutorials on their respective sites. Your workflow is basically to check out a copy of your source code from version control, and encode that folder as part of your build process.
Technically, encrypted code can be reverse-engineered, since the encryption key is built into the code. However, it is a lot of work for someone to do so, and even if they decode it, they won't have your comments or your meaningful variable/method/class names.
Make sure no one gains access to that PC (where your application resides). Only in that case you can protect your application from being run by unauthorized person. Once you take this security measure then you can easily disable your application from being accessed from any other LAN computers by using your IP. This is how professional servers works so should you.
You can change the webserver binding to localhost 127.0.0.1 only.
Alternative way you can create a filter rule that the server only accepts remote from localhost/127.0.0.1
With apache you can do this by .htaccess or directory/server rules.
When you want to share that code, you need to encrypt it with zend-guard or equal tools. there is also some licence management inside it, where you can bind licences to machines.
I used to work for a bank, that had a very cool feature in it's intranet. Once you logged in your computer, there were global variables set in PHP through Apache, and they contained the identity of the user that was logged on on the computer. Now I'm at a new job, and I'm wondering, how this thing worked! I would like to implement this kind of thing once again.
What I'm working with here:
FreeBSD server, version is unknown to me.
Apache 2.2 web server
PHP 5, some custom compilation, that for various reasons, I can't upgrade or modify.
MS AD
All of the users logging on to their computers are using active directory, all are in the same domain.
What I used to have was something like this:
echo $_SERVER['username']
which would print the username of the user currently logged in.
Could someone explain, how this could be done?
P.S. If any of my server settings are not what is required, say so, because then I will have a reason to ask the bosses to give me one of my own, with more control.
There's lots of ways this might be implemented. However a lot of them depend on having control over the client as well as the server.
Obvious sources of data include:
NTLM
Client side certificates
The Ident protocol (not very secure without the encryption extensions)
A long lasting cookie (again, not secure)
HTTP authentication methods
However none of these explain how the value appeared in the session - this must have been implemented within the PHP code.
So without knowing how it was implemented at your previous site we can't tell you:
Whether it was secure and correctly implemented
how to replicate the behaviour
Given your resource list, while it would be possible to implement authentication based on direct LDAP calls, passing the username and password through your application, I would strongly recommend using (e.g.) openId - but restricting the providers to just your openid provider - which would use the MSAD as the backend.
I did not understand correctly the question, so I edit my post...
you could use apache auth, you can make auth by ip's or hostnames
http://httpd.apache.org/docs/2.0/en/howto/auth.html
I have two websites, one driven by ASP.NET and the other in PHP. The PHP site is hosted on a relatively inexpensive host provider ('unlimited bandwidth and diskspace for $10 a month). The PHP site also provides REST URLs which would help me in monetizing my website.
The other site (the 'main' site, as it were) is an ASP.NET website which houses the login mechanism. My goal is to allow users to log in to the ASP.NET site and then be redirected to the PHP based domain. Is there an easy and feasible solution that accomplishes this?
I have a few questions with regards to that approach:
How would I pass session information and variables from the ASP.NET Application to the PHP based application, to facilitate the aura of 'Single Sign On'?
Would a 'simple' cookie be able to handle this scensario? Or would I need to use encrypted query strings?
There is no 'sensitive' data on these sites, so securing user data isn't a top priority. The site was built 'for fun'.
Are there hosts that allow subdomains to be hosted on a different language platform than the main domain? If I had www.example.com hosted on an ASP.NET server, could I have a subdomain (forum.example.com) hosted on a PHP server? Is this possible?
Any help on this is greatly appreciated.
Although more complex, I would go with the same methodology as the OpenID spec and use the Diffie-Hellman exchange. This allows two parties with no prior trust, to establish a trust for a certain period of time.
Info for PHP
Info for VB.NET
I would go for a cookie if both sites are on the same domain. One advantage of cookies over encrypted strings is that they are automatically passed between requests and you don't have to think about them when building your urls. One downside of cookies is that they can be disabled by users.
Store the sessions in a database and create / use a session-type which is cross-platform. You might to do it yourself. But you should know that passing sessions etc between different languages like this, can be dangerous ( security-wise )