Reputation: 13
In brief, we have a website built in ASP.NET C# that we're adding a login area to for people to see some paid-for content. There will be different levels of account, one which when logged in can download say 10 documents a day, another that can download 20, etc.
What the client has also now asked for is can they sell unlimited access to this facility to a customer, where that customer will only be able to get this unlimited access when using some specific computers.
Really don't know if there is an elegant solution to this? I'm thinking MAC addresses must be the key, but as far as I know the C# code doesn't have direct access to that? Have read that JavaScript will be too unreliable in its getting of the MAC address, and that writing a Java applet may be the only way.
Does anyone else have a better suggestion than this?
Any help would be greatly appreciated.
Upvotes: 1
Views: 917
Reputation: 12371
There are sexier answers already provided. Would good old/boring digital certificates suffice?
Upvotes: 0
Reputation: 108
Is there a way that you can rely on static IP addresses? I know that, depending on the site these can change, but so can network cards (though this is less common).
Another question: Do you wish to restrict to individual machines, or simply make sure that only "N" licenses on that address are used? If this is the case, you can keep track of N license records on your side, with a corresponding cookie on the machine (perhaps a concatenation / hash of the IP address and license key signed with your private key) which expires after a week or what-have-you.
You have your own database / list of IP address, license key, and expiration date, and so if a computer logs on with an invalid cookie (IP address doesn't match what its license is associated with in your DB, to prevent copying cookies across), if a license is available in your DB (due to one pairing expired / never being used), give them the new license (and the benefit of the doubt). If it isn't available, give a polite "no more licenses are available, here's our sales number" message. This means that the IP address in your database is more of a reference thing, but it will also slow down "computer hopping", as these records will not expire until "a week or what-have-you" has passed. If a computer logs on with a "Valid IP" (in your DB) but no cookie / invalid cookie, re-issue that cookie with the same license as before with a new expiration date. Maybe. Maybe the same expiration date.
If IP addresses change slowly at the customer's site, this should work. If they change more than once per computer per timeframe, this could pose problems.
The initial distribution of these licenses could be "first come, first served", and rely on a network address range and logins.
Upvotes: 0
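The cookie-plus-license-table scheme from the answer above, as an added example that is not part of the thread. HMAC-SHA256 with a server-side secret stands in for the "signed with your private key" step, since the same server issues and verifies the cookie; `SeatManager`, the seat ids, the key and the IP addresses are constructed for illustration, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed demo (not from the thread): two seats, client IPs from a documentation range.
var mgr = new SeatManager(RandomNumberGenerator.GetBytes(32), new[] { "seat-1", "seat-2" }, TimeSpan.FromDays(7));
var now = DateTimeOffset.UtcNow;
var first = mgr.Authorize(null, "203.0.113.10", now);                    // first machine takes a seat
Console.WriteLine(mgr.Authorize(first, "203.0.113.10", now) == first);   // same cookie, same IP
Console.WriteLine(mgr.Authorize(first, "203.0.113.11", now) == first);   // cookie copied to another IP
Console.WriteLine(mgr.Authorize(null, "203.0.113.12", now) is null);     // third machine, both seats bound

public sealed class SeatManager
{
    private readonly byte[] _key;        // server-side HMAC secret, never sent to clients
    private readonly TimeSpan _lifetime; // the answer's "a week or what-have-you"
    // seat id -> (bound IP, expiry): the server-side list the answer describes
    private readonly Dictionary<string, (string Ip, DateTimeOffset Expires)> _seats = new();

    public SeatManager(byte[] key, IEnumerable<string> seatIds, TimeSpan lifetime)
    {
        (_key, _lifetime) = (key, lifetime);
        foreach (var id in seatIds) _seats[id] = ("", DateTimeOffset.MinValue); // unbound
    }

    private string Sign(string payload) =>
        Convert.ToBase64String(HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(payload)));

    private string Issue(string seat, string ip, DateTimeOffset now)
    {
        _seats[seat] = (ip, now + _lifetime); // bind the seat to this IP with a new expiry
        var payload = $"{seat}|{ip}|{(now + _lifetime).ToUnixTimeSeconds()}";
        return payload + "|" + Sign(payload);
    }

    // Returns the cookie value to send back, or null when every seat is taken.
    public string? Authorize(string? cookie, string ip, DateTimeOffset now)
    {
        var p = (cookie ?? "").Split('|');
        if (p.Length == 4 && long.TryParse(p[2], out var exp) && exp > now.ToUnixTimeSeconds()
            && CryptographicOperations.FixedTimeEquals(
                   Encoding.UTF8.GetBytes(Sign($"{p[0]}|{p[1]}|{p[2]}")), Encoding.UTF8.GetBytes(p[3]))
            && p[1] == ip && _seats.TryGetValue(p[0], out var s) && s.Ip == ip)
            return cookie; // untampered, unexpired, and bound to the caller's IP
        // A known IP without a usable cookie keeps its seat; otherwise take an unused or expired one.
        var seat = _seats.FirstOrDefault(kv => kv.Value.Ip == ip && kv.Value.Expires > now).Key
                   ?? _seats.FirstOrDefault(kv => kv.Value.Expires <= now).Key;
        return seat is null ? null : Issue(seat, ip, now);
    }
}
```

Machines that reach the site through one NAT or proxy address present the same IP and therefore share a seat under this check. The `ip` argument should be the address of the connection itself, not a value taken from a client-supplied header.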
Reputation: 150228
You are looking for the idea of Device Fingerprinting. Since this is a web application, you need the sub-field of Device Fingerprinting known as Browser Fingerprinting.
It is pretty easy to get browser fingerprinting right 80% of the time, and quite hard to get it right 100% of the time.
Have a look at Panopticlick (from the EFF) to get an idea of how it works.
There are several commercial software providers that provide solid Browser Fingerprinting as a service.
Although the general case is not easy, your specific case may be easier. For example, if you sell access to a company that is large enough to route all traffic through one or a few well-known IP addresses, you could just use that IP to authenticate users.
Alternatively, or specifically if you need to allow only certain computers within a facility, you could create a browser plugin that checks hardware (like the MAC address) and makes that information available to your authentication code.
Getting this kind of code right (in that it shows neither false positives nor false negatives, and is tolerant to changes in hardware such as a NIC upgrade) is very hard. It may be worthwhile to use a commercial browser fingerprinting company.
Upvotes: 2