Reputation: 45
Basically I am just trying to get an idea on what would be a good approach to accomplish what I want to do. I have a system that allows users to log on with IDs and PWDs with different account types, etc.
The application is a browser-based (LAMP stack) time clock and what I want is to allow anyone to log on from any computer or device (done), but also only allow certain computers to be able to punch in or out. So I would have to log in on the work computer to be able to punch, but could log in at home and check hours etc.
Any ideas on a good solution?
Upvotes: 1
Views: 88
Reputation: 23361
There is no way for you to rely only on client info from the request (like IP, cookie, browser version, etc.) to validate your permissions. So my suggestion is for you to rely on client device information like disk serial number, device serial number, etc. The problem with this approach is how to get that info.
As you said that this is software for a company, I would do the following steps.
1 - Develop an applet to get specific client device info (device serial id, hard disk serial id, motherboard serial id, etc.)
1.a - You will have to identify the device and map it to a possible specific piece of info. For example, if it is a computer you get the hard disk serial number; if it is a cell phone you would have to know which operating system it is and get the device serial number.
2 - In order for this applet to work with those permissions you will have to create a certificate and the user must accept it (since it is a company it shouldn't be a problem).
3 - A database structure to support this; just as an example it would be: User, device_type, device (with FK to device_type), user_device (which is an n-m table).
4 - and from that first model you can go crazy about permissions like:
4.a - To have a table user_device_permission with another table permission and from that a table user_device_permission_time (which would specify the times at which a user can do some specific thing on a specific device).
Upvotes: 0
Reputation: 14437
An alternative might be to restrict the use of those functions to certain times (9am-5pm office hours for instance).
Beware of basing things on IPs because IPs can change.
Another solution: Two-step authentication.
Upvotes: 2
Reputation: 2300
I've done something similar with a timeclock application.
I check the user's IP for one of our LAN IPs (e.g. 192.168.?.?) as there shouldn't be any public IPs in that range. If it's a valid LAN IP, then they can clock in/out. If it's not, then they can't clock in/out, but can still check their hours.
This might not be viable for your situation though, depending on the requirements you're wanting computers to meet to be able to clock in/out.
Upvotes: 0
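The two ideas above (an office-subnet check and an office-hours window) combined into one PHP gate for the punch action, as an added example for the asker's LAMP stack rather than code from any answer. The subnets, hours and timezone are assumed values; it matches on proper CIDR ranges instead of a string prefix, and it reads only the TCP peer address so a client cannot spoof its way on-site with a header.

```php
<?php
// Added example (not from the question or any answer): allow punching in/out
// only from an allow-listed office subnet during office hours; everything else
// (viewing hours) stays available from anywhere.

/** True if IPv4 $ip lies inside $cidr, e.g. "192.168.10.0/24" or "10.0.0.5". */
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                       // single host
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || !ctype_digit($bits) || (int)$bits > 32) {
        return false;                         // malformed input never matches
    }
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Punching is allowed only on-site and within [$openHour, $closeHour) on weekdays. */
function canPunch(string $peerIp, array $allowedCidrs, DateTimeImmutable $now,
                  int $openHour = 7, int $closeHour = 19): bool
{
    $onSite = false;
    foreach ($allowedCidrs as $cidr) {
        if (ipInCidr($peerIp, $cidr)) { $onSite = true; break; }
    }
    // 'N' = ISO weekday (1 = Monday), 'G' = hour 0-23; $now must already be in office time.
    $weekday = (int)$now->format('N') <= 5;
    $hour    = (int)$now->format('G');
    return $onSite && $weekday && $hour >= $openHour && $hour < $closeHour;
}

// REMOTE_ADDR is the socket peer; X-Forwarded-For is client-controlled, so never
// use it here. Behind a trusted reverse proxy, let Apache's mod_remoteip rewrite
// REMOTE_ADDR instead. Note the caveat from the answers: this identifies the
// network, not the machine, so a VPN or NAT can make a remote user look on-site.
$allowed = ['192.168.10.0/24', '10.20.0.0/16'];                 // assumed office subnets
$peer    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
$now     = new DateTimeImmutable('now', new DateTimeZone('America/Chicago')); // assumed
if (!canPunch($peer, $allowed, $now)) {
    http_response_code(403);
    exit('Punching in/out is only allowed from an office workstation during office hours.');
}
// ... record the punch for the already-authenticated user here
```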
Reputation: 115
Is work the only place you want them to be able to clock in from? Do the PCs at work have static IPs? If so, you could limit requests not coming from one of those IPs - you might also be able to filter on MAC addresses.
Upvotes: 0
Reputation: 1842
A better approach is to restrict by MAC address; however, it is very complicated. Other ways should contemplate client IP restriction, time frame restriction, user restriction.
Check this post about getting the MAC address.
Upvotes: 0