
Authentication of both user and computer


mfleck


Greetings,

I am a new member here, so please excuse me if I've posted this in the wrong area. And while I searched for this topic, I hope I'm not repeating something you've already covered...

I'm in the early planning stages of a project which will be written almost entirely using PHP to interface with a MySQL database on a hosted server. It will be critical that data be entered only from known sources. In other words, it's not enough that Mary is able to authenticate with user name and password, we also want to be sure that she is using a machine that is known to the system, not from home or elsewhere.

Although I have a lot of experience coding in PHP, there's nothing popping into mind as a good way to accomplish this. Ideas?

The IP address is generally the way that springs to mind. Other than that, setting up something in the initial instance in the way of a cookie (a randomly generated hash that gets stored both in the DB and on their comp). Sure, it's not perfect, but otherwise there aren't too many surefire ways to make sure that someone is on the same machine. If it's a private system and not so much a website, then the $_COOKIE method is good. Provide the user with a link to set up the cookie in the first instance, and voila.
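The cookie approach suggested above, as an added example that is not part of the original thread: a random token is issued once per enrolled machine, only its SHA-256 hash is stored, and the login code checks it after the password check. The `known_devices` table, the `device_token` cookie name and the in-memory SQLite demo are assumptions; the token proves possession of the cookie, not the hardware, so it can be copied along with the browser profile.

```php
<?php
// Added example, not code from the thread. Table and cookie names are assumptions.
declare(strict_types=1);

const DEVICE_COOKIE = 'device_token'; // hypothetical cookie name

// Enrol a machine: returns the raw token for the cookie; only its hash is stored.
function enrol_device(PDO $db, int $userId, string $label): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO known_devices (user_id, label, token_hash) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $label, hash('sha256', $token)]);
    return $token;
}

// Send the token to the browser. Secure/HttpOnly keep it off plain HTTP and out of scripts.
function send_device_cookie(string $token): void
{
    setcookie(DEVICE_COOKIE, $token, [
        'expires' => time() + 365 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
}

// Called after the password check succeeded: is this browser enrolled for this user?
function is_known_device(PDO $db, int $userId, ?string $token): bool
{
    if ($token === null || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;
    }
    $stmt = $db->prepare('SELECT token_hash FROM known_devices WHERE user_id = ?');
    $stmt->execute([$userId]);
    $candidate = hash('sha256', $token);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $candidate)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed demo on an in-memory SQLite database so it runs offline (the thread uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE known_devices (user_id INTEGER, label TEXT, token_hash TEXT)');
$token = enrol_device($db, 1, 'front-desk PC');
var_dump(is_known_device($db, 1, $token));              // enrolled machine, right user
var_dump(is_known_device($db, 1, str_repeat('0', 64))); // well-formed but unknown token
var_dump(is_known_device($db, 2, $token));              // valid token, different account
```

In a real login handler the token would come from `$_COOKIE[DEVICE_COOKIE] ?? null`, and `send_device_cookie()` would be called once from the enrolment link the post describes.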

  • 4 weeks later...
I've made a system similar to this before. To ensure users could only log in from certain computers, I wrote a simple Visual Basic application that I installed only on the computers I wanted to allow access. This program ran in the background and was discreet.

This lil Visual Basic application updated a MySQL table every x minutes with the computer's current IP address. The PHP script would then check that the login is coming from a certain computer by checking the IPs. It's ideal if the IP changes often too.

[quote author=AJReading link=topic=117760.msg496332#msg496332 date=1167854034]
I've made a system similar to this before. To ensure users could only log in from certain computers, I wrote a simple Visual Basic application that I installed only on the computers I wanted to allow access. This program ran in the background and was discreet.

This lil Visual Basic application updated a MySQL table every x minutes with the computer's current IP address. The PHP script would then check that the login is coming from a certain computer by checking the IPs. It's ideal if the IP changes often too.
[/quote]

Just out of curiosity:

How do you handle shared IPs?
How do you get the right update interval; how can access be granted if the IP has changed before the update was sent?

I must say I like the idea of having an identifier that is unavailable to other sites the user visits, but I still see some small issues.

Just thought of this: how is this going to prevent session hijacking? If the user visits a malicious website, the IP will be available and can be easily spoofed... :-\

My bank has a Java applet for their online banking service that handles logins. On my computer I have a key (and in my mind I got a password). Without the key on the computer I only have read access, but if the key is present I am able to make transactions etc.

I suppose you could do something similar, but I don't know how you would check if the key is there, and how to check that the user doesn't copy the key to another computer.
