Device Mac Address

[alaafathey]

Good Day ,

Got an attendance script and need to do some edit to match my needs.

i have added an employee database table for the device mac address ( i'm adding the mac address manually ).

wanna add php code that Fitch the device mac address and compare it to database table ( same as password comparing process ) , and the user is able to login via his username and password in the mac address matches.... this way im making sure that Employees not check in for each other as all the process is happening using cell phone.

Thanks for your support.

[requinix]

It is not possible to know the MAC address of a client's computer. At all.

You'll need to find an alternative method to identify a user.

[Phi11W]

2 hours ago, alaafathey said:

wanna add php code that Fitch the device mac address

Can't be done ...   unless your PHP code actually runs on the User's own machine, which it [almost certainly] doesn't.  

No part of the HTTP protocol shares that information from client to [web] server. 

 

2 hours ago, alaafathey said:

the user is able to login via his username and password in the mac address matches

I would suggest that this is also a Bad Idea. 

Never had your computer replaced or upgraded?  
New computer, new MAC address, User can't log in, complaints to the Service Desk and Application Bug Reports ensue.  

Lots of Grief that you really don't need. 

 

2 hours ago, alaafathey said:

this way im making sure that Employees not check in for each other

Not really.  

I assume that your company as some sort of Information Security policies or, at the very, very least, Terms and Conditions of Use and one of the really, really basic ones should include "not sharing passwords".  If they want to do something stupid like hand their passwords around, they've got far bigger problems. 

Regards, 
   Phill  W.

 

[ginerjm]

What does 'Fitch' mean?

[alaafathey]

2 hours ago, ginerjm said:

What does 'Fitch' mean?

get

[ginerjm]

Get?  Are you trying to say 'fetch' as in retrieve a query result?

At least now I understand one sentence.  The rest is still not clear.

[alaafathey]

1 hour ago, ginerjm said:

Get?  Are you trying to say 'fetch' as in retrieve a query result?

At least now I understand one sentence.  The rest is still not clear.

yaah ( Fetch ) - it's my bad - Sorry.

[ginerjm]

I suppose this topic is closed now after Requinix told you it cannot be done.  Hopefully your next post will be written a bit clearer and in a style that makes it easier to read 

Edited June 20, 2023 by ginerjm

[alaafathey]

4 minutes ago, ginerjm said:

I suppose this topic is closed now after Requinix told you it cannot be done.  Hopefully your next post will be written a bit clearer and in a style that makes it easier to read 

Will do my best . Thanks.

[ginerjm]

Since you cannot use the mac address to identify the client that is making a login request, what do you have available to help you make an id?  Are you that uncomfortable with users keeping their own passwords secret?  If this password is important enough to the employee that he/she should not be sharing it, how can you make that real to the staff?

[gizmola]

I would suggest a simple name/password system, as is standard.  What you can do is log the IP address in the database.   The server gets access to the client IP address.  The users have no way of knowing what you are logging or not in that regard.  You can then write some reports that look for multiple logins from the same IP address, which should not happen from a mobile phone, unless the users are logging into the same wifi network.  

Another thing you could do is push a tracking cookie that doesn't expire.  Generate a guid value or hash, and push this using some innocuous name, when a user logs in.  Set the cookie so that it doesn't expire for 12 months or something like that.  You can then check for the existence of this cookie and log it upon login. You can use that cookie, like IP address.

In general these types of things require a login/audit table, that makes an entry for each user login.  If the users don't understand what you're doing, you are likely to be able to find people logging into multiple accounts using the same cookie value, or missing the cookie on login.  You 100% will know when a user logs in with the wrong cookie.    What you choose to do in that circumstance is up to you, but I would not suggest that you make it an outright error, but rather something that is determined through reporting on the audit table.

I would suggest that you employ both items (IP address and login cookie value), and perhaps a status code, you can set, when the code sees a user logging in with some other user's cookie.