redbrad0 Posted March 25, 2007

On a web based application we are working on, I need to come up with a better way to secure the backend. I am not just talking about login data so please read the following to get more information.

Each of our customers has their employees with login data on our site that just gives them access to their customer data. They can purchase items on the website and charge it to their account and get immediate access to the purchase. For this reason we do not want an employee to be able to go home and login to the system and purchase something charging it to their employer's account. But we really can't just block all IPs except for customer IPs, as we all know people's IPs do change, along with some of our customers would be logging in on their laptop on different networks.

Can you give me your opinion on each of the following items or maybe something I have forgotten.

1. Allow via IP - As I mentioned we can do this, but if they are denied access then it will make them request access via a given IP address and then that IP/range of IPs would be given access into the system.
2. Access via Computer - I am not sure what would be needed to do this, but basically we would grant a computer access. So somehow we would have to take some kind of information from the computer that is unique and log it into the database. This way no matter if their IP address changes then that given computer is always given access. My guess is maybe something like ActiveX.

cmgmyr Posted March 25, 2007

I would do it by IP access, but also have them store a cookie (or something else) locally so now you have 2 things to check for.

redbrad0 Posted March 25, 2007

A cookie is very easy to change so I would rather a better way. This system processes a very high volume of money every day, and the item they can purchase is something that young kids would try and get this product.

cmgmyr Posted March 25, 2007

Well, it doesn't really have to be a cookie, it could be something else. If you really want you could even make an application (Windows based) that will connect them to the website... maybe even change access and passwords automatically to the program that only that program would know.

utexas_pjm Posted March 25, 2007

> 2. Access via Computer - I am not sure what would be needed to do this, but basically we would grant a computer access. So somehow we would have to take some kind of information from the computer that is unique and log it into the database. This way no matter if their IP address changes then that given computer is always given access. My guess is maybe something like ActiveX.

With ActiveX you can probably validate via MAC address. The MAC address will be unique per each ethernet device.

http://www.google.com/search?q=activex+mac+address

Best of luck,
Patrick

Daniel0 Posted March 29, 2007

MAC addresses (as well as IPs) can be spoofed.

I know my bank stores a unique key file on my computer and then uses some Java applet to handle the login procedure for their online banking service. I enter my password and it checks if the key is valid and exists and then checks their database. I guess you could do something similar. The requirement is that you need something that can access things on the client computer (which PHP cannot).
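
An added example, not part of any post in this thread: one way to combine the two checks suggested above (an approved IP range plus a secret stored on the enrolled computer, in the spirit of the key file Daniel0 describes), written in PHP. All function names, the in-memory `$devices` array standing in for a database table, and the sample addresses and customer id are assumptions.

```php
<?php
// Added example (PHP 7.1+, 64-bit); all names are hypothetical.
// Enrol a computer: hand the client a random token, store only its hash.
// The token cannot be guessed, but it can be copied off the enrolled machine.
function enrol_device(array &$devices, int $customerId): string
{
    $token = bin2hex(random_bytes(32));              // saved client-side (key file or cookie)
    $devices[hash('sha256', $token)] = $customerId;  // stands in for a database table
    return $token;
}

// True if $ip lies inside an IPv4 CIDR range such as 203.0.113.0/24.
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[1]) || (int)$parts[1] > 32) {
        return false;
    }
    $ipLong = ip2long($ip);
    $netLong = ip2long($parts[0]);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (~0 << (32 - (int)$parts[1])) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Second-factor decision for a request that has already passed password login.
function may_purchase(array $devices, array $cidrs, int $customerId, string $ip, ?string $token): string
{
    $hash = $token === null ? '' : hash('sha256', $token);
    if (!isset($devices[$hash]) || $devices[$hash] !== $customerId) {
        return 'deny';                               // computer was never enrolled for this customer
    }
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return 'allow';                          // enrolled computer on an approved network
        }
    }
    return 'request_access';                         // enrolled laptop on a new network
}

// Constructed sample data (documentation IP ranges, made-up customer id).
$devices = [];
$token = enrol_device($devices, 42);
$cidrs = ['203.0.113.0/24'];
foreach ([['203.0.113.7', $token], ['198.51.100.9', $token], ['203.0.113.7', null]] as [$ip, $t]) {
    echo $ip, ' => ', may_purchase($devices, $cidrs, 42, $ip, $t), "\n";
}
```

The `request_access` outcome corresponds to the request-an-IP flow in option 1 of the opening post.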

Eric_Ryk Posted March 29, 2007

Possibly a time-based solution? The employer could set times when the system is allowed to be active maybe? The only problem with this is that if someone is home "sick" they could still log in.

Although the question I want to ask is why are you having the employee purchase a product rather than the employer? What types of products are these?

redbrad0 Posted March 30, 2007

It is a digital good that when someone goes to the cash register and wants to purchase this item then the employee that is checking them out will order the product through our system and then hand their customer that is in the checkout line the information about the product, so that is why the employees of the company would be ordering from our system and not the managers.

Eric_Ryk Posted March 31, 2007

> It is a digital good that when someone goes to the cash register and wants to purchase this item then the employee that is checking them out will order the product through our system and then hand their customer that is in the checkout line the information about the product, so that is why the employees of the company would be ordering from our system and not the managers.

Well then I'm not really sure if there is any easy way to do it automatically. You might just have to go with something that can be spoofed as it is the closest to secure as you can get.