Jump to content

Recommended Posts

On a web based application we are working on, I need to come up with a better way to secure the backend. I am not just talking about login data so please read the following to get more information.

 

Each of our customers have their their employees with login data on our site that just gives them access to their customer data. They can purchase items on the website and charge it to their account and get immediate access to the purchase. For this reason we do not want a employee to be able to go home and login to the system and purchase something charging it to their employers account. But we really cant just block all IP's except for customer IP's as we all know people's IP's do change along with come of our customers would be logging in on their laptop on different networks.

 

Can you give me your opinion on each of the following items or maybe something I have forgot.

 

1. Allow VIA IP - As I mentioned we can do this, but if they are denied access then it will make them request access via a given IP Address and then that IP/Range of IP's would be given access into the system.

 

2. Access via Computer - I am not sure what would be needed to do this, but basically we would grant a computer access. So somehow we would have to take some kind of information from the computer that is unique and log it into the database. This way no matter if their IP Address changes then that given computer is always given access. My guess is maybe something like ActiveX.

Link to comment
https://forums.phpfreaks.com/topic/44241-secure-web-page-access/
Share on other sites

well it doesn't really have to be a cookie, it could be something else. if you really want you could even make an application (windows based) that will connect them to the website...maybe even change access and passwords automatically to the program that only that program would know

2. Access via Computer - I am not sure what would be needed to do this, but basically we would grant a computer access. So somehow we would have to take some kind of information from the computer that is unique and log it into the database. This way no matter if their IP Address changes then that given computer is always given access. My guess is maybe something like ActiveX.

 

With ActiveX you can probably validate via MAC address.  The MAC address will unique per each ethernet device. 

 

http://www.google.com/search?q=activex+mac+address

 

Best of luck,

 

Patrick

Mac addresses (as well as IPs) can be spoofed.

 

I know my bank stores a unique key file on my computer and then use some Java applet to handle the login procedure for their online banking service. I enter my password and it checks if the key is valid and exists and then checks their database. I guess you could do something similar. The requirement is that you need something that can access things on the client computer (which PHP cannot).

Possibly a time based-solution? The employer could set times when the system is allowed to be active maybe? The only problem with this is that if someone is home "sick" they could still log in. Although the question I want to ask is why are you having the employee purchase a product rather than the employer? What types of products are these?

It is a digital good that when someone goes to the cash register and wants to purchase this item then the employee that is checking them out will order the product thru our system and then hand their customer that is in the checkout line the information about the product so that is why the employee's of the company would be ordering from our system and not the managers.

It is a digital good that when someone goes to the cash register and wants to purchase this item then the employee that is checking them out will order the product thru our system and then hand their customer that is in the checkout line the information about the product so that is why the employee's of the company would be ordering from our system and not the managers.

Well then I'm not really sure if there is any easy way to do it automatically. You might just have to go with something that can be spoofed as it is the closest to secure as you can get.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.