0

I need to somehow detect the IP address of some of my website visitors and let them access the website without loggin in. Currently the content of the website is password protected and the visitors should log in in order to get access to the content. But I was wondering if there is a way to let some of our customers to get access without logging in by detecting their IP address.

Is this possible? If yes, what's the best solution?

Thanks

hnnnng
  • 481
  • 4
  • 21
  • One of these questions might get you started: [Allow IP address without authentication](http://stackoverflow.com/q/3649852/738262) or [How do I find a user's IP address with PHP?](http://stackoverflow.com/q/55768/738262) – Brian Nov 15 '13 at 18:52

3 Answers3

2

First off; this shouldn't be a Javascript question. You can't write site security in Javascript, because it runs on the client's computer, and you can't trust that computer. They could just open devtools and replace "if (loginOk())" with "if (true)"

Usually, this is accomplished not via IP address (which is pretty easily spoofed) but with some sort of randomized cryptographic hash given to them as a cookie. I can summarize it for you in a short way, but you'll want to look up the idea of "oauth tokens".

  1. User logs in using their username and password
  2. In the Response to their login action, the server sets cookie 'mysite_login_token' to a highly randomized string based off of their user information and the current date, ie 'noonewilleverguessthisstringofletters' (well, no, not that exactly - like I said, read more specialized articles on the subject).
  3. In all subsequent requests to sensitive information, the server checks the sent value of 'mysite_login_token', and makes sure it matches the stored value for that username.
  4. If the user logs off, then the server deletes its copy of that token so it can't be used again.
Katana314
  • 8,429
  • 2
  • 28
  • 36
  • Thanks Katana. I did some research and the OAuth handshaking token system (as you suggested) is the way to go. – hnnnng Nov 21 '13 at 17:30
0

you can't in pure javascript; you can use a server side service using .net or php and use XHR to fetch the result

RecycleRobot
  • 801
  • 2
  • 11
  • 19
0

The IP address could be useful for making an initial guess at who might be on your system if no login or cookie is presented. The IP can be used to obtain their approximate location or for logging the activity of anonymous users. The cookie is certainly a better way to re-identify a client machine than an IP, because dynamic IP's change periodically. Still identifying a machine is not the same as identifying a particular user. The IP or cookie for a machine at a public library won't identify a particular user. See: geolocation website

davej
  • 165
  • 1
  • 6