0

I'm looking for a solution for a php based web to get MAC address.I'm running appache server, the server is in the same network as the clients .Are there any suggestions?

Mohammad Jaber
  • 1
  • 1
  • 1
  • 3
  • 1
    Isn't this what accounts are for? –  Nov 29 '13 at 15:31
  • Username/password? The mac can be easily faked. – Maerlyn Nov 29 '13 at 15:32
  • 1
    Are you looking for a solution that is secure (authentication), or just unobtrusive (convenient)? Do the IP addresses of machines on your local network change? Do they have network names? Cookies are a good way of seeing "ah that is the client I saw before" if security is not your main concern - and it works regardless of network location. MAC addresses can only be seen "this side of the nearest router" which makes it very narrowly applicable. – Floris Nov 29 '13 at 15:33
  • 1
    When you say client, do you mean a specific user (a person) or a specific device? – basilikum Nov 29 '13 at 15:35
  • Possible duplicate: http://stackoverflow.com/q/1420381/603003 – ComFreek Nov 29 '13 at 15:39
  • 1
    Once wrote a blog article about this http://www.metashock.de/2010/07/reverse-arp-using-bash/ – hek2mgl Nov 29 '13 at 15:47

2 Answers2

4

The mac address can be configured, so it is not an identy. Don't use network address information for authentication or identification, never.

However, you may just use the mac address for informational - non security related reasons - in your application, so I will explain how to get it (on Linux).

First, the client's mac address isn't available in php globals like REMOTE_ADDRESS (the IP address of the client). You need to resolve it on your own using the arp command. arp can output the ARP table of the system and modify it. To resolve an IP to a mac address use:

arp -a IP

Back to PHP. We need to call the command above, passing the clients IP address to it:

$ip  = $_SERVER['REMOTE_ADDRESS'];
// don't miss to use escapeshellarg(). Make it impossible to inject shell code
$mac = shell_exec('arp -a ' . escapeshellarg($ip));

// can be that the IP doesn't exist or the host isn't up (spoofed?)
// check if we found an address
if(empty($mac)) {
    die("No mac address for $ip not found");
}

// having it
echo "mac address for $ip: $mac";
hek2mgl
  • 152,036
  • 28
  • 249
  • 266
  • The question asks about identification, not authentication. – Floris Nov 29 '13 at 15:36
  • 1
    Both topics are related. How will you authenticate someone without identifying him? But however, if you care about the difference, I've updated my answer. – hek2mgl Nov 29 '13 at 15:38
1

You may ask for MAC adress, it can be tweaked; you can also ask for client ip but it might change everytime.

Unless you're in a all controled LAN, just manage accounts authentication!

Even, if you are in a LAN, clients might get an static ip whch would be assigned by ... well ip so far. I think this may come up with OSI layers model stuffs

Community
  • 1
  • 1
diegoaguilar
  • 8,179
  • 14
  • 80
  • 129