1

I am wondering how big of a job it is to be able to do the following:

I want to have certain web pages on a site only accessible by specific computers. Of course, I can always provide usernames and passwords, but I want it restricted even further.

To illustrate:

  • I give User-A access to page-A.
  • I give User-A a username and password to access page-A.
  • User-A tries to share the username and password with a friend (User-B).
  • User-B tries to access page-A with User-A's credentials, but it does not work because User-B needs to be on User-A's computer to do so.

I know that this is possible to accomplish, since financial institutions employ this kind of security, but can I implement it on my my own? If so, how?

--Edit--

Yani mentioned that filtering by IP would not be wise, since user IP addresses often change. My question now turns to the use of sessions or localstorage/webstorage to control access to certain webpages.

What local data would you need to pull? I would imagine that a database would be required to store computer data for future reference by the system.

mateikav
  • 93
  • 3
  • 9
  • You can, but you shouldn't. IP != computer. One computer may make requests of your site from multiple IPs, and many computers my make requests of your site from a single IP. – user229044 Jan 29 '14 at 05:37

2 Answers2

2

IP addresses are, for most home users, temporary only. The ISP will change them every few weeks/months, unless the user has a static IP (which usually costs more).

In addition, a user can take his laptop to a coffee shop and immediately log in from a different IP.

Therefore, IP address filtering is a good idea only if you want to geo-block users (country, state, etc.), but, to my honest opinion, not a good idea for authenticating a user over a long period of time.

You may just need to implement a cookie/session/localstorage with Javascript or server side technology such as PHP, which will be browser & computer specific.

Cookies + IP Address

Combining cookies/localStorage technology ALONG WITH IP address can actually be a good idea for having a 2nd level of securiy (i.e when IP changes, having an alert such as 'it seems as you are loging in from a different IP address, please answer security question...').

Also - when a user will login from a different browser but same computer (and same IP) you can have an extra verification question.

You can even implement a IP address history, such as gmail's.

However, if you had to choose only 1 of the methods - I'd definitely go with cookies/localStorage.

Examples of how to set and get local data in Javascript.

With localStorage (HTML5):

localStorage.setItem('userAuthenticated', '1');
localStorage.getItem('userAuthenticated');

With cookies:

function setCookie(cname,cvalue,exdays)
{
var d = new Date();
d.setTime(d.getTime()+(exdays*24*60*60*1000));
var expires = "expires="+d.toGMTString();
document.cookie = cname + "=" + cvalue + "; " + expires;
} 

function getCookie(cname)
{
var name = cname + "=";
var ca = document.cookie.split(';');
for(var i=0; i<ca.length; i++)
  {
  var c = ca[i].trim();
  if (c.indexOf(name)==0) return c.substring(name.length,c.length);
  }
return "";
}

Hope this helps!

dev7
  • 6,259
  • 6
  • 32
  • 65
  • This makes perfect sense. Thanks for reminding me about the often non-permanent nature of IP's. I'll do some research into what I could do with cookies/session/localstorage. – mateikav Jan 29 '14 at 05:45
  • @mateikav my pleasure, I've added more details to my answer :) – dev7 Jan 29 '14 at 05:50
  • This is good information. I think it would be adequate to only use the cookie/localstorage method. Now I need to research how exactly to do this. – mateikav Jan 29 '14 at 05:56
  • @mateikav I'll add some info on that to my question. – dev7 Jan 29 '14 at 05:57
0

You probably will need to use .htaccess to do this. Try this and see if it works for what you are trying to do.

.htaccess: how to restrict access to a single file by IP?

Community
  • 1
  • 1
Phobos
  • 717
  • 7
  • 9