
Basically I am just trying to get an idea on what would be a good approach to accomplish what I want to do. I have a system that allows users to log on with IDs and PWDs with different account types, etc.

The application is a browser-based (LAMP stack) time clock and what I want is to allow anyone to log on from any computer or device (done), but also only allow certain computers to be able to punch in or out. So I would have to log in on the work computer to be able to punch, but could log in at home and check hours etc.

Any ideas on a good solution?

5 Answers


An alternative might be to restrict the use of those functions to certain times (9am-5pm office hours for instance).

Beware of basing things on IPs because IPs can change.

Another solution: Two-step authentication.

  1. Username and Password
  2. The current day's access code (generated daily, and provided to those in office)
Chris Bier
  • You still might have an issue with an employee who is sick or late clocking in before they arrive. – dsimer Feb 06 '14 at 21:28
  • Yeah, also this is going to be deployed across two companies, including some salesmen who will sometimes punch outside of normal office hours. I definitely don't want to rely on an IP alone, as I gathered before asking this. – forevermetal02 Feb 06 '14 at 21:32
  • I edited the answer to provide another solution that I've had to use with an old client. – Chris Bier Feb 06 '14 at 21:38
  • That seems like a good solution, my only thought being that an employee could phone his buddy while punching in and give him the access code, and then said buddy could log in via his phone and punch even if he is running late. I could disable access to the timeclock from mobile phones easily, but I wanted to allow employees to be able to view the system on their phones for easy checking of schedules, etc. – forevermetal02 Feb 06 '14 at 21:45
  • You could always base the code off of some attribute of that user's PC or login so that the only person that could see it would be the PC user themselves. As for the "buddy system", the only way to truly eliminate that is with a thumbprint scanner...and even that isn't 100% – dsimer Feb 06 '14 at 21:48
  • @NickVeronick just disable the time clock from mobile devices. You'll always have an issue with people finding clever ways to get around it. (They could always change the user-agent with a simple plugin to get to the time clock). Factor in the manager(s) ability to keep track of who is clocking in. You might not be able to have all of the flexibility you want AND prevent abuse, something has to give. – Chris Bier Feb 07 '14 at 01:14
  • @NickVeronick I encourage you (if you haven't already) to write down your requirements, and then some possible solutions. If you can't find a solution in a couple days, you might have to drop one of your requirements. – Chris Bier Feb 07 '14 at 01:15

A better approach is to restrict by MAC address; however, it is very complicated. Other ways to consider are client IP restriction, time frame restriction and user restriction.

Check this post about getting the MAC address.

digitai
  • What about usage with tablets and mobile phones? In the short term laptops will be used to punch, however in the near future it may be deployed in locations with no LAN connection, and a tablet or smartphone would be used as the punch station, then allowing anything to use any phone to do so. I'm not too familiar with MAC addresses and whether one could be obtained from a mobile device, if this solution is still valid for those, then this may be my best option. – forevermetal02 Feb 06 '14 at 21:47
  • Yes, indeed you're right about the use of mobile devices instead of a PC as punching stations. I have dealt with machine-specific restrictions and it is nonsense from the web browser perspective. Only ActiveX can deal with that. +1 for considering the present and future use of mobiles, especially tablets, as business process data input devices. – digitai Feb 08 '14 at 01:00

Is work the only place you want them to be able to clock in from? Do the PCs at work have static IPs? If so, you could limit requests not coming from one of those IPs - you might also be able to filter on MAC addresses.

dsimer
  • For now it would be restricted to computers in the office alone yes, however they do not have static IPs. – forevermetal02 Feb 06 '14 at 21:35
  • Then MAC addresses are the way to go. As stated below, you could use that MAC address to generate the second-step authentication code so only someone logged into that PC could log in with it. – dsimer Feb 06 '14 at 21:50
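A server-side form of the daily access code from Chris Bier's answer, bound to an enrolled device identifier as dsimer suggests in the comment above. This is an added example in Python rather than the page's PHP, not code from either poster; the secret, the enrollment table and the MAC addresses are constructed.

```python
import hashlib
import hmac

# Constructed server-side secret; in a deployment load it from configuration, not source.
SERVER_SECRET = b"constructed-example-secret-change-me"

# Constructed enrollment table: which device identifiers (MAC addresses here)
# belong to which user's punch station(s).
ENROLLED = {
    "alice": ["00:11:22:33:44:55"],
    "bob": ["66:77:88:99:AA:BB"],
}


def daily_code(secret, device_id, day, digits=6):
    """Derive the punch code for one enrolled device on one calendar day.

    day is an ISO date string such as '2014-02-06'. The code is an HMAC over
    the day and the device identifier, truncated HOTP-style (RFC 4226) to a
    short numeric string a kiosk can display. Without the secret nobody can
    compute it, and it depends on both the day and the device.
    """
    msg = f"{day}|{device_id.lower()}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_punch_code(secret, enrolled, user, submitted, day):
    """Accept a submitted code only if it is today's code for a device
    enrolled to this user. Comparison is constant-time, and every enrolled
    device is tried so timing does not reveal which one matched."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    ok = False
    for device_id in enrolled.get(user, ()):
        expected = daily_code(secret, device_id, day)
        if hmac.compare_digest(expected, submitted):
            ok = True
    return ok
```

As the comment thread notes, a code a person can read can also be phoned to a colleague; binding it to an enrolled device narrows where it can be obtained, not who types it in.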

I've done something similar with a timeclock application.

I check the user's IP for one of our LAN IPs (e.g. 192.168.?.?), as there shouldn't be any public IPs in that range. If it's a valid LAN IP, then they can clock in/out. If it's not, then they can't clock in/out, but can still check their hours.

This might not be viable for your situation though, depending on the requirements you're wanting computers to meet to be able to clock in/out.

Samutz

There is no way for you to rely only on client info from the request (like IP, cookie, browser version, etc.) to validate your permissions. So my suggestion is for you to rely on client device information like disk serial number, device serial number, etc. The problem with this approach is how to get that info.

As you said that this is a software for a company I would do the following steps.

1 - Develop an applet to get specific client device info (device serial id, hard disk serial id, motherboard serial id, etc.)
1.a - You will have to identify the device and map a possible specific info. Like if it is a computer you get the hard disk serial number; if it is a cell phone you would have to know which operating system it is and get the device serial number
2 - In order for this applet to work with those permissions you will have to create a certificate and the user must accept it (since it is a company it shouldn't be a problem)
3 - A database structure to support this, just as an example would be: User, device_type, device (with fk to device_type), user_device (which is an n-m table)
4 - And from that first model you can go crazy about permissions like:
4.a - to have a table user_device_permission with another table permission and from that a table user_device_permission_time (which would specify the times that on a specific device a user can do some specific thing)

Jorge Campos
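The schema from steps 3 and 4 as SQLite DDL with the permission lookup a punch request would run, as an added example in Python (not Jorge Campos's code). Table names follow the answer; column names and the sample rows are constructed.

```python
import sqlite3

# Tables named as in steps 3 and 4 of the answer; column names are constructed.
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE device_type (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE device (id INTEGER PRIMARY KEY,
    device_type_id INTEGER NOT NULL REFERENCES device_type(id),
    serial TEXT NOT NULL UNIQUE);                -- serial reported by the applet
CREATE TABLE user_device (                       -- n-m: who may use which device
    user_id INTEGER NOT NULL REFERENCES user(id),
    device_id INTEGER NOT NULL REFERENCES device(id),
    PRIMARY KEY (user_id, device_id));
CREATE TABLE permission (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE user_device_permission (id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL, device_id INTEGER NOT NULL,
    permission_id INTEGER NOT NULL REFERENCES permission(id),
    FOREIGN KEY (user_id, device_id) REFERENCES user_device(user_id, device_id));
CREATE TABLE user_device_permission_time (       -- daily window for one grant
    user_device_permission_id INTEGER NOT NULL REFERENCES user_device_permission(id),
    start_time TEXT NOT NULL, end_time TEXT NOT NULL);   -- 'HH:MM', 24h clock
"""
# Constructed sample data: alice may punch from the PC with serial S-1, 08:00-18:00 only.
SAMPLE_DATA = """
INSERT INTO user VALUES (1, 'alice');
INSERT INTO device_type VALUES (1, 'pc');
INSERT INTO device VALUES (1, 1, 'S-1');
INSERT INTO user_device VALUES (1, 1);
INSERT INTO permission VALUES (1, 'punch');
INSERT INTO user_device_permission VALUES (1, 1, 1, 1);
INSERT INTO user_device_permission_time VALUES (1, '08:00', '18:00');
"""

def open_db():
    """In-memory database with foreign keys enforced (SQLite leaves them off by default)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA + SAMPLE_DATA)
    return con

def may_punch(con, user, serial, hhmm):
    """True only if this user, on the device with this serial, holds a 'punch' grant
    whose time window covers hhmm. Unknown users or devices simply find no row."""
    row = con.execute("""
        SELECT 1 FROM user_device_permission udp
        JOIN user u ON u.id = udp.user_id
        JOIN device d ON d.id = udp.device_id
        JOIN permission p ON p.id = udp.permission_id
        JOIN user_device_permission_time t ON t.user_device_permission_id = udp.id
        WHERE u.name = ? AND d.serial = ? AND p.name = 'punch'
          AND ? BETWEEN t.start_time AND t.end_time LIMIT 1""",
        (user, serial, hhmm)).fetchone()
    return row is not None
```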