6

I have a web app that will be running n several specific target machines. I could have the user select which machine he is on when he logs in, but that is prone to error. Is there a way I can get some unique ID from each PC, store those in a database on my server and then when someone logs in from a particular machine, identify that machine? I thought of IP address but those might change as well due to the nature of our deployment. But is is critical that I know which machine the system is running on.

Note: I am not trying to determine the machine code of a web user's machine as that would be a privacy violation. I KNOW my machines so I was wanting to tie them to the database somehow. This also acts as security for me as I can reject logins from unknown machines.

Thanks for any ideas. I am running Apache with Code Igniter 3 and Centos 6.5

Doug Wolfgram
  • 2,064
  • 4
  • 27
  • 42
  • Not specific to php, but general ways are discussed [here](http://stackoverflow.com/a/23374664/782094) – PCoder Jul 04 '14 at 05:01

5 Answers5

5

It's not possible without a client component, browser plugin or something similar. The closest alternatives are:

  • using cookies;
  • using client certificates;
  • using browser fingerprinting;

each with their own disadvantages.

Robby Cornelissen
  • 91,784
  • 22
  • 134
  • 156
3

You could use this as a computer ID:

$computerId = $_SERVER['HTTP_USER_AGENT'].$_SERVER['LOCAL_ADDR'].$_SERVER['LOCAL_PORT'].$_SERVER['REMOTE_ADDR'];

It's not completely fool proof, as the values of $_SERVER can be faked, however it will still add an extra layer of security that does not rely on cookies.

Dan Bray
  • 7,242
  • 3
  • 52
  • 70
  • 2
    The only two values relating to the client in your answer are `HTTP_USER_AGENT` and `REMOTE_ADDR`. For an internal deployment, using the remote address as an identifier only makes sense if all machines have a fixed IP address. For an external deployment, potentially thousands of machines could be using the same public IP address. As for the user agent, not only is it easy to spoof, but corporate deployments will often require users to use a particular browser on a particular OS, rendering all the user agent strings identical. Even if this is not the case, using it as identifier is a bad idea. – Robby Cornelissen Mar 16 '17 at 02:17
  • As I said, it's not completely fool proof. Any suggestions how I can improve my answer, without relying on cookies? – Dan Bray Mar 16 '17 at 02:26
  • I think the available options are listed in my answer. I'm currently not aware of other approaches... – Robby Cornelissen Mar 16 '17 at 02:34
1

The first time a user hits your site, identify their machine by IP address. Then set a persistent cookie with a unique identifier of your choosing.

The next time they come to the site, you can identify them by the unique identifier cookie that you set previously.

Matt Johnson-Pint
  • 230,703
  • 74
  • 448
  • 575
  • Until they clear cookies. That won;t work. I I don;t want to track all users. i want to know which of MY specific machines is connected. – Doug Wolfgram Jul 04 '14 at 13:57
0

I would either

use a value like bin2hex(openssl_random_pseudo_bytes(512)) and set it as a cookie and then check for the cookie

or

use IP based logging like (127.0.0.1) has typed hello

or

MAC Addresses (php libraries for it)

JB567
  • 1
0

You can even try getting the MAC Address:

Use this class (https://github.com/BlakeGardner/php-mac-address)

This is a PHP class for MAC address manipulation on top of Unix, Linux and Mac OS X operating systems. it was primarily written to help with spoofing for wireless security audits.

Guns
  • 2,678
  • 2
  • 23
  • 51
  • 2
    The class you're referring to serves an entirely different purpose. No current browser sends the network interface's MAC address in an HTTP request. – Robby Cornelissen Jul 04 '14 at 05:02