-1

Let's say I have a table of food items to bring to a lunch on a very simple web page. I don't want there to be login, but I would like there to be some smartness to my app.

Let's say a user puts in a food item. Other than a login, couldn't I use the IP address to do things like: only the user that created the record at the same IP address can edit this record. Something like that.

I was thinking one more step toward a login, have a single text box where a user can put initials.

This way the first person to suggest bringing an item can be happy to know their todo for the lunch is done and can't be "overwritten".

That's it!

Pros and cons, welcomed! This is more of a helper app than a formal thing, like to help around the office of local users.

NineBerry
Rod
  • Why is this tagged with both JavaScript and C#? – Dai Mar 02 '17 at 00:51
  • 5
    Don't use an IP address to identify users: the same user can have multiple addresses in the same session (mobile users, and wi-fi hopping), and multiple users can share the same IP address (e.g. NAT) – Dai Mar 02 '17 at 00:52
  • Oops, I didn't mean to restore my old title – Rod Mar 02 '17 at 00:59
  • Dai is right, multiple users have the same IP address. Try to use the MAC address then – KiRa Mar 02 '17 at 01:01
  • 1
    @KiRa A web application usually cannot see the MAC address of the client (only in a very small local network scenario) – NineBerry Mar 02 '17 at 01:03
  • I forgot about that! Thanks. And sorry everyone for messing up the edits just now. On my mobile and using stack exchange app. Not sure how that happened. – Rod Mar 02 '17 at 01:04
  • @NineBerry I didn't try on mobile yet but on PC it's working. But just like Berin said `Even using a Mac address is problematic since some people know how to spoof Mac addresses` – KiRa Mar 02 '17 at 01:11
  • @KiRa No, you cannot see the MAC address of a visitor unless both computers are in the same local network. See also http://stackoverflow.com/questions/3454858/how-to-get-client-mac-address-by-a-access-on-a-website – NineBerry Mar 02 '17 at 01:13
  • 1
    Possible duplicate of [How to identify revisiting users without login info](http://stackoverflow.com/questions/14102670/how-to-identify-revisiting-users-without-login-info) – NineBerry Mar 02 '17 at 01:36

1 Answer

1

Authentication and Authorization are separate functions, and I'm drawing the distinction here for a reason.

  • Authentication is the process of positively identifying a user, so you know who they are.
  • Authorization is the process of allowing or preventing that user from accessing parts of the application.

IP addresses can be used to partially identify users, but as @Dai pointed out in his comment, it has problems. Even using a MAC address is problematic since some people know how to spoof MAC addresses. If you can use someone else's authentication service, you can authorize them yourself.

Once you have positively identified a user, you can track them using a randomly generated ID that is good for a session. It is possible to use a cookie to track that ID. If that ID is associated with a Role you can authorize based on that role.

Berin Loritsch
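
The randomly generated ID carried in a cookie, applied to the lunch list from the question, as an added example that is not code from the answer or its author. The in-memory `items` store and all function names are assumptions for illustration; setting and reading the cookie (ideally `HttpOnly`, `Secure`, `SameSite`) is left to the web framework.

```javascript
// Added example: per-browser edit tokens instead of IP addresses.
// All names here are hypothetical; storage is an in-memory Map.
const crypto = require('node:crypto');

const items = new Map(); // itemId -> { name, initials, ownerHash }
let nextId = 1;

// Keep only a hash of the token server-side, so a leaked item table
// does not hand out edit rights.
function hashToken(token) {
  return crypto.createHash('sha256').update(token, 'utf8').digest();
}

// Reuse a well-formed token from the cookie, otherwise mint a new
// 128-bit random one. Never derive it from the IP or the initials.
function ensureToken(cookieValue) {
  if (typeof cookieValue === 'string' && /^[0-9a-f]{32}$/.test(cookieValue)) {
    return cookieValue;
  }
  return crypto.randomBytes(16).toString('hex');
}

// The initials are a display label only; ownership is bound to the token.
function addItem(token, name, initials) {
  const id = nextId++;
  items.set(id, { name, initials, ownerHash: hashToken(token) });
  return id;
}

// Authorization check: does this browser's token own the item?
function canEdit(token, id) {
  const item = items.get(id);
  if (!item || typeof token !== 'string') return false;
  // Both buffers are 32-byte SHA-256 digests, so lengths always match.
  return crypto.timingSafeEqual(hashToken(token), item.ownerHash);
}

function editItem(token, id, newName) {
  if (!canEdit(token, id)) return false;
  items.get(id).name = newName;
  return true;
}
```

Two colleagues behind the same office NAT address get different tokens, so only the creator's browser can change the entry. The token identifies a browser rather than a person: clearing cookies or switching devices loses the edit right.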