How to restrict website accessing, if user is on remote device and not on a work computer? (work time tracker app)

Question

I would like to make a PHP website, where employees can log in/out themselves and these logs will count as a time when they started and ended their working day. I would like to allow them to do that only on their work computer and not for example on their phone while they are still on the way, but they want to avoid "being late".

So I'm struggling with a few ideas, but any of them seems to be the right solution.

1. Allow using the website only for specific IP addresses. But then I realized that in our place IP address is dynamic and changing it for static costs too much in our area.

2. Check user location. But then I saw that when I'm checking my public IP address, the location is completely wrong! Our building isn't even close to the loaded area.

3. Using a COOKIE/token on a work computer. But it's very easy to set the same cookie on your own device and I'm not the only IT employee here.

4. Checking MAC address. As I read here it's possible only in specific cases.

5. Block access for mobiles. But detecting a mobile is based on browser and if the user click "Request Desktop Site" scripts will say that's a computer.

Is there another method, which I can use to achieve my goal? Am I missing something? May I bind my app for example with some other technologies that will allow me to do that? Or maybe I should try a combination of all of them?

I couldn't find any script, which would take care of that. In the worst case it doesn't have to be "perfectly secure", but I would like to be it at least hard, annoying, or time-consuming to try to "cheat" in this system.

Answer 1

Ideally, if what you actually want to track is when employees are in the workplace and logged on / for how long, it would be probably better to just track local machine-logins via a domain controller - a method reachable from the internet is suboptimal exactly for the reasons you mentioned.

If you have an intranet which users cannot tunnel into but can access from their work machines, I'd say hosting your login-page only inside that intranet is the easiest way to achieve what you want with the methods you suggest.

Alternatively, if employee work-machines use windows under a domain controller - you can restrict access to Windows certificate-storage, then install/push a certificate and require that to be present via your server-configuration. In that case, it doesn't matter if the website is accessible from the internet. I'm sure there are similar solutions if work-machines are not on Windows.

This admittely old question gives some pointers in the right direction on how to require client certificates from a Webserver (IIS in that case).

Answer 2

I would run your app in the office LAN. Nobody will be able to access it from outside except if they can do remote desktop to the office computer or if they have VPN. But if you are in the IT team you may could fix IP ranges for the office computers so that you could exclude the VPN.

In terms of security, in any case it may be better having it running in your LAN. I'm sure you've got a server somewhere and if it's not the case then you could use a NAS (Synology offers NGINX, Apache, PHP and much more) or a little Rasperry Pie or something similar.

If you haven't got a fixed IP, you could also use DynDNS and have it mapped to a sub-domain such as company-name.dyndns.org and then on your PHP app you could have a cron job that gets the IP address from the domain name and updates it every minutes (I'm sure it's quickly run). It could then store it inside a config file, this way:

<?php

define('ALLOWED_IP_FILE', 'allowed-ips.inc.php');

$ALLOWED_DOMAINS = [
    'your-company.dyndns.org',
    'you-at-home.dyndns.org',
];

$allowed_ips = [];

foreach ($ALLOWED_DOMAINS as $allowed_domain) {
    $ip = gethostbyname($allowed_domain);
    if ($ip !== $allowed_domain) {
        // Store with the IP in the key and value for ease when checking the IP validity.
        $allowed_ips[$ip] = $ip;
    } else {
        fprintf(STDERR, "ERROR: Could not find the IP of $allowed_domain!\n");
    }
}

$allowed_ips_export = var_export($allowed_ips, true);
$config_file_content = <<<END_OF_CONFIG
<?php
// Don't edit! This config file is generated by cron-ip-address.php.
\$ALLOWED_IPS = $allowed_ips_export;

END_OF_CONFIG;

if (file_put_contents(ALLOWED_IP_FILE, $config_file_content) === false) {
    fprintf(STDERR, 'ERROR: Could not write config file ' . ALLOWED_IP_FILE . "\n");
}

This generates a config file to include in your app. Example of content generated if you run the script I wrote above:

<?php
// Don't edit! This config file is generated by cron-ip-address.php.
$ALLOWED_IPS = array (
  '142.250.203.99' => '142.250.203.99',
  '23.201.250.169' => '23.201.250.169',
);

Now, in your app, just include it and test the presence of the IP in the $ALLOWED_IPS array:

<?php

include ALLOWED_IP_FILE; // If this is declared in a common config file.
// include 'allowed-ips.inc.php'; // If you haven't got a common config file.

if (!isset($ALLOWED_IPS[$_SERVER['REMOTE_ADDR']])) {
    http_response_code(403);
    die('Sorry, you cannot access it from here.');
}