How to grant exclusive access to a web service from just those PCs?
July 17, 2007 8:41 AM

Using PHP/MySQL/JavaScript: I need a way to grant exclusive access to a web service from just 2 or more PCs sharing the same public IP address, which is dynamically assigned by the ISP; I can set up these PCs as needed, and I must make sure an outside PC has no access to the web service. The PCs run Windows XP.

I can code the web service as needed. I can hack the allowed PCs as needed.

The allowed PCs are on the same subnet with local IP 192.168.2.x, and the public IP is the same for every PC in the place, but the problem is that it's dynamically assigned by the ISP.

I can require users of the allowed PCs to use a particular browser set up by me in some way, also in kiosk mode if necessary. The PCs are equipped with Windows XP.

It's OK if every PC in the local network has access to the web service, but this is not a requirement: only some PCs "must" have access to the web service; I don't care about the other ones in the network. PCs outside the network must have no access to the web service.

I need an idea or suggestions to accomplish this: it does not have to be an unhackable, bulletproof system, just a quick hack to set up in a few hours or a day, which could give users the feeling they cannot access the web service from any PC other than those provided on that network.

A possible solution: writing a small batch file which, on every boot, writes a special cookie in the browser folder of every allowed PC; server-side, the PHP script would check the data in the cookie against what I know should be there, and if it matches, allow access.

If some of you can think of easier or more reliable solutions, I'm here waiting.

Thanks
posted by lion to Computers & Internet (6 answers total) 1 user marked this as a favorite
 
How about requiring client certificates?
posted by uandt at 8:52 AM on July 17, 2007


Client certificates are the right way to restrict access to a certain PC. I know how to do this on IIS, and this should get you started with the Apache side.
posted by mrbugsentry at 8:56 AM on July 17, 2007


Damn. 10 seconds late.
posted by mrbugsentry at 8:56 AM on July 17, 2007


mrbugsentry, would you mind posting a quick primer on the IIS version (or just a link)? Thanks.
posted by yerfatma at 1:07 PM on July 17, 2007


Response by poster: As I said in the question, I needed a quick hack to accomplish the task, so even if the certificate solution can be explored it requires too much study and work for the actual requirements.

The suggestion to check the User-Agent, changing it on the browsers that will be used on the allowed PCs and filtering with the "Allow From" rule in .htaccess, is a nice quick solution: hackable, of course, but it works well for the limited amount of time I'll need it.

With more time, I'll dig into the certificates method.
Thank you
posted by lion at 4:17 PM on July 17, 2007


yerfatma,

This article hits the high points:
http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html

- Get your website working over SSL (meaning get a cert for the server)
- Get a cert for the client (buy one or issue it from your own CA)
- Make sure the CA that issued the client cert is in the trusted root store on the server. Any cert issued by a trusted authority will be accepted by default
- Set the site to require client certificates
- If you want to restrict access to only certs issued by a particular authority, configure a CTL:
  http://support.microsoft.com/kb/313071

posted by mrbugsentry at 8:59 AM on July 18, 2007 [1 favorite]
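
The "issue it from your own CA" and "restrict access to a particular authority" steps above, as an added example that is not part of the original thread or anyone's posted code: a private CA issues a client certificate for one allowed PC, and the check a server makes at handshake time accepts it while rejecting a certificate issued by a different CA. It assumes the `openssl` command-line tool is installed; the names `kiosk-ca`, `kiosk1`, `some-other-ca` and `outsider` are constructed for illustration.

```shell
#!/bin/sh
# Added example: private CA + client certificates for a few allowed PCs.
# All names and paths here are constructed; nothing comes from the thread.

make_ca() {            # $1 = directory, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {  # $1 = CA directory, $2 = client name
  # Key + signing request for the client, then sign the request with the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# The trust decision the server makes when a client presents a certificate:
# does it chain to the single CA we chose to trust?
accepts() {            # $1 = trusted CA cert, $2 = client cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  ours=$(mktemp -d) && other=$(mktemp -d) || return 1
  make_ca "$ours" kiosk-ca && issue_client_cert "$ours" kiosk1 || return 1
  make_ca "$other" some-other-ca && issue_client_cert "$other" outsider || return 1
  result=""
  for cert in "$ours/kiosk1.crt" "$other/outsider.crt"; do
    if accepts "$ours/ca.crt" "$cert"; then verdict=accepted; else verdict=rejected; fi
    result="$result$(basename "$cert" .crt)=$verdict "
  done
  rm -rf "$ours" "$other"
  echo "${result% }"
}

demo
```

On Apache with mod_ssl, the same trust decision is configured by pointing `SSLCACertificateFile` at the CA certificate and setting `SSLVerifyClient require`. The demo creates the client key next to the CA key for brevity; in a real deployment the CA key stays off the client PCs.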

