How to grant exclusive access to a web service from just those PCs?
July 17, 2007 8:41 AM

Using PHP/MySQL/JavaScript: I need a way to grant exclusive access to a web service from just 2 or more PCs sharing the same public IP address, which is dynamically assigned by the ISP; I can set up these PCs as needed, and I must make sure an outside PC has no access to the web service. The PCs run Windows XP.

I can code the web service as needed. I can hack the allowed PCs as needed.

The allowed PCs are on the same subnet with local IP 192.168.2.x, and the public IP is the same for every PC in the place, but the problem is that it's dynamically assigned by the ISP.

I can require users of the allowed PCs to use a particular browser set up by me in some way, also in kiosk mode if necessary. The PCs are equipped with Windows XP.

It's ok if every PC in the local network has access to the web service, but this is not a requirement: only some PCs "must" have access to the web service, I don't care for the other ones in the network. PCs outside the network must have no access to the web service.

I need an idea or suggestions to accomplish this: it does not have to be an unhackable, bulletproof system, just a quick hack to set up in a few hours or a day, which could give users the feeling they cannot access the web service from any PC other than those provided on that network.

A possible solution: writing a small batch file which, on every boot, writes a special cookie in the browser folder of every allowed PC; server-side, the PHP script would check the data in the cookie against what I know should be there, and if congruent, allow access.

If some of you can think of easier or more reliable solutions, I'm here waiting.

Thanks
posted by lion to Computers & Internet (8 answers total) 1 user marked this as a favorite
 
Why not simply use the authentication capabilities of your web server? If it's apache, you can use .htaccess and .htpasswd files. Search for implementation specifics, but it's fairly easy.

The local IP addresses on the user's network aren't going to matter at all, since they're NAT'ed to a single public address. If you don't want to use traditional authentication, you can use the Allow From directive and specify an IP address or domain name.

Since the IP changes every now and then, you'll need to set up an account with DynDNS or another similar service. This maps your dynamically-assigned IP to an unchanging domain name. The mapping is traditionally accomplished by a service running on one of the PCs in your network that will always be on.
posted by odinsdream at 8:47 AM on July 17, 2007


Oh, I wasn't aware, but you should also check out the bit on the Allow From page that talks about UserAgent strings. If you can customize their browsers to send a custom user agent (which is possible with extensions on Firefox), you can restrict it to only specific computers within the target LAN. Cool stuff.
posted by odinsdream at 8:49 AM on July 17, 2007


How about requiring client certificates?
posted by uandt at 8:52 AM on July 17, 2007


Client certificates are the right way to restrict access to a certain PC. I know how to do this on IIS, and this should get you started with the Apache side.
posted by mrbugsentry at 8:56 AM on July 17, 2007


Damn. 10 seconds late.
posted by mrbugsentry at 8:56 AM on July 17, 2007


mrbugsentry, would you mind posting a quick primer on the IIS version (or just a link)? Thanks.
posted by yerfatma at 1:07 PM on July 17, 2007


As I said in the question, I needed a quick hack to accomplish the task, so even if the certificate solution can be explored it requires too much study and work for the actual requirements.

The suggestion to check the User-Agent and change it on the browsers that will be used on the allowed PCs, filtering with the "Allow From" rule in .htaccess, is a nice quick solution, hackable of course but working well for the limited amount of time I'll need it.

With more time, I'll dig into the certificates method.
Thank you
posted by lion at 4:17 PM on July 17, 2007
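
The two Apache approaches discussed in this thread, side by side, as an added example that is not part of any poster's comment: the User-Agent gate via `Allow from env=` and the client-certificate requirement. The User-Agent token, hostname and file paths are constructed placeholders, and the directives are Apache 2.2-style (on 2.4 the Order/Deny/Allow lines need mod_access_compat).

```apache
# Added example, not from the thread. All names and paths are placeholders.

# --- Option 1: the quick hack (.htaccess in the protected directory) ---
# Needs "AllowOverride FileInfo Limit" for this directory in the server config.
# Tag requests whose User-Agent contains the custom token, then allow only
# tagged requests. The header is chosen by the client, so this hides the
# service from casual visitors but does not authenticate the PC.
SetEnvIf User-Agent "KioskBrowser-7f3a" allowed_kiosk
Order Deny,Allow
Deny from all
Allow from env=allowed_kiosk

# --- Option 2: client certificates (virtual host in the server config) ---
# Each allowed PC gets a certificate issued by a private CA and imported
# into its browser; the server refuses the TLS handshake without one.
<VirtualHost *:443>
    ServerName service.example.com
    DocumentRoot /var/www/service

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust only the private CA for client certificates, so certificates
    # from public CAs are not accepted.
    SSLCACertificateFile  /etc/apache2/ssl/kiosk-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Directory "/var/www/service">
        # Refuse any request that arrives over plain HTTP.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

With option 2 the PHP application can also read the verified subject from the `SSL_CLIENT_S_DN` environment variable if `SSLOptions +StdEnvVars` is enabled.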


yerfatma,

This article hits the high points:
http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html

- Get your website working over SSL (meaning get a cert for the server)
- Get a cert for the client (buy one or issue it from your own CA)
- Make sure the CA that issued the client cert is in the trusted root store on the server. Any cert issued by a trusted authority will be accepted by default
- Set the site to require client certificates
- If you want to restrict access to only certs issued by a particular authority, configure a CTL:
http://support.microsoft.com/kb/313071

posted by mrbugsentry at 8:59 AM on July 18, 2007 [1 favorite]

