On July 26, 2011 19:36 , Anurag Kapur <anuragkapur@xxxxxxxxx> wrote:
I am looking for ways of detecting a specific mobile device (example: my iPhone and not my friends) accessing a resource on my publicly accessible Apache web server so that I can restrict access to certain devices only.Just like there are ways of detecting the user agent and IP address of the device where the request originates from and restricting access accordingly, is there a way to do something similar for an iPhone for example, connected to 3G network (not wifi)?
The type of network doesn't make a difference, unless you're basing device identification on a device's MAC address on a local area network. Even then, MAC addresses can be spoofed.
I'm not aware of anything intrinsic to the iPhone -- or any other client -- that uniquely identifies the device. And even if there was something, you would not be able to rely on it since malicious clients/devices (e.g., your friends') could simply lie about it. This is (in part) why you can't rely on user agent or IP address to identify devices.
The standard solution in this sort of situation is for you to set up your web server to require end user authentication. You would then visit the web page using your device, and enter your username and password. Your web server could then set a cookie in your device's web browser that would be sent on every request that your device makes to your web server, and you would not be have to authenticate again until the cookie expired.
Another solution is to use SSL client certificates. This gets around the need for usernames, passwords, and cookies, but it requires you to use HTTPS for restricted content (which is a good thing to do, even if you're not using SSL client certificates). Configure Apache HTTP Server to require client certificates for restricted content, generate a certificate, and load the certificate onto your iPhone. Your web server will then be able to uniquely identify your iPhone and differentiate it from all other devices. If the private key for your certificate is somehow stolen (which is unlikely unless you leave it lying around), you can revoke the old certificate, generate a new private key, and obtain a new certificate.
-- Mark Montague mark@xxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx