On Sun, 2010-06-06 at 20:31 -0500, Skip Evans wrote:
> Hey all,
>
> I'm familiar with setting cookies in PHP and using REMOTE_ADDR
> to get a visitor's IP address (or that of their gateway), but
> not quite sure how to implement a robust mechanism that would
> limit a user to logging in from only two different machines, a
> requirement this client has on the project.
>
> I'd greatly appreciate hearing from people who have done this
> or something similar, or suggestions people might have that
> would give that oh so familiar, "D'oh!" moment.
>
> I have some ideas sketched out, setting cookies, etc, but not
> sure how robust they'd be.
>
> Big Thanks!
> Skip
>
> --
> ====================================
> Skip Evans
> PenguinSites.com, LLC
> 503 S Baldwin St, #1
> Madison WI 53703
> 608.250.2720
> http://penguinsites.com
> ------------------------------------
> Those of you who believe in
> telekinesis, raise my hand.
> -- Kurt Vonnegut
>

Is this two machines at the same time, or two machines ever? I don't think there's any way you can guarantee either, unless you supply them with some form of closed binary that they are forced to use either instead of or with the browser, i.e. a Java applet, etc.

A similar question to this came up on the list not so long ago, and there was no real conclusion at the end other than it can't really be done. Cookies can be deleted, IP addresses change all the time (either deliberately, by some proxy, or even by the ISP itself issuing a dynamic IP address), and even the MAC address (if you found a way to get at it) can change.

About the only thing I've seen that might help was a device made for the Bloomberg stock market system, which was a small credit-card sized object which would read in a random pattern of flashes from the screen and produce a unique ID number which was then keyed back into the system. By relying on a physical dongle you can pretty much guarantee that a user is only on one system, but the project obviously becomes much more costly and complicated.

If you do go the cookie route, maybe gather a bunch of information to store on the server against that cookie and the user. If the cookie is not detected the next time the user goes to log in, maybe force them to send an email requiring a manual unlock, and make them give a reason for either why the cookie was removed, or why the computer information has changed beyond the two computer profiles you've got stored for them.

It's not foolproof, but might show your client why this isn't something that can be easily done, and is not something that should be decided on lightly, as there are many valid and genuine reasons why somebody might want to use more than two computers (i.e. they had a fire and lost those computers, they rebuilt a computer with a new OS, they upgraded the computer, a computer was stolen and needed to be replaced, they are away from their computer and had to use a public access one, etc. The list can go on and on.)

Thanks,
Ash
http://www.ashleysheridan.co.uk
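The cookie-plus-profile approach Ash sketches (a device cookie, a server-side record of what each machine looked like, and a manual unlock once the user runs out of slots) can be written down concretely. The following is an added illustration, not code from anyone on the thread; it assumes PHP 7.3 or later (for random_bytes, hash_equals and the options form of setcookie), a hypothetical per-user device list represented here as a plain array standing in for a database table, and a two-device limit. Only the SHA-256 of the cookie token is stored server-side, so a copy of the table does not yield usable cookies, and the header-derived profile is treated purely as corroboration, since those headers are client-controlled and change on every browser upgrade.

```php
<?php
// Added example: device-binding check for a "two machines per user" policy.
// Assumes PHP >= 7.3. $profiles stands in for the user's row(s) in a DB.

const MAX_DEVICES = 2;

// Coarse profile of the client built from request headers. These values are
// attacker-controllable and drift over time (browser updates, ISP-assigned
// addresses), so they only corroborate the cookie; they never authenticate
// on their own.
function device_fingerprint(array $server): string
{
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        $server['REMOTE_ADDR'] ?? '',
    ];
    return hash('sha256', implode("\n", $parts));
}

// $profiles: list of ['token_hash' => sha256(cookie token),
//                     'fingerprint' => device_fingerprint at registration,
//                     'registered'  => unix time].
// Returns ['status' => 'ok'|'registered'|'locked', ...]. When a new device is
// registered the plaintext token is returned once so it can be set as a cookie.
function check_device(array &$profiles, ?string $token, string $fingerprint): array
{
    if ($token !== null) {
        $tokenHash = hash('sha256', $token);
        foreach ($profiles as $i => $p) {
            // Constant-time compare so timing does not leak which slot matched.
            if (hash_equals($p['token_hash'], $tokenHash)) {
                if (hash_equals($p['fingerprint'], $fingerprint)) {
                    return ['status' => 'ok', 'device' => $i];
                }
                // Known cookie presented from a machine that no longer matches
                // its stored profile: route to the manual-unlock flow.
                return ['status' => 'locked', 'reason' => 'profile_changed'];
            }
        }
    }

    // Missing or unrecognised cookie: register the machine if a slot is free,
    // otherwise the user must go through the manual-unlock flow.
    if (count($profiles) >= MAX_DEVICES) {
        return ['status' => 'locked', 'reason' => 'device_limit'];
    }

    $newToken = bin2hex(random_bytes(32)); // 256-bit random device token
    $profiles[] = [
        'token_hash'  => hash('sha256', $newToken),
        'fingerprint' => $fingerprint,
        'registered'  => time(),
    ];
    return ['status' => 'registered', 'token' => $newToken];
}

// Set the device cookie with the flags that keep it off the wire in clear
// text and out of reach of page scripts.
function issue_device_cookie(string $token): void
{
    setcookie('device', $token, [
        'expires'  => time() + 365 * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed walk-through (no real users or addresses): two machines register,
// a third is refused, and the first machine is recognised again by its cookie.
$profiles = [];
$fpA = device_fingerprint(['HTTP_USER_AGENT' => 'Firefox/3.6', 'HTTP_ACCEPT_LANGUAGE' => 'en-US', 'REMOTE_ADDR' => '192.0.2.10']);
$fpB = device_fingerprint(['HTTP_USER_AGENT' => 'MSIE 8.0',    'HTTP_ACCEPT_LANGUAGE' => 'en-US', 'REMOTE_ADDR' => '198.51.100.7']);
$fpC = device_fingerprint(['HTTP_USER_AGENT' => 'Safari/533',  'HTTP_ACCEPT_LANGUAGE' => 'en-GB', 'REMOTE_ADDR' => '203.0.113.5']);

$first  = check_device($profiles, null, $fpA);          // first machine, no cookie yet
$second = check_device($profiles, null, $fpB);          // second machine
$third  = check_device($profiles, null, $fpC);          // third machine, no free slot
$again  = check_device($profiles, $first['token'], $fpA); // first machine returns with its cookie

foreach (['first' => $first, 'second' => $second, 'third' => $third, 'again' => $again] as $label => $r) {
    printf("%-6s %s%s\n", $label, $r['status'], isset($r['reason']) ? " ({$r['reason']})" : '');
}
```

In a real login handler the token would come from $_COOKIE['device'], the fingerprint from $_SERVER, and the profile list from the authenticated user's row; on a 'registered' result call issue_device_cookie() with the returned token, and on 'locked' send the user to the email-based unlock Ash describes rather than silently evicting an older device. The limits Ash lists still apply: a deleted cookie or a rebuilt machine looks identical to a genuinely new one, so the value of this check is in logging and forcing a human decision, not in proving which physical computer made the request.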