On Sun, Jun 06, 2010 at 08:31:22PM -0500, Skip Evans wrote:
> Hey all,
>
> I'm familiar with setting cookies in PHP and using REMOTE_ADDR
> to get a visitor's IP address (or that of their gateway), but
> not quite sure how to implement a robust mechanism that would
> limit a user to logging in from only two different machines, a
> requirement this client has on the project.
>
> I'd greatly appreciate hearing from people who have done this
> or something similar, or suggestions people might have that
> would give that oh so familiar, "D'oh!" moment.
>
> I have some ideas sketched out, setting cookies, etc, but not
> sure how robust they'd be.

As Ash said, this has been discussed recently on the list. Mostly the answer was, "Yes, but you could hack that system...." How much that matters depends on what you're protecting.

Obviously, you have to ask the user for a username and password. Hash the password and compare it to the hash stored when the user originally registered. When logging in, the login routine should also store an IP and browser ID. Store this information in a cookie, and recall it when the user tries to access another page on the site. (Don't store the password in the cookie.) If the user ID, IP and browser ID don't match, make them log in again. And of course, set a time limit on the cookie.

Yes, you can hack the IP. Yes, you can hack the browser ID. So again, it depends on what you're trying to allow access to. But a system such as the above should suffice for most applications.

If your needs are so stringent that such a system wouldn't work, you may find yourself asking extra security questions at login, storing a random hash in the database and in a cookie (with a time limit on it), logging all access attempts, and comparing the hash in the database with the cookie hash at each page access. Perhaps even generating a new hash at each page access. And even then....

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
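The stronger scheme Paul sketches at the end of his reply (a random hash kept in the database and in a time-limited cookie, compared on every page access against the IP and browser ID recorded at login, and regenerated each time), written out as an added PHP example; this is not code from the thread, and the table layout, function names and the in-memory SQLite database are assumptions made to keep it self-contained.

```php
<?php
// Added example; table and function names are assumed, SQLite in memory keeps it runnable.
const SESSION_TTL = 900; // seconds of inactivity before a token expires

function openDb(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
    $db->exec('CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER,
                                      ip TEXT, browser_id TEXT, expires INTEGER)');
    return $db;
}
// Only the password hash is stored; password_verify() checks it at login.
function register(PDO $db, string $name, string $password): void {
    $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)')
       ->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}
// "Browser ID" = hash of the User-Agent header. The client chooses it, so it is
// a second check beside the random token, not proof of identity.
function browserId(string $ua): string { return hash('sha256', $ua); }

// Login: verify the password, then issue a random token that is stored server-side
// and handed to the browser as the cookie value (send it with setcookie(), HttpOnly, with an expiry).
function login(PDO $db, string $name, string $pw, string $ip, string $ua): ?string {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pw, $row['pw_hash'])) return null;
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?, ?)')
       ->execute([$token, $row['id'], $ip, browserId($ua), time() + SESSION_TTL]);
    return $token;
}
// Per-page check: the cookie token must exist, be unexpired and match the IP and
// browser ID recorded at login. On success it is replaced; the new token is returned.
function checkAccess(PDO $db, string $token, string $ip, string $ua): ?string {
    $st = $db->prepare('SELECT user_id FROM sessions
                        WHERE token = ? AND ip = ? AND browser_id = ? AND expires > ?');
    $st->execute([$token, $ip, browserId($ua), time()]);
    if ($st->fetch() === false) return null;   // mismatch or expired: make them log in again
    $new = bin2hex(random_bytes(32));
    $db->prepare('UPDATE sessions SET token = ?, expires = ? WHERE token = ?')
       ->execute([$new, time() + SESSION_TTL, $token]);
    return $new;
}
// Constructed walk-through, not real traffic.
$db = openDb();
register($db, 'skip', 'correct horse');
$t1 = login($db, 'skip', 'correct horse', '203.0.113.7', 'Mozilla/5.0 (X11)');
$t2 = checkAccess($db, $t1, '203.0.113.7', 'Mozilla/5.0 (X11)');            // fresh token
var_dump(checkAccess($db, $t1, '203.0.113.7', 'Mozilla/5.0 (X11)'));        // NULL: old token retired
var_dump(checkAccess($db, $t2, '198.51.100.9', 'Mozilla/5.0 (X11)'));       // NULL: IP changed
```

The two-machine limit from the original question can be layered on top: at login, count the distinct (ip, browser_id) pairs already in `sessions` for that user and refuse a third, accepting that, as Paul notes, both values are under the client's control.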