I am working at an ISV that is developing a kiosk system with Apache at the core. Considering my many years of software development are in Windows application development, not web development, I am running into some issues with authentication. I am hoping to gain some insight from those of you who understand web development far better than I do.
Initially I thought that since the whole system is a kiosk system, each kiosk would have a different IP address, so I could simply differentiate by IP. Lo and behold, I have customers that use solutions like NComputing, which allow one physical machine to be turned into 4~6 different kiosks, all having the same IP address. So the obvious easy solution is to move to using cookies. The problem I am having is figuring out how exactly to implement it. There are three different issues that need to be implemented:

1: Making sure the browser is one of my kiosk browser applications (right now I am doing this by changing the user agent, but am open to other approaches)
2: Making sure each browser is uniquely identified.
3: Making sure that the number of browsers connected does not exceed the customer's license.

Right now the kiosk browser simply connects to the root of the application, index.php. The Apache module hooks the access checker (ap_hook_access_checker):

A: Checks to see if there is a valid license.
B: Checks the user agent string to see if it is a kiosk browser.
C: Based on the type of license, checks to see how many clients have connected (based on the IP) in the last X seconds.

When using cookies, where should I put the timer? Should I have the Apache module track the last time said cookie connected to the module, or should I simply set the cookie to time out in X seconds and renew it on each request? I am thinking it should work like this:

A: Checks to see if there is a valid license.
B: Check for the cookie.
C: If there is a cookie, check to see if the cookie has expired; if so, continue, otherwise update the system concerning the cookie and return OK.
D: Checks the user agent string to see if it is a kiosk browser.
E: Based on the type of license, check to see how many clients have connected (based on the cookies) in the last X seconds.

Later in the PHP code, I can use the cookie as the unique identifier.

From a security standpoint, is there anything I am missing?
Sam
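Added example, not from Sam's post or his module: the server-side half of steps B, C and E in plain C, kept free of httpd headers so it compiles on its own (check_access, issue_token, window_secs and the fixed table size are assumed names and bounds). It shows the module's own last-seen table, not the expiry attribute of a cookie the client sends back, deciding whether a kiosk still holds a license seat, with the cookie value drawn from the system random source rather than derived from the IP.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_CLIENTS 64   /* tracked tokens; assumed bound */
#define TOKEN_LEN 32     /* 16 random bytes, hex-encoded */
typedef struct { char token[TOKEN_LEN + 1]; time_t last_seen; } client_t;
static client_t clients[MAX_CLIENTS];
static int client_count = 0;
enum verdict { ACCESS_OK = 0, ACCESS_DENIED_LICENSE = 1 };
/* Issue a fresh, unguessable kiosk token (32 hex chars) from /dev/urandom; a
 * counter or the IP would let one kiosk pass for another. 0 on success, -1 if unavailable. */
int issue_token(char out[TOKEN_LEN + 1])
{
    unsigned char raw[TOKEN_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(raw, 1, sizeof raw, f) != sizeof raw) { if (f) fclose(f); return -1; }
    fclose(f);
    for (size_t i = 0; i < sizeof raw; i++) sprintf(out + 2 * i, "%02x", raw[i]);
    return 0;
}
/* Seats in use: tokens the server itself saw within the last window_secs. */
static int active_clients(time_t now, int window_secs)
{
    int n = 0;
    for (int i = 0; i < client_count; i++)
        if (now - clients[i].last_seen <= window_secs) n++;
    return n;
}

/* One access-checker decision for a request whose cookie carries `token` (with no cookie
 * the caller issues one first). Server-side timestamps, not the cookie's expiry, decide. */
enum verdict check_access(const char *token, time_t now, int license_max, int window_secs)
{
    int idx = -1;
    for (int i = 0; i < client_count; i++)
        if (strcmp(clients[i].token, token) == 0) { idx = i; break; }
    /* Step C: a known token still inside the window is the same kiosk; refresh and allow. */
    if (idx >= 0 && now - clients[idx].last_seen <= window_secs) { clients[idx].last_seen = now; return ACCESS_OK; }
    /* Step E: a new or expired token needs a free seat; stale entries do not count. */
    if (active_clients(now, window_secs) >= license_max) return ACCESS_DENIED_LICENSE;
    if (idx < 0) {                       /* first sight of this token: remember it */
        if (client_count >= MAX_CLIENTS) return ACCESS_DENIED_LICENSE;
        idx = client_count++;
        strncpy(clients[idx].token, token, TOKEN_LEN); clients[idx].token[TOKEN_LEN] = '\0';
    }
    clients[idx].last_seen = now;
    return ACCESS_OK;
}
```

The caller (the access-checker hook) reads the Cookie header, passes the value here, and on a missing cookie calls issue_token() and sets the new value in the response before registering it.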