Re: [PHP] MAC address user recognition?

2003-02-21 Thread Ernest E Vogelsinger
At 05:13 21.02.2003, Jason Sheets said:
[snip]
MAC addresses are used on a LAN and not the Internet.  Using a MAC
address might work for identification on a LAN BUT in most operating
systems you can easily change the effective MAC address on the card.

Most dialup users will most probably have the same MAC address since DUN
creates a fake MAC.

If you were concerned about the overhead of SSL you could make only your
login page go over SSL and the rest of your site go over normal HTTP.

You can do this, but you cannot pass the session token via cookie, since
https://yourdomain.com
and
http://yourdomain.com
are seen as different hosts, thus a cookie (default setting) will not be
shared among these.


-- 
   O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] MAC address user recognition?

2003-02-21 Thread Ernest E Vogelsinger
At 06:28 21.02.2003, Chris Cook said:
[snip]
I have used MAC address authentication using the arp table and it worked for 
what I used it for, but it does only work over the local network and 
spoofing is an issue. Using a cookie in conjunction with a MAC address helps 
the authentication, but it sounds like SSL is the way to go...

Does anyone have any suggestions on where to start learning SSL?
[snip] 

Homepage of modssl:
http://www.modssl.org/

I have successfully set up a site using SSL and a client certificate.
Apache is configured to require a client certificate, however you could
easily modify this to have it optional, and perform some legal action if
the CS is missing or invalid.

Apache configuration (anonymized):

<VirtualHost 1.2.3.4:443>
ServerName myhost.com
DocumentRoot /etc/httpd/home/myhost.com

SSLEngine on
# this is the server certificate and key
SSLCertificateFile /etc/httpd/certs/myhost.com.crt
SSLCertificateKeyFile /etc/httpd/certs/myhost.com.key

# Client certificate handling
# may use "optional" as keyword instead of "require"
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/httpd/certs/myhost.com.ca.crt
SSLOptions +StdEnvVars +CompatEnvVars +FakeBasicAuth
</VirtualHost>

In PHP, I check:

$cacert_ou = $_SERVER['SSL_CLIENT_S_DN_OU'];
$cacert_em = $_SERVER['SSL_CLIENT_S_DN_Email'];

// both subject fields must be present in the client certificate
if (!empty($cacert_ou) && !empty($cacert_em)) {
    // valid certificate - login the user
}
else {
    // no or invalid certificate (not an option here)
}

The client certificate is set up in a way that the OU property
(organizational unit) holds the company identifier of the user, and the
Email property holds the user identifier. This is how my client generates
the certificates, I have to live with that.

In your case you could easily create your certificates to:
1 - not be password protected so anyone on the machine can transmit it
2 - have a unique token per machine in one of its properties (OU, for
example).

HTH,

-- 
   O Ernest E. Vogelsinger
   (\)ICQ #13394035
^ http://www.vogelsinger.at/
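
The check described in the message above, extended to the "optional" mode it mentions, as an added example that is not part of the original post or the poster's site code. It assumes mod_ssl exports `SSL_CLIENT_VERIFY` via `+StdEnvVars`; the helper name `clientCertUser`, the `$machines` table and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example; not code from the original post.
// Assumes mod_ssl with "SSLVerifyClient optional" and "SSLOptions +StdEnvVars".

// Hypothetical helper: returns the user id (certificate Email) or null.
function clientCertUser(array $server, array $machines)
{
    // SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:reason.
    // In "optional" mode a request without a verified certificate still
    // reaches PHP, so anything other than SUCCESS is rejected here.
    $verify = isset($server['SSL_CLIENT_VERIFY']) ? $server['SSL_CLIENT_VERIFY'] : 'NONE';
    if ($verify !== 'SUCCESS') {
        return null;
    }
    $ou = isset($server['SSL_CLIENT_S_DN_OU']) ? $server['SSL_CLIENT_S_DN_OU'] : '';
    $em = isset($server['SSL_CLIENT_S_DN_Email']) ? $server['SSL_CLIENT_S_DN_Email'] : '';
    if ($ou === '' || $em === '') {
        return null;
    }
    // OU holds the per-machine token: it must be one we issued, and it
    // must be bound to the user named in the Email field.
    if (!isset($machines[$ou]) || $machines[$ou] !== $em) {
        return null;
    }
    return $em;
}

// Constructed sample data: machine token => user identifier.
$machines = array('machine-7f3a' => 'alice@example.com');

// Constructed requests, shaped like the $_SERVER entries mod_ssl exports.
$ok = array('SSL_CLIENT_S_DN_OU' => 'machine-7f3a',
            'SSL_CLIENT_S_DN_Email' => 'alice@example.com');
$requests = array(
    'verified, known machine' => $ok + array('SSL_CLIENT_VERIFY' => 'SUCCESS'),
    'no certificate sent'     => array('SSL_CLIENT_VERIFY' => 'NONE'),
    'verification failed'     => $ok + array('SSL_CLIENT_VERIFY' => 'FAILED:certificate has expired'),
    'token of another user'   => array('SSL_CLIENT_VERIFY' => 'SUCCESS',
                                       'SSL_CLIENT_S_DN_OU' => 'machine-7f3a',
                                       'SSL_CLIENT_S_DN_Email' => 'bob@example.com'),
);

foreach ($requests as $label => $server) {
    $user = clientCertUser($server, $machines);
    echo $label, ': ', ($user === null ? 'rejected' : 'login ' . $user), "\n";
}
```

On a live site the first argument would be `$_SERVER`; only the first constructed request is accepted.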







Re: [PHP] MAC address user recognition?

2003-02-21 Thread Jeff Lewis
So how are most people handling the situation you mentioned below? After
getting verified in a https, how is the session information being passed
back to the http?

Jeff
- Original Message -
From: Ernest E Vogelsinger [EMAIL PROTECTED]
To: Jason Sheets [EMAIL PROTECTED]
Cc: Leo Spalteholz [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, February 21, 2003 3:40 AM
Subject: Re: [PHP] MAC address user recognition?


 If you were concerned about the overhead of SSL you could make only your
 login page go over SSL and the rest of your site go over normal HTTP.

 You can do this, but you cannot pass the session token via cookie, since
 https://yourdomain.com
 and
 http://yourdomain.com
 are seen as different hosts, thus a cookie (default setting) will not be
 shared among these.








RE: [PHP] MAC address user recognition?

2003-02-21 Thread Larry Brown
One other thing you could do is simply set up SSL with your own certificate
so that it will encrypt the connection and then run code via Java or some
other client side applet that will get the MAC address from the client
machine directly.  You can then check the MAC against the addresses allowed.
Since the connection is encrypted nobody knows that that is what you are
checking.  Of course there is still a potential for someone that you
previously allowed access to find out how you are identifying them and use
it against you later on, but there are also problems with identifying
someone by their computer unless they keep the computer locked in a closet
while they are away.  I guess it depends on what you are protecting.
National secrets etc.  By the way, OpenSSL with self-signed certs is a free
method but it is not a good idea if you are needing to verify your
credentials to the person coming in.

Larry S. Brown
Dimension Networks, Inc.
(727) 723-8388

-Original Message-
From: Leo Spalteholz [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 12:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] MAC address user recognition?

On February 20, 2003 08:13 pm, Jason Sheets wrote:
 MAC addresses are used on a LAN and not the Internet.  Using a
 MAC address might work for identification on a LAN BUT in most
 operating systems you can easily change the effective MAC address
 on the card.

Good call.  I thought there was some fundamental problem I just
couldn't remember enough from my networking class to put my finger on
it.

 It would probably be better to look for some other form of
 identification like SSL certificates or a cookie with the secure
 bit on so it will only be sent over an SSL connection.

Yeah I'm not super concerned about security and such, this is only a
personal page so something simple will do the job.  I think I'll just
end up hacking together my own encryption algorithm and then storing
encrypted passwords in a cookie.
Hehe.  Security through obscurity, everyone's favorite way :)

Thanks,
Leo




Re: [PHP] MAC address user recognition?

2003-02-20 Thread Ray Hunter
Remember that the mac address gets changed by devices on the network...

--
Ray

On Thu, 2003-02-20 at 20:29, Leo Spalteholz wrote:
 I've been thinking about how to do authentication and user recognition 
 for my site without cookies.  I had this idea but I don't really know 
 if it's possible at all.
 If I got the IP address from the request could I use ARP to get the 
 MAC address for that IP?  If so I could compare that MAC address with 
 a (previously obtained) database of addresses and if it matches they 
 would automatically be logged in.  So I could preauthorize my friends 
 and remember other users once they have signed up.
 
 It seemed like a cool idea but is this at all possible or am I just 
 insane?
 
 Thanks,
 Leo
 




Re: [PHP] MAC address user recognition?

2003-02-20 Thread Jason Sheets
MAC addresses are used on a LAN and not the Internet.  Using a MAC
address might work for identification on a LAN BUT in most operating
systems you can easily change the effective MAC address on the card.

It would probably be better to look for some other form of
identification like SSL certificates or a cookie with the secure bit on
so it will only be sent over an SSL connection.

If you were concerned about the overhead of SSL you could make only your
login page go over SSL and the rest of your site go over normal HTTP.

Jason
On Thu, 2003-02-20 at 20:29, Leo Spalteholz wrote:
 I've been thinking about how to do authentication and user recognition 
 for my site without cookies.  I had this idea but I don't really know 
 if it's possible at all.
 If I got the IP address from the request could I use ARP to get the 
 MAC address for that IP?  If so I could compare that MAC address with 
 a (previously obtained) database of addresses and if it matches they 
 would automatically be logged in.  So I could preauthorize my friends 
 and remember other users once they have signed up.
 
 It seemed like a cool idea but is this at all possible or am I just 
 insane?
 
 Thanks,
 Leo
 




Re: [PHP] MAC address user recognition?

2003-02-20 Thread Chris Cook
I have used MAC address authentication using the arp table and it worked for 
what I used it for, but it does only work over the local network and 
spoofing is an issue. Using a cookie in conjunction with a MAC address helps 
the authentication, but it sounds like SSL is the way to go...

Does anyone have any suggestions on where to start learning SSL?

Thanks,
Chris

From: Jason Sheets [EMAIL PROTECTED]
To: Leo Spalteholz [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [PHP] MAC address user recognition?
Date: 20 Feb 2003 21:13:16 -0700

MAC addresses are used on a LAN and not the Internet.  Using a MAC
address might work for identification on a LAN BUT in most operating
systems you can easily change the effective MAC address on the card.

It would probably be better to look for some other form of
identification like SSL certificates or a cookie with the secure bit on
so it will only be sent over an SSL connection.

If you were concerned about the overhead of SSL you could make only your
login page go over SSL and the rest of your site go over normal HTTP.

Jason
On Thu, 2003-02-20 at 20:29, Leo Spalteholz wrote:
 I've been thinking about how to do authentication and user recognition
 for my site without cookies.  I had this idea but I don't really know
 if it's possible at all.
 If I got the IP address from the request could I use ARP to get the
 MAC address for that IP?  If so I could compare that MAC address with
 a (previously obtained) database of addresses and if it matches they
 would automatically be logged in.  So I could preauthorize my friends
 and remember other users once they have signed up.

 It seemed like a cool idea but is this at all possible or am I just
 insane?

 Thanks,
 Leo




Re: [PHP] MAC address user recognition?

2003-02-20 Thread Leo Spalteholz
On February 20, 2003 08:13 pm, Jason Sheets wrote:
 MAC addresses are used on a LAN and not the Internet.  Using a
 MAC address might work for identification on a LAN BUT in most
 operating systems you can easily change the effective MAC address
 on the card.

Good call.  I thought there was some fundamental problem I just 
couldn't remember enough from my networking class to put my finger on 
it. 

 It would probably be better to look for some other form of
 identification like SSL certificates or a cookie with the secure
 bit on so it will only be sent over an SSL connection.

Yeah I'm not super concerned about security and such, this is only a 
personal page so something simple will do the job.  I think I'll just 
end up hacking together my own encryption algorithm and then storing 
encrypted passwords in a cookie.  
Hehe.  Security through obscurity, everyone's favorite way :)

Thanks,
Leo
