On July 26, 2011 19:36, Anurag Kapur <anuragka...@gmail.com> wrote:
> I am looking for ways of detecting a specific mobile device (example: my iPhone and not my friends') accessing a resource on my publicly accessible Apache web server so that I can restrict access to certain devices only.

> Just like there are ways of detecting the user agent and IP address of the device where the request originates from and restricting access accordingly, is there a way to do something similar for an iPhone for example, connected to 3G network (not wifi)?

The type of network doesn't make a difference, unless you're basing device identification on a device's MAC address on a local area network. Even then, MAC addresses can be spoofed.

I'm not aware of anything intrinsic to the iPhone -- or any other client -- that uniquely identifies the device. And even if there was something, you would not be able to rely on it since malicious clients/devices (e.g., your friends') could simply lie about it. This is (in part) why you can't rely on user agent or IP address to identify devices.

The standard solution in this sort of situation is for you to set up your web server to require end user authentication. You would then visit the web page using your device, and enter your username and password. Your web server could then set a cookie in your device's web browser that would be sent on every request that your device makes to your web server, and you would not have to authenticate again until the cookie expired.

Another solution is to use SSL client certificates. This gets around the need for usernames, passwords, and cookies, but it requires you to use HTTPS for restricted content (which is a good thing to do, even if you're not using SSL client certificates). Configure Apache HTTP Server to require client certificates for restricted content, generate a certificate, and load the certificate onto your iPhone. Your web server will then be able to uniquely identify your iPhone and differentiate it from all other devices. If the private key for your certificate is somehow stolen (which is unlikely unless you leave it lying around), you can revoke the old certificate, generate a new private key, and obtain a new certificate.

--
  Mark Montague
  m...@catseye.org
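
One way to configure the client-certificate approach described in the reply above, as an added example that is not part of the original message. It assumes Apache httpd 2.4 with mod_ssl and a private CA that you operate yourself; the hostname, file paths, the `/restricted` location and the certificate CN `my-iphone` are placeholders.

```apache
# Added example. All names and paths below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Only certificates that chain to this private CA will verify.
    # User-Agent and source IP are not consulted: both can be forged or shared.
    SSLCACertificateFile  /etc/apache2/ssl/private-ca.crt
    SSLVerifyDepth        1

    # CRL issued by the same CA. Publishing a new CRL and reloading httpd
    # is how a stolen device certificate is cut off.
    SSLCARevocationFile   /etc/apache2/ssl/private-ca.crl
    SSLCARevocationCheck  chain

    # Ask for a certificate during the initial handshake for the whole
    # virtual host, so no per-directory renegotiation is needed; the
    # decision to enforce it is made per location below.
    SSLVerifyClient optional

    <Location "/restricted">
        # Refuse plain HTTP outright if this block is ever reused elsewhere.
        SSLRequireSSL

        <RequireAll>
            # A certificate was presented and it verified against the CA
            # and CRL configured above.
            Require ssl-verify-client
            # Pin to one device's certificate rather than any certificate
            # the CA has issued. Safe only because the CA is private and
            # you control which CNs it signs.
            Require expr "%{SSL_CLIENT_S_DN_CN} == 'my-iphone'"
        </RequireAll>
    </Location>
</VirtualHost>
```

With this in place, a request to `/restricted` without a certificate, with a revoked certificate, or with a certificate issued to a different CN is answered with 403; content outside that location remains reachable without a certificate.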


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.