1

I have been trying to solve this problem for a while now.

I have built an application which is running on our client's server. The client has to buy a license for each user to use the system. So each user has a link on his/her computer to access the application with only that computer. Therefore each computer has to be registered for each user and stored in a database.

So I have to restrict the user from accessing the application using another computer/device. My question is how do I capture unique information from each computer using PHP (or any other language), so I can check this information each time the user is trying to log in. I have learnt that you can only get browser information using PHP. So I am looking for some ideas that can point me in the right direction.

What I have tried is storing unique cookies on each PC and registering them in the database. But the problem with that is that some users clear their cookies and thus can't gain access to the app.

j0k
  • I would try to get the MAC address of the logging in user from the connecting PC (there should be some code in C or C++, maybe it is also callable from PHP) and store the license for that MAC address. The only problem is they could change the network card (thus the MAC will change), but this is not as common (or the chance is too small to happen) as deleting cookies. – shadyyx Dec 03 '12 at 09:59
  • Here is the code how to retrieve the client's MAC address: http://stackoverflow.com/questions/1420381/how-can-i-get-the-mac-and-the-ip-address-of-a-connected-client-in-php Aaargh, just read that client has to be on the same LAN to be able to retrieve his MAC address... Hmm, then I have no other idea right now... – shadyyx Dec 03 '12 at 10:01
  • @shadyyx thank you, that is definitely going in the right direction – Sboniso Marcus Nzimande Dec 03 '12 at 10:15

2 Answers

5

Linking a user to a computer is not a good idea. Why would you first create the independence and flexibility of a web application (assuming it is a web application, because it is PHP, or do you actually have command line users?), and then restrict it to a single device, which may break, get stolen... maybe the company doesn't have fixed workspots per user, but it's using a smaller number of computers for a larger number of part-time employees, so each user may use a different computer each day.

If you really would want such a restriction, you better just limit the number of sessions per user. That is: log the session IDs and the usernames of those sessions in a table. On each request, update the table to store the request date time so you can check for expired sessions. Using MySQL, you can make a table of storage type MEMORY, which is fast and very useful for session information. The data will be gone when you reboot the database server, but that's usually not an issue for this kind of information.

Now, there are two possibilities to continue:

  1. If a user logs in again on another PC or browser, they will receive a new session id. In that case, during the login process, you may look in the sessions table to see if the user has another session id open. If so, block the login.

    If the session is timed out, for instance, when it is more than 15 minutes old, you may allow the login anyway and delete the old session.

    Disadvantage is that if a browser or PC crashes, the user has to wait the time-out period before they can continue working on another spot. This is probably not acceptable in any working environment.

  2. A better solution may be: a user can only have one 'active' session. If a user logs in from another workspot, they will automatically get a new session. If that happens, you can just accept the new session and remove the old session id. If they would continue working with the old session, you can see that that session is no longer in the sessions table, requiring them to login again.

    With that solution, a user would be able to quickly toggle between workspaces, without having to wait, but if two users would use the same username simultaneously, they would have to re-login on practically each request.

But I would really think about it twice: why on earth would you want that restriction? If a company would be willing to use the software with more users than allowed, they would also be willing to just alter your PHP code to remove this check, which would be trivial.

Also, if you make using your software too annoying, they may decide not to use it at all and search for an alternative. I think it would be best to trust your customers.

GolezTrol
  • The system runs on its own server on the client's network, that server is controlled by us, so there is no way they can alter the code. This restriction was because the clients did not want to buy more licences, they used one user account on different computers for more than one user. So that is why I decided on this restriction. – Sboniso Marcus Nzimande Dec 03 '12 at 10:23
  • Thanks for your suggestion though, I will take it into consideration – Sboniso Marcus Nzimande Dec 03 '12 at 10:24
  • Fair enough, I'd choose option 2 then. – GolezTrol Dec 03 '12 at 10:25
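
Option 2 from the answer above (one active session per user, the newest login wins), written out as an added example; it is not code from the answer's author. Assumptions: the `active_sessions` table and the function names are made up for illustration, in-memory SQLite via PDO stands in for the MySQL MEMORY table so the script runs on its own, and storing a SHA-256 hash of the session id instead of the id itself is an extra precaution not mentioned in the answer.

```php
<?php
const SESSION_TIMEOUT = 900; // seconds; the 15 minutes used in the answer
// Assumption: in-memory SQLite stands in for the MySQL MEMORY table.
// username is the primary key, so a user can hold only one active session.
function openStore(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE active_sessions (username TEXT PRIMARY KEY,
        sid_hash TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    return $pdo;
}

// Option 2: a new login replaces whatever session the user had before.
function registerLogin(PDO $pdo, string $user, string $sid, int $now): void {
    $pdo->beginTransaction();
    $pdo->prepare('DELETE FROM active_sessions WHERE username = ?')->execute([$user]);
    $pdo->prepare('INSERT INTO active_sessions VALUES (?, ?, ?)')
        ->execute([$user, hash('sha256', $sid), $now]);
    $pdo->commit();
}

// Call on every request; false means the user has to log in again.
function sessionIsActive(PDO $pdo, string $user, string $sid, int $now): bool {
    $q = $pdo->prepare('SELECT sid_hash, last_seen FROM active_sessions WHERE username = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // Only a hash of the session id is stored, so the table holds no usable ids.
    if ($row === false || !hash_equals($row['sid_hash'], hash('sha256', $sid))) {
        return false; // no session, or displaced by a newer login
    }
    if ($now - (int) $row['last_seen'] > SESSION_TIMEOUT) {
        $pdo->prepare('DELETE FROM active_sessions WHERE username = ?')->execute([$user]);
        return false; // idle for longer than the timeout
    }
    $pdo->prepare('UPDATE active_sessions SET last_seen = ? WHERE username = ?')
        ->execute([$now, $user]);
    return true;
}

// Constructed walk-through: one account used from two workstations.
$pdo = openStore();
$t0 = 1700000000; // constructed timestamp
[$pcA, $pcB] = [bin2hex(random_bytes(16)), bin2hex(random_bytes(16))];
registerLogin($pdo, 'alice', $pcA, $t0);
var_dump(sessionIsActive($pdo, 'alice', $pcA, $t0 + 60));   // PC A, just logged in
registerLogin($pdo, 'alice', $pcB, $t0 + 120);              // same account on PC B
var_dump(sessionIsActive($pdo, 'alice', $pcA, $t0 + 130));  // PC A after PC B's login
var_dump(sessionIsActive($pdo, 'alice', $pcB, $t0 + 130));  // PC B
var_dump(sessionIsActive($pdo, 'alice', $pcB, $t0 + 1200)); // PC B after a long idle gap
```

In an application the session id would be the value of `session_id()` taken after `session_regenerate_id(true)` at login, and `time()` would supply `$now`.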
0

I don't think you can achieve this using only PHP. PHP runs on the server, the only client info you can retrieve from there is the IP, and it does not work since it can be dynamic, or the same for all users if they are in the same LAN.

The idea would be to use something that runs in the client, then JavaScript pops up as a good idea, but it has a problem: the user can see it, he can see how it checks or retrieves the information, so manipulating its behaviour is quite easy. Even if you were to retrieve the MAC of the user from JavaScript it wouldn't work, because the MAC can be changed.

I think you should have some type of exe (C, C++, C#, java for example) installed in the client to ensure they can't log from any other computer or device. Of course this should be installed and informed to the user before they can use the web app.

On a different note, why are you doing a web app that has to work only in 1 PC? I mean one of the great things of web app is they can be used almost in any PC/device.

Naryl