JSP login from only a single pc

[carmelo]

Hi everybody,
I need to develop a login system for users authentication, in a way
that after the first login the user can enter the site only using the
same pc as the first time he/she logged in.
I saw this type of logging system... Anybody has any idea about how to
do that?


Thank you very much for your help
Carmelo

-
http://carmelosaffioti.blogspot.com
-

 

[HightowerC]

Hi everybody,
I need to develop a login system for users authentication, in a way
that after the first login the user can enter the site only using the
same pc as the first time he/she logged in.
I saw this type of logging system... Anybody has any idea about how to
do that?

Thank you very much for your help
Carmelo

-http://carmelosaffioti.blogspot.com
-

Ithe user's computer has a static IP address, you could store their IP
address in your database, and verify against that on subsequent login
attempts.

Hightower

 

[Lew]

Ithe user's computer has a static IP address, you could store their IP
address in your database, and verify against that on subsequent login
attempts.

In general that's an ineffective solution. Even "static" IPs can change for
legitimate reasons, and more than one computer can (and frequently do) share
an IP address.

 

[Mayeul]

Hi everybody,
I need to develop a login system for users authentication, in a way
that after the first login the user can enter the site only using the
same pc as the first time he/she logged in.
I saw this type of logging system... Anybody has any idea about how to
do that?

Depends of what you mean by the same PC. There's no real notion of 'same
PC' in the software world.

- You could check for the same IP address, but another PC at the same
place may have the same address. And the PC's address may change if used
elsewhere or with volatile IP addresses.

- You could check for a session cookie , but cookies may be deleted. And
it's rather easy to copy a session cookie to another PC, if you're
trying to defend against that.

- You could try and implement something similar as the 'same PC'
policies Microsoft and some other vendors implement to check a software
license is not run on the hardware it is attached to. Check for devices
models & ids, network adapter MAC address and so on, I don't really
know. But there's no way to check for that with generic web protocols,
so you'd need some ActiveX control or likewise. And you get the risk a
PC magically becomes a new PC when changing some hardware parts.

 

[Dave Miller]

Hi everybody,
I need to develop a login system for users authentication, in a way
that after the first login the user can enter the site only using the
same pc as the first time he/she logged in.
I saw this type of logging system... Anybody has any idea about how to
do that?


Thank you very much for your help
Carmelo

-
http://carmelosaffioti.blogspot.com
-

As mentioned by others, you could use cookies and / or client side code
to gather information or write information to the client's disk for
later retrieval.

If you can post the why and what you're trying to accomplish, perhaps a
better solution will come to mind.

 

[Arne Vajhøj]

I need to develop a login system for users authentication, in a way
that after the first login the user can enter the site only using the
same pc as the first time he/she logged in.
I saw this type of logging system... Anybody has any idea about how to
do that?

There are no 100% certain way of doing this.

And I would recommend against trying - it will just annoy
your users and provide little value.

Arne

 

[Nigel Wade]

Hi everybody,
I need to develop a login system for users authentication, in a way
that after the first login the user can enter the site only using the
same pc as the first time he/she logged in.
I saw this type of logging system... Anybody has any idea about how to
do that?


Thank you very much for your help
Carmelo

You might try doing this using client certificates. You could issue a client
certificate for the client host on registration. Then make it a requirement
that subsequent connections be via SSL, and enforce client validation using
that certificate.

However, I don't know how this would behave, for example, if the client is
behind a NAT router where all the server sees is the IP of the NAT router.

 

[carmelo]

Thank you guys for your answers.

I think I can solve my problem getting the client MAC address... Do
you know how can I get the client MAC address using JSP?


Thank you for your help
Cheers
Carmelo

 

[Donkey Hottie]

Thank you guys for your answers.

I think I can solve my problem getting the client MAC address... Do
Great!


you know how can I get the client MAC address using JSP?

D'oh


Well. If the user is in the Internet, you can't. AFAIK Routers to not pass
that info thru.

If the user is in a LAN, there is a change to do that.

I said to google: "java arp" and got some examples. ARP (Address Resolution
Protocol) keeps up certain tables (mappings, IP-address, MAC) that you may
be able to examine.

 

[Dave Miller]

Thank you guys for your answers.

I think I can solve my problem getting the client MAC address... Do
you know how can I get the client MAC address using JSP?


Thank you for your help
Cheers
Carmelo

Nothing within HTTP gathers or uses MAC addresses. MACs can be spoofed
pretty easily:

http://www.nthelp.com/NT6/change_mac_w2k.htm

JSP is server side - it has no access to client resources or information
except what's passed to it. You'd need something running on the client
(javascript, applet, ActiveX, etc.) to gather the MAC and pass it on.

 

[carmelo]

What do you think about client certificates? Can I use them for this
purpose? Is it possible to implement them using JSP?

 

[Dave Miller]

What do you think about client certificates? Can I use them for this
purpose? Is it possible to implement them using JSP?

Certificates are public / private key pairs - they don't identify the
source of the query.

The only way that I can think of to do this in Java would be to use a
login applet that is signed so that it can access the user's system. The
applet would find unique system information (disk serial #, processor
type, etc.) with which to build a profile to pass back to the server.
The server would then check the profile against the profile created when
the user first signed on.

All that said, there's got to be an easier way to guard against whatever
it is you're trying to stop. Post it (or send an e-mail from the below
link) if you want more holistic help.

 

[Arne Vajhøj]

What do you think about client certificates? Can I use them for this
purpose? Is it possible to implement them using JSP?

Client certificates only indicates that the user has the used
certificate. It does not say anything about whether he has it on a
USB stick and moves it around or whether he has installed it on
multiple PC's.

You can access certificate inform from JSP - something was added
to the servlet specification around J2EE 1.3 I think.

Arne

 

[Arne Vajhøj]

I think I can solve my problem getting the client MAC address... Do
you know how can I get the client MAC address using JSP?

You can not.

Arne

 

[carmelo]

Certificates are public / private key pairs - they don't identify the
source of the query.

The only way that I can think of to do this in Java would be to use a
login applet that is signed so that it can access the user's system. The
applet would find unique system information (disk serial #, processor
type, etc.) with which to build a profile to pass back to the server.
The server would then check the profile against the profile created when
the user first signed on.

All that said, there's got to be an easier way to guard against whatever
it is you're trying to stop. Post it (or send an e-mail from the below
link) if you want more holistic help.

Thank you for your answer Dave.
I don't know if is there any other easier way, but I'm trying to stop
users logging into the web site from other PCs than theirs...

 

[Nigel Wade]

Client certificates only indicates that the user has the used
certificate. It does not say anything about whether he has it on a
USB stick and moves it around or whether he has installed it on
multiple PC's.

You can access certificate inform from JSP - something was added
to the servlet specification around J2EE 1.3 I think.

Arne

You can include information in a cert. which, once signed, can't be altered. You
could presumably include the hostname for which the cert. was valid within the
cert. (server certs. certainly contain the hostname for which they are valid).
Of course, if the user can control the hostname then that's not much additional
security, and it most likely wouldn't be usable in any situation where dynamic
hostnames were involved.

 

[Mayeul]

Thank you for your answer Dave.
I don't know if is there any other easier way, but I'm trying to stop
users logging into the web site from other PCs than theirs...

Okay. So you mean, you want to discriminate against people that would
connect from a friend's PC, or from a library's PC? Against people that
do not own any computer of their own? Should people that own more than
one computer be allowed from all of them?

On second thought, it is true that 'checking users connect from the same
PC' and 'stop users logging into the web site from other PCs than
theirs' are different requirements.
Still, I do not feel you really explained what you're trying to stop
when stopping users that log with another PC than their own.

 

[carmelo]

Okay. So you mean, you want to discriminate against people that would
connect from a friend's PC, or from a library's PC? Against people that
do not own any computer of their own? Should people that own more than
one computer be allowed from all of them?

On second thought, it is true that 'checking users connect from the same
PC' and 'stop users logging into the web site from other PCs than
theirs' are different requirements.
Still, I do not feel you really explained what you're trying to stop
when stopping users that log with another PC than their own.

Mayeul, the login system should recognize if the user is connecting
from his/her PC or from another one. Users can access only if
(user,password,system) are valid, not only (user,password). I need to
develop a system on which, for logging, is not enough to have the
correct (user,password) couple, but is required an information with
which it is possible to identify the user system...
I hope that now is clear

 

[Nigel Wade]

Mayeul, the login system should recognize if the user is connecting
from his/her PC or from another one. Users can access only if
(user,password,system) are valid, not only (user,password).

I don't think there is any way to do this. None which can't either be
circumvented by the user, or won't break when part of the user's valid system
is replaced.

I initially thought client certs. might do, but they are really only useful for
identifying the user. They might identify the system in a highly controlled
environment but that's not applicable in your case. Public/private keys are of
no use because, again, they only identify a user not a system.

Using hardware identification is problematic, just ask any user of a validated
Microsoft OS, or license manager administrator. The MAC address is not secure
because there are network cards for which the MAC address can be configured.
You also have the problem of the user not being able to access your system if
their MAC address changes for any reason. The same applies to pretty much any
other component of a PC.

I need to
develop a system on which, for logging, is not enough to have the
correct (user,password) couple, but is required an information with
which it is possible to identify the user system...
I hope that now is clear

Yes, it's clear what you want to achieve (although I don't understand why).

I know of no mechanism to achieve what you want, never mind from Java.

 

[Lew]

Mayeul, the login system should recognize if the user is connecting
from his/her PC or from another one. Users can access only if
(user,password,system) are valid, not only (user,password). I need to
develop a system on which, for logging, is not enough to have the
correct (user,password) couple, but is required an information with
which it is possible to identify the user system...
I hope that now is clear

The question was why. All you did was restate what you'd already said. We're
interested in what benefit this would provide, other than angering your users
and limiting the usefulness of your system.