#1 SitePoint Addict (joined Aug 2009, 299 posts)

    Application Security

    Hi Chaps,

    I have a PHP Application, hosted on IIS 7 Server.

    The Application needs to be secure for a customer (based in Germany).

    The problem I face is that the only security I have used is cookies.
    The customer, however, does not want to use cookies, due to the difficulty of managing these cookies at their end.

    Their solution would be to use some sort of IP Address based security, where only access from certain IP Addresses would be permitted.

    The problem I see with this is that the customer has numerous different 'sites' across Germany, which would have their own servers and therefore different IP Addresses and in some cases, no server at all.

    So my questions are:

    1. Is IP Address security a viable option?
    2. Would the customer's request be a valid concern?
    3. What would be the best practice of implementing the request?

    Many thanks

#2 SitePoint Enthusiast (joined Nov 2009, 37 posts)
    Why can't you just use username/password authentication using sessions?
    phpSiteMinder - website backup and file integrity monitoring.
    Been hacked? phpSiteScanner can help you clean your site up.

#3 Aleksejs, "secure webapps for all" (joined Apr 2008, Riga, Latvia, 755 posts)
    1) It is a viable additional option, but I don't think you would be able to do without cookies (essentially all web-session mechanisms rely on them).
    2) I did not really understand the concern of the customer. Is the concern: "we do not want to use cookies, because they are difficult to manage"?
    3) I think you should reiterate negotiation of what exactly they want.

#4 SitePoint Addict (joined Aug 2009, 299 posts)
    OK, some of their divisions might delete cookies on closing their browser, or each time they log in to their PC, and they don't want to log in each time, so an IP address check would be preferable.

#5 Aleksejs, "secure webapps for all" (joined Apr 2008, Riga, Latvia, 755 posts)
    They are "the boss" of course, but I would not recommend that. If someone makes a mess in the system, who would be held responsible? To your application a whole division might look like a single IP address.

    Anyhow... if they insist on this solution - you have several options:
    1) Specify allowed addresses at firewall level (that would however provide all-or-nothing access, meaning that no part of the site would be accessible from a non-approved IP address)
    2) Specify allowed addresses at web-server level (in case of httpd using mod_access and .htaccess file you can specify which addresses would be able to open which url)
    3) Specify allowed addresses at application level (in PHP that would mean using $_SERVER['REMOTE_ADDR'] - this gives you most flexibility, but also requires most expertise on your part)

#6 SitePoint Addict (joined Apr 2009, 357 posts)
    IP address validation is very unreliable. The client IP can be blocked from the web server by various proxy servers and some firewalls. If you want to restrict access to only certain computers maybe a VPN would be a more bulletproof solution.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same" - Anon
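An added example, not code from the thread: the application-level check Aleksejs describes in #5 (option 3, `$_SERVER['REMOTE_ADDR']`), written so that it fails closed and only trusts `X-Forwarded-For` when the connection actually comes from a proxy you control, which is the unreliability Doug G points out in #6. The allowlist entries, the trusted-proxy address and the client addresses are constructed placeholders; a 64-bit PHP build is assumed so that `ip2long` and the mask arithmetic stay positive.

```php
<?php
// Allowed client sources: single IPv4 addresses or CIDR blocks (constructed examples).
const ALLOWED_SOURCES = [
    '203.0.113.0/24',   // one customer site behind its own server
    '198.51.100.17',    // a single office gateway
];

// Reverse proxies / load balancers in front of IIS that you trust to append
// X-Forwarded-For. Placeholder value; leave empty if clients connect directly.
const TRUSTED_PROXIES = ['10.0.0.5'];

// True when $ip (dotted IPv4) falls inside $cidr ("a.b.c.d" or "a.b.c.d/bits").
function ipInCidr(string $ip, string $cidr): bool {
    if (strpos($cidr, '/') === false) {
        return ip2long($ip) === ip2long($cidr);
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $mask = (0xFFFFFFFF << (32 - (int)$bits)) & 0xFFFFFFFF;   // /0 yields mask 0
    return (ip2long($ip) & $mask) === (ip2long($subnet) & $mask);
}

// Resolve the client address. REMOTE_ADDR is the TCP peer and cannot be spoofed
// by the client; X-Forwarded-For can, so it is honoured only behind a trusted proxy.
function clientIp(array $server): ?string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!filter_var($remote, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return null;                                   // IPv6 or garbage: reject
    }
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($chain);                      // hop appended by our proxy
        return filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ?: null;
    }
    return $remote;
}

// Fail closed: unparseable address or no allowlist match means no access.
function isAllowed(array $server): bool {
    $ip = clientIp($server);
    if ($ip === null) {
        return false;
    }
    foreach (ALLOWED_SOURCES as $entry) {
        if (ipInCidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Gate at the top of every protected script (or in a front controller).
if (!isAllowed($_SERVER)) {
    http_response_code(403);
    exit('Access denied');
}
```

This belongs alongside the session-based login suggested in #2 and #3, not instead of it: it narrows where requests may come from, but says nothing about who is sitting at the machine.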
