I would like to capture the "computer name"/"device name" of the user. (Ex: Joes-iPhone) It seems like a nice touch to be able to see what devices have connected with the users login so they can see if there is unauthorized access to their account.
Over and over I see people say this is impossible from a web page for JavaScript, HTML, PHP, etc. Yet when I log into my bank, Facebook, Google. Low and behold, there is every device I've connected with. This means it is most definitely possible.
There was one instance where one of my accounts was logged into by someone and this was a big help in identifying what was going on and I love this feature now. I would like to implement this but am stuck in a city full of dead end roads!
Does anyone have any knowledge of how they are accessing this? Or even theories? I don't care what language or technique.
I'm very curious to see what people come up with. I do have an app for Facebook, so I could see the app accessing it and storing it for the browser site, but I have no app for the bank or Google and I have devices listed in Facebook that were not used within an app, only through the browser. To my knowledge I have never authorized any access to anything beyond what the browser is capable of, so there must be something I'm missing.
Short answer: It's true, it can't be done.
But why not??
Your device name is used when your device connects to your router -- but that's where it stops. Your router doesn't allow that information to be broadcast any further. When your computer/tablet/phone requests a web page, your router is the one actually asking for the page -- and he refers to himself by his public IP, which is shared by all the devices on your LAN.
Second-Best
What can be seen by external Internet entities is your user-agent (the type of browser you're using), which can give someone a pretty good idea of what operating system you're using, and therefore what sort of device you're on (mobile vs. desktop/laptop, Windows vs. Mac, etc.). The user-agent info is available as a string, and can be accessed by PHP via the $_SERVER['HTTP_USER_AGENT'] variable.
The PC name is only accessible through LAN (another PC connected to the same modem/router), if such a request hasn't been blocked on your PC. It is not distributed by browsers.
What browsers transmit is the browser info and operating system as well as the IP address. That's all. Some sites allow you to give a nickname to each machine so you can identify them, and they can then use cookies to remember which is which.
EDIT: The only thing I can see is that they could be using Java or Flash to do it.
Related
Sharing cookies from the browser to the electron app
I log in to my website. Then I start my electron application. I don't want to log in. I need cookies or tokens to log in. Is it possible to share cookies from the browser to the electron app?
Think about this from a security perspective: If any app could read any of the Browser's cookies, then it would be simple to spy on users or impersonate them from the outside (a malicious app, like spyware or something similar). So the answer is "maybe".
Firefox, for example, stores the cookies (assuming that you have not set a primary password for your profile) in an SQLite database in a well-defined folder. So you could definitely try to read them.
However, AFAIK most antivirus software is aware that this is a security problem and will thus nuke any app other than the browser which tries to access them.
So, as long as no antivirus software is installed and Firefox is used without a primary password, you "should be good".
However, this is not a good idea, even from a user perspective: The connection between "I logged in via my browser" and "I am logged in in the app" is not intuitively clear. Also, some (most) users may consider this a breach of trust. After all, if you read their cookies, what else will you read? Who guarantees that you only use the cookies from your particular webpage? An app "randomly" reading your cookies is kind of creepy if you think about it.
Then there's another hurdle to overcome: How do you decide which of the multiple browsers installed on the system (and even if uninstalled, there probably will still be the users' profiles left) is the "right" one? What do you do if multiple browsers have multiple session cookies for your webpage? All this is not as easy as it might seem in the first place.
I suggest you to look into some other technologies, like OAuth2, which may reduce the "login process" inside your app to a single click in case there's a session open for the device. How this is implemented specifically is out of scope for this answer (and hard to explain and understand without the required basic knowledge).
Background:
I'm a tech writer at our company. I dabble in Javascript from time to time, and I consider my js skill level to be maybe advanced beginner/early intermediate.
Anyway, we have Help content created by Adobe's RoboHelp (version 2017). The Help content is static HTML5 .htm pages. The Help gets installed into a folder as a bunch of static .htm pages on our users' computers when they install our product. The users open our .htm pages in their browser via the file:// protocol.
Our Goal:
On our first intro page of our Help, we're planning on showing a "What's New" .htm file inside of an iframe, but we only want to show it the first time a user accesses the documentation.
What I Know and Have Tried:
I know on a real web server, I'd probably just use cookies to control this. But on a local computer, cookies aren't persistent, and after the session closes, the local cookie storage gets deleted.
I know that Javascript accessing the file system unfettered is a security no no and isn't possible.
I've looked into the FileSystem API but the things I've read indicate that it is dead and not in the standard going forward.
My Question:
Is there some other way in Javascript to have limited trusted access to a single settings file etc for this kind of thing? If so, what is the best / recommended way that keeps the user's computer secure but allows us to store and modify settings in a limited fashion so the user has the best experience?
Note that many of these users probably won't have access to the Internet at all, since their computers will be on a factory floor, so a solution that doesn't require talking back to the Internet is ideal.
I assume most of our users log onto their computers with a standard (non-admin) level login. How many users on the same computer will vary, and I don't have that info, though I think it's likely there will be different shifts that use the same computer.
I'm planning on just storing something simple, like boolean values (ie True/False for if this is the first time they've seen the What's New page etc).
Some questions:
Does a user login? What sort of information is planned on being stored?
How many users will be using the same computer?
It's not strictly secure. I wouldn't store any passwords, and personally identifiable info in localStorage, however there are some caveats ( Storing Credentials in Local Storage ), https://softwareengineering.stackexchange.com/questions/152763/html5-localstorage-and-encrypted-sensitive-data ( however if it's on a computer not connected to the internet, then maybe something simple with encryption, might be ... okay )
Might have a look at localStorage.
https://stackoverflow.com/a/44358718/2026508
https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage
I have developed a e-com website in asp.net, it has a admin panel which is manage by site admin. As i have got the requirement from client, admin panel should be access only in his office system, can anybody help me on this, how can i restrict that for single machine. As per my knowledge i can restrict by internet Protocol address but client doesn't have static internet Protocol and can't validate by mac address because its workable only for IE. so, please suggest how can we achieve that.
You could use a certificate for this, however I honestly would advise that tying access to the admin section of a functioning business to a single specific device is a bad idea in general.
(The following is advice only based on real personal experience, and therefore somewhat subjective, but my philosophy is to never help a client shoot themselves in the foot, no matter how much they want to pay me to do it.)
If any of the following scenarios occur, your client will not be able to administer his site without getting you to help:
His computer explodes.
His office is broken into and his computer stolen.
There is a power outage in his office.
He is ill and needs to work from home.
Flood / Volcano / Zombie apocalypse.
Client goes on holidays and wants to make a change to the site from beside the pool using a device that for whatever reason does not support the certificate in question or that he didn't think to ask you to install the certificate on.
etc.
Murphy's law suggests that any or all of the above will occur at the exact time that you are not available/really don't want to have to deal with it/busy working for another client
If your client really wants secure access to the admin section of the site, you can't go wrong with having a specific Admin login section over HTTPS.
No-one can reasonably steal his login credentials "over the wire" this way...If the client is worried that someone might somehow steal his username+password, via key logger,over the shoulder, etc, then it's up to him to not access the site from a computer that's insecure (internet cafe, etc).
And if he insists that it must only be accessible from that specific machine then he has to decide if he wants to have his cake or eat it - either get a static IP address or not!
if possible Create a small windows application and install it in the Office machine
the windows application should create a dynamic link to the URL of the web site plus a query
string Contains the Current IP Address of the machine
(e.g) URL ="http://www.yourdomain.com?ip="+Stringvariable containing client current ip
Second Step ....
in your web application check for the Request.IPAddress compare it to the query string address
String ipAddress =
System.Web.HttpContext.Current.Request.UserHostAddress;
if(ipAddress==ipAddressFromQueryString)
// Continue Processing
else
// UnAuthorized Accesss
Note: You should Encrypt your query string in your windows app and decrypt it in your web application
There are other topics like this but none of them completely answer my problem.
I'm making a website only accessible for a small group of users. (like one team)
Now they should all have the possibility to go to the website and see information for them personally. And that without having to log in. Simply said: How to recognize a user without Login.
The problem is, those users will access that webpage 99% of time with their phone.
That means they'll access it trough WiFi OR 3G network making their IP not constant and in my opinion useless to track. Then I thought about the mac address, that's one thing that stays stable. But internet suggests it's not send to browser and so "unable to track".
Questions:
Is it really impossible to track a phones mac address or does a backdoor thing exist? (javascript/php/cookie/...). I do not want an app because the phones work on lots of different platforms.
Is there any other value or constant that I can use to identify a user without login?
You could login via PHP-parameters,
so the user can save a link like that to his bookmarks:
intranet/login.php?user=vincent&pwhash=8fe4c11451281c094a6578e6ddbf5eed
You should use localStorage - that way your user can just login once into your website and then onwards you can always get/set that value.
That's impossible to get the user mac address so don't bother yourself to do some magic to get the mac address of someone's mobile phone. Well based on experience we developed device finger printing or DFP and gathered as many info as we can from the users namely external IP, browser info such us prefererred language, user-agent, etc., screen resolution, geolocation etc. Then out of that info we have some algorithms to make a scoring schemes or matching schemes then store the info to our database. Every time a user visits the site we gather again the info then match it to our records. For example user1 is then determined if he scores more than 90% matching to our records.
Our company makes the web based application which is priced per workstation.
That means that user/pass credentials should only be used from one particular machine.
Currently what is happening that several users are sharing credentials and we do not have any way to prevent this if they are not doing it concurrently.
The nature on the application is such that user needs to use it once in a while so the inability to work concurrently does not bother the users much and the company loses it's possible revenues.
The application currently is purely AJAX without flash/activeX/Java applets.
The ideal solution would be to read the computer name or IP address of the client with javascript using "Shell.Network" scripting interface.
But this is impossible because of the strict security settings in Internet Explorer. I have to mention that cross browser functionality does not matter and the only browser supported is IE.
Searching google I came across this solution here http://www.reglos.de/myaddress/MyAddress.html but it requires JAVA applet so will not be very convenient.
Are there any other solutions for this?
Your licensing model is not consistent with the delivery model. Change one of them.
Set a cookie on the machine with an id. Retrieve the cookie each time the user logs in. If you see several different cookies alternating for a single user you know you've got something odd going on.
(Of course a single switch may just mean they've moved to a new PC as one off. )
Alternatively, price per usage, 'query' or some other item.
This kind of abuse can probably be detected moderately effectively using the Cookie technique that RichH suggested. At least blatant abuse can be detected quite easily (say 10 licenced users, 100 real users).
But of course, don't lock the user out, just monitor the situation and get your Sales people to call up suggesting that they buy more licences.
We do exactly the same (in terms of licensing and delivery), and I'm sure that you have good business reasons for not changing your model.
Track through sessions per user. Do not allow multiple sessions to a single user. To achieve this you will have to save the session ID into the database and check everytime a user logs in.
To help users who at times have a browser crash and relogin with new session, allow them to sign out their previous session... so you can kill the old session and instead register the new one.
Hope this is useful.
There's no easy answer as your clients (the software) are effectively anonymous and the users are self-identifying.
For IE "locking you out" (I'm hardly an IE expert), but can't the IE settings be set for particular domains? You could simply make it a requirement that the users configure their browsers to give your app superior access.
I don't see any reason why you can't have certain requirements for the users browser (i.e. only IE 6/7/8, these security settings, etc.).