I'm developing a web application that will be accessed by many users on an intranet. At almost every time I would like the server to know the clients that have logged unto the system. The idea that I have currently is that of pinging machines (clients) that the users are sitting on. Every time the user logs in, I would like some code to capture the IP address for the user's machine and send it to the server. The code I have is using json which is however limiting because I will not always have internet access on the intranet to access 'http://smart-ip.net/geoip-json?callback=?'. Is there someone with alternative ideas that can help? I would really like to get the IP addresses for users as they log in.
If there is someone going through the problem I posted above they may find my solution helpful.
I have devised an algorithm yet to be implemented. The algorithm gets each user's IP via the simple $_SERVER['REMOTE_ADDR'] using php and using using some JSP to constantly ping the user from the server to check the user's connection status. To ensure absolute availability for the user the client also uses JS to determine user activity on the application and sends some infor to the server via Ajax if the user is inactive for a given number of minutes. I really think this will work especially that it has worked on my paper work. I will share my experience when I finally implement my thinking.
Related
I have a web application that has form based authentication.
the application has registration functionality also. Since last few weeks, i have observed that some users with specific domain is making fake entries into the website and getting the benefits as We do not have any approval workflow.
this user either do it manually or run some script. We thought that we can restrict the registration process as per IP based, however this is not possible to get the visitor exact IP address using C# (please correct if i am wrong).
Can we do it using some other techniques. our requirement is - single registration from a machine per 2 days.
unfortunately I would call this mission impossible.
Idea 1: IP address. The user can use a proxy to register multiple accounts depending on how many proxy he can find (there are a bunch on the internet for free)
OR they could just fake the ip package by putting a random ip in the header. Since all they need is to register so it doesn't matter if the confirmation message was sent to another random guy
Idea 2: one registration per machine. I could fake as many machines as I want with virtual machine and you will have no way to tell from http request.
Alternatively I could just fake all the information with raw http request and I can do that with a script with no issue.
And from what I know you don't have the system right to read hardware id from js (correct me if im wrong)
No method is guarantee to restrict 2 registration per day but IP based method should work against most normal users. Do keep in mind that everyone using the same router could have the same IP (example school, public wifi in apartment)
You could find out the user's IP address within HttpContext object
Whatever your restriction would be - it will be based on the data the browser sends (as long you restrict a specific computer).
Your main desire is to create a "footprint" on that machine in order to use it later - per request.
Whatever your manipulation would be, you should also obfuscate your JS code.
for example, on pageload code you can request for httpheaders dedicated to that machine and save them in cache, then you generate a guid for the client which it suppose to use in order to register.
another option is to use AES to encrypt the data before sending it "on the wire", that way you won't be able to manipulate it.
the most important thing is that once you "drop" a js code on the client he can do whatever he wants, the question is how hard it would be.
**edit:
a more secured way but more complicated that i have once used is creating a sync-key.
an async ajax call to the server requesting an encryption key.
the server call will save the new guid-key in memory and will generate a new one for each request.
you can use this idea to keep track of user debug and browser behavior.
as debuging will hold the code from running the sync key will be change and you can "catch" him.
Neither cookies nor IP can protect against fake entries.
You should look at it from another side. You get unwanted entries and you don't know if it's an automated bot, or spammer, or someone who just doesn't care about your data. Instead of banning entries you should think how to validate them. For example, if you get "aaaaa" as a name and "bbbbb" as an email address - add, at least, regexp validation on client and server side to ensure you get data in a required format. Next level would be to verify the email address by querying the mail server or sending validation email. This will not only help to stop spammers, but also people who doesn't care. If you think it's an automated bot - add a captcha. In case of emergency - ban IP in the web.config (See ASP.Net How to limit access to a particular IP address to a particular page through web.config file (.htaccess similar)?)
I need to somehow detect the IP address of some of my website visitors and let them access the website without loggin in. Currently the content of the website is password protected and the visitors should log in in order to get access to the content. But I was wondering if there is a way to let some of our customers to get access without logging in by detecting their IP address.
Is this possible? If yes, what's the best solution?
Thanks
First off; this shouldn't be a Javascript question. You can't write site security in Javascript, because it runs on the client's computer, and you can't trust that computer. They could just open devtools and replace "if (loginOk())" with "if (true)"
Usually, this is accomplished not via IP address (which is pretty easily spoofed) but with some sort of randomized cryptographic hash given to them as a cookie. I can summarize it for you in a short way, but you'll want to look up the idea of "oauth tokens".
User logs in using their username and password
In the Response to their login action, the server sets cookie 'mysite_login_token' to a highly randomized string based off of their user information and the current date, ie 'noonewilleverguessthisstringofletters' (well, no, not that exactly - like I said, read more specialized articles on the subject).
In all subsequent requests to sensitive information, the server checks the sent value of 'mysite_login_token', and makes sure it matches the stored value for that username.
If the user logs off, then the server deletes its copy of that token so it can't be used again.
you can't in pure javascript; you can use a server side service using .net or php and use XHR to fetch the result
The IP address could be useful for making an initial guess at who might be on your system if no login or cookie is presented. The IP can be used to obtain their approximate location or for logging the activity of anonymous users. The cookie is certainly a better way to re-identify a client machine than an IP, because dynamic IP's change periodically. Still identifying a machine is not the same as identifying a particular user. The IP or cookie for a machine at a public library won't identify a particular user. See: geolocation website
We've just developed a small Facebook puzzle that people win some gifts from our customer. I'd like to ask a few questions since I'm pretty stuck despite tried lots of things. First I'd like to write what we have and then will explain our problems.
What we did so far:
Root of application (/) checks for signed_request in POST params, extracts information from it to see if we've registered the logged in user into our database. This checks are also used to understand if the request is sent from Facebook or not to prevent requests coming outside of Facebook. (will write why we want this)
Once the application is successfully rendered, Facebook JS API takes place, does its checks and sets the fbsr cookie. We use that cookie information while processing ajax requests to check if the request really belongs to the logged in user (e.g.: scores being sent for a user belong to the logged in user).
We implemented CSRF protection and another protection to check if the requests are POST and more specifically AJAX requests and return 40x if not.
Problems:
Despite I do some checks to prevent spoofed scores, I couldn't think of a way that the logged in user could improve its own scores by simply calling the same JS code I do for real scores. We just ignored this for some time until we just found out that some people seem to take advantage of this bug.
One way I thought of is to ignore all requests except coming from Facebook. Since the ajax requests are blocked (cross site) we should have been safe. However this leaded to another problem that, once we redirect users to e.g. leaderboard the signed_request data is lost and our index page returns 40x once the user tries to go back since our application thinks that the user tries to visit our application outside of Facebook.
I hope that I made our problem clear. Gaming time is calculated by Flash (game is programmed in AS3) and it's sent via JavaScript methods to server side. We could have done it in Flash but that only prevents our problem from becoming trivial. Afterall we'd have the same problem if we had implemented the game in HTML5.
Any thoughts, suggestions are really welcome and thanks for your feedback!
This is a bug by design. You are calculating the scores on client side and then send them to the server. The server has no way to validate if the score is correct. This can ALWAYS be faked by clever users.
Never ever ever calculate things that could give users advantage on clientside. Clientside is evil. Everything on clientside can be manipulated - no matter how hard you try.
Calculate your scores on the server and use the client side only to display them. Every other solution is crackable.
I have a Ruby on Rails 3 application, and I want to be able to see a list of who is currently online. For example user1, IP address, and country. I then want to be able to open a chat / push messages to this user until they leave my site.
How can I accurately monitor who is currently on the site and instantly remove the user from the list when they leave?
I then can talk to them via faye pub/sub.
How can I accurately monitor who is currently on the site and instantly remove from list when they leave?
Well using HTTP you can not do this "instantly" in a browser. Almost all solutions I see use a heartbeat technique. Every X seconds, a request is sent from the browser (using Ajax), that tells if the user is online. If you haven't heard from the user in x heartbeats, you regard the user as disconnected - even Facebook uses this, it seems. I will recommend you to drop your requirement for instant, unless it's really important.
Another approach is to implement Flash or Silverlight, to make a socket connection to the server. But the demand on the server is high, and if many people is on your site, you will run into trouble with ports and so on.
I think this is not so much related with Ruby on Rails... but this is very hard to implement in HTTP with a scripting language only. The server does not know whether a user has closed the browser or not. The server just sends the requested page data to the user and closes the connection.
You would rather have to integrate Ajax or Flash to make things easier. I have seen some people developing chat programs with Flash, and it seems to work much better than any other Ajax-implemented chat programs.
Chat is very unfavorable in a web browsing context, since the page will be reloaded as the user clicks a link. If you are thinking about building an application that only supports a chat feature, you probably want to look something other than Ruby on Rails. For example, Node.js will be a good one.
Can someone illustrate how I can get typing status of the other party with JavaScript?
UPDATE
Can someone recommend a one-to-one open source chatting application, preferably written in PHP? I only found open source chatting rooms which are for chatting among all onliners, but I just need a one-to-one chatting.
Here are a list of PHP-based open-source instant messaging software.
Some of those might be relevant for you.
For example, if you had an text area #chat then you could use this code to attach the event:
document.getElementById('chat').addEventListener('keydown', FUNCTION HERE, false);
See http streaming and some ready solutions here: http://ajaxpatterns.org/HTTP_Streaming
this is how google talk does it. And there are ready php or c++ solutions
It was quie a discovery for me!
This is an update to reflect the significant change in the OP's question:
Google Chat and Facebook both use XMPP(jabber) servers, as do most companies I know of that have internal instant messaging.
The nice part about XMPP is that you get all of the "is typing" and other presence-based information without having to roll-your-own in javascript (bear in mind, you will still need to use javascript to pass XMPP requests back to the server, but XMPP has most of the features you'd need already built in).
Check out OpenFire. It's a great XMPP server, totally open source, and they have a web-based version of their Spark client that is pretty nice.
Or you could get a PHP library for XMPP (there are a few). But you'd still need to have the XMPP server running in the background for PHP to work with.
Here's a list of XMPP libraries for PHP from XMPP.org:
Eiffel
JAXL
Lightr
Missus
xmpphp
Or, if you want to keep things mostly browser-side, they also have a list of libraries for javascript:
dojox.xmpp
js.io
JSJaC
strophe.js
xmpp4gwt
xmpp4js
I made a small chat application a while ago, and the only way to do it is to frequently check for new entries in the chat database and fetch anything newer than the last displayed message. At the same time as all that, you can check to see if the user's input is empty. If it is, do nothing. If it isn't, enter a status code into the database beside that user's name. If anyone has that status in the database when you're fetching information about new messages and who is online, you should display the 'user is typing' message. I hope that makes sense...let me know if it isn't.
For User1: If you save the chat message on each key-press to the database, with a status: sent=false and update the last updated date.
For User2: you could pole periodically for the presence of a message where sent=false and use the last updated to update user is typing message. if the lastupdated date is more than a say ten seconds you could remove the message as that person may have stopped typing. This will allow User2 to see User1 typing, stopping and continueing again.
Ideally polling for this information will be part of an existing call to the database to reduce additional overhead.