How to uniquely identify a client in a web (PHP) application

Problem description:

We've been developing a web application (PHP, using the Yii PHP framework) that is going to be used for data entry. The clients will be users from both the LAN and WAN (many of the remote clients will be behind a proxy, reaching our network using one IP address with NAT). What we basically want is to guarantee the validity of data in the way that no malicious user alters it.

Is there a way to programmatically identify each client in a unique way, so that I can guarantee (at least at some good percent) that no malicious remote user will connect? We were thinking of gathering the MAC addresses of all remote users and using a (non-web) client that generates a hash string that the user will input in the web application and then proceed if this authentication scheme passes. As I said, using other non-web applications for the remote client is an option.

Is such a solution as the one I describe above viable? Should we see other solutions, like maybe a VPN?


A VPN is a typical solution to the problem of locking out everyone except those you've explicitly given access --- basically you're rejecting all connections to the site that aren't authenticated in your local network or VPN. That way you don't have to write any funky logic for your actual web application.

I think this is an ideal solution because it allows the application to be maintainable in the future when other developers step in... furthermore it will require less of your developers and will ultimately keep costs down.

Normal user authentication is generally OK, but if you have higher security needs you can provide clients with X.509 certificates to install in their browser. VPN is of course an option, but you just move the authentication problem from the website to the network VPN.

What you are looking for are the SSH-Key pairs: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

There are many more resources on this; the theory in brief: each client creates a pair of unique keys, a private and a public one. The public one goes onto your server, the private one stays with him. Then the client uses the key to authenticate. The server calculates a valid public key from it and checks if you have such a key in your system. If a pair is found, authentication was successful. (I have never used this so far for web authentication.)

Additionally you could use OTP (One Time Password) technology. Since it is normally bound on a per-account basis it will be very secure: https://github.com/lelag/otphp
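As an added example (not part of the answer above and not code from the otphp library), here is a dependency-free TOTP (RFC 6238) check in plain PHP that shows the two things a server-side verifier must get right: a small clock-skew window and replay protection, so an intercepted code cannot be reused within its time step. The secret is the RFC 6238 test vector, and `$lastCounter` is assumed to be persisted per account by the application.

```php
<?php
// Added example: RFC 6238 TOTP verification with a +/-1 step window and
// replay protection. Secret below is the RFC 6238/4226 test vector, not a real key.

function hotp(string $secret, int $counter, int $digits = 6): string {
    // RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    $msg  = pack('J', $counter);                 // 'J' = unsigned 64-bit big-endian
    $hmac = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          |  ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totpCounter(int $unixTime, int $step = 30): int {
    return intdiv($unixTime, $step);
}

// $lastCounter is the time step of the last code this account used successfully
// (assumed to be stored per account). Returns the accepted counter, or null.
function verifyTotp(string $secret, string $userCode, int $now,
                    ?int $lastCounter, int $window = 1): ?int {
    $current = totpCounter($now);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $counter = $current + $delta;
        // Replay defence: never accept a step at or before the last accepted one
        if ($lastCounter !== null && $counter <= $lastCounter) {
            continue;
        }
        // Constant-time compare, known value first
        if (hash_equals(hotp($secret, $counter), $userCode)) {
            return $counter;
        }
    }
    return null;
}

// Self-check against the RFC vector: secret "12345678901234567890", T=59 -> 287082
$secret = '12345678901234567890';
if (hotp($secret, totpCounter(59)) !== '287082') {
    throw new RuntimeException('HOTP/TOTP self-check failed');
}
$accepted = verifyTotp($secret, '287082', 59, null);       // int(1): step for T=59
$replayed = verifyTotp($secret, '287082', 61, $accepted);  // NULL: same step reused
var_dump($accepted, $replayed);
```

The caller is expected to store the returned counter as the account's new `$lastCounter` so that the same code is rejected on a second attempt.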