Question

I have developed an e-com website in ASP.NET. It has an admin panel which is managed by the site admin. As per the requirement I got from the client, the admin panel should be accessible only from his office system. Can anybody help me with this: how can I restrict it to a single machine? As far as I know, I can restrict by Internet Protocol address, but the client doesn't have a static Internet Protocol address, and I can't validate by MAC address because that is workable only for IE. So, please suggest how we can achieve that.

Solution

You could use a certificate for this; however, I honestly would advise that tying access to the admin section of a functioning business to a single specific device is a bad idea in general.

(The following is advice only based on real personal experience, and therefore somewhat subjective, but my philosophy is to never help a client shoot themselves in the foot, no matter how much they want to pay me to do it.)

If any of the following scenarios occur, your client will not be able to administer his site without getting you to help:

  • His computer explodes.
  • His office is broken into and his computer stolen.
  • There is a power outage in his office.
  • He is ill and needs to work from home.
  • Flood / Volcano / Zombie apocalypse.
  • Client goes on holidays and wants to make a change to the site from beside the pool using a device that for whatever reason does not support the certificate in question or that he didn't think to ask you to install the certificate on.
  • etc.

Murphy's law suggests that any or all of the above will occur at the exact time that you are not available / really don't want to have to deal with it / busy working for another client.

If your client really wants secure access to the admin section of the site, you can't go wrong with having a specific Admin login section over HTTPS. No one can reasonably steal his login credentials "over the wire" this way. If the client is worried that someone might somehow steal his username and password via key logger, over the shoulder, etc., then it's up to him to not access the site from a computer that's insecure (internet cafe, etc.).

And if he insists that it must only be accessible from that specific machine then he has to decide if he wants to have his cake or eat it - either get a static IP address or not!
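
The certificate approach mentioned in this answer could be enforced server-side roughly as follows. This is an added example, not code from the original answer; it assumes IIS is configured to accept client certificates over HTTPS, that the admin pages live under /admin, and it uses a hypothetical module name and appSettings key (AdminCertThumbprints).

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Hypothetical module name; register it under <system.webServer><modules> in web.config.
public class AdminClientCertModule : IHttpModule
{
    // Assumed appSettings key: comma-separated thumbprints of the certificates
    // allowed into the admin panel (the office PC plus a spare kept offline,
    // so one dead machine does not lock the admin out).
    private static readonly HashSet<string> Allowed = LoadAllowed();

    private static HashSet<string> LoadAllowed()
    {
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        string raw = ConfigurationManager.AppSettings["AdminCertThumbprints"] ?? "";
        foreach (string t in raw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
            set.Add(t.Replace(" ", ""));
        return set;
    }

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // Assumed admin path prefix; everything else is left alone.
            if (!ctx.Request.Path.StartsWith("/admin", StringComparison.OrdinalIgnoreCase))
                return;
            if (!ctx.Request.IsSecureConnection || !IsAllowed(ctx.Request.ClientCertificate))
            {
                ctx.Response.StatusCode = 403; // no listed certificate, no admin panel
                ctx.ApplicationInstance.CompleteRequest();
            }
        };
    }

    private static bool IsAllowed(HttpClientCertificate cert)
    {
        // IsPresent/IsValid are the flags ASP.NET reports for the presented certificate.
        if (cert == null || !cert.IsPresent || !cert.IsValid)
            return false;
        var x509 = new X509Certificate2(cert.Certificate);
        return Allowed.Contains(x509.Thumbprint);
    }
    public void Dispose() { }
}
```

The certificate check sits in front of the normal admin login rather than replacing it, and adding a second thumbprint to the setting is how a replacement or backup machine gets access.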

OTHER TIPS

If possible, create a small Windows application and install it on the office machine.

The Windows application should create a dynamic link to the URL of the web site plus a query string containing the current IP address of the machine.

(e.g.) URL = "http://www.yourdomain.com?ip=" + string variable containing the client's current IP

Second step:

In your web application, check the Request.IPAddress and compare it to the query string address.

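    // Address the request actually came from, as seen by the server
    string ipAddress = System.Web.HttpContext.Current.Request.UserHostAddress;
    // Address the Windows application put in the "ip" query string parameter
    string ipAddressFromQueryString = System.Web.HttpContext.Current.Request.QueryString["ip"];

    if (ipAddress == ipAddressFromQueryString)
    {
        // Continue processing
    }
    else
    {
        // Unauthorized access
    }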

Note: You should encrypt your query string in your Windows app and decrypt it in your web application.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow