Question

I've built a PHP web application which I only want my wife and me to have access to. Adding password protection adds an unnecessary user step - is it possible to restrict the page to certain devices (e.g. our iPhones, iPad and MacBook) regardless of wifi / 3G network etc.?

I don't think PHP can determine MAC address - so is there a suitable method other than password protection?

Thanks,

Mike

EDIT

Some further info to help clarify:

The server is running on Debian/Linux (The RaspBMC off-shoot of Raspbian to be precise).

I need access from anywhere, home and out and about.

Thanks


Solution

Security through obscurity?

Technically, any device could still access the application, although it would take a 'while' to do it, especially if you force a sleep (Guessing a simple combination of 10 digits would have a maximum guess time of 300+ years at a sleep of 1 second, so it's pretty unlikely someone could guess it correctly). For example:

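sleep(1); // Deter brute force
$expected = 'sdfjksahdkfjshadkjrfhwaoieua3487a3wt897dywydd39d87haw387d8a3hd7a8hd387wahd089afh980a3yfh983ahf398ahsdaf';
// A missing or non-string parameter is rejected; hash_equals() compares in
// constant time and avoids the type juggling of a loose == comparison
if (isset($_GET['auth']) && is_string($_GET['auth']) && hash_equals($expected, $_GET['auth'])) {
    //run app
} else {
    //throw 404
    http_response_code(404);
    exit;
}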

Save the link to the app on the devices you want to access it like so:

http://www.applocation.com/app.php?auth=sdfjksahdkfjshadkjrfhwaoieua3487a3wt897dywydd39d87haw387d8a3hd7a8hd387wahd089afh980a3yfh983ahf398ahsdaf

Lose your phone/tablet/whatever device you have a link to the app on, and security is immediately compromised, but considering you don't want to go down the password route, that would be the case anyway.

This will cover the majority of your security needs. It's not secure, so if you accessed it via a dodgy public network which people were snooping on, its security is compromised. However, it depends how secure you need it to be. If you're storing bank details/passwords on a webpage (which is a terrible idea anyway), I personally wouldn't even consider this option; 'just in case'. Although if it's fairly minor stuff that doesn't matter that much, it's absolutely fine. The main idea behind this is just to stop people from accidentally accessing things you don't want them to see.

Besides, if you think that maybe someone has found it out, you can just update the auth string to something different anyway.

OTHER TIPS

There are actually ways to get the user's MAC address, but these can be spoofed anyway.

I would recommend making a cookie, for you and her, and requiring data from it (like a key) as authentication, with it updating every now and then.

Updating it would protect against people that had managed to get a copy of the cookie (somehow...) from using it forever.

It could also be something like sending every request with an 'automated' username/password/auth key, into the post or get variable, to be checked by the server. Also has downfalls, as someone could be sniffing your packets. But at that point, you probably have bigger problems.
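
The cookie-with-rotation idea from the tip above, as an added example that is not part of the original answers: each device is enrolled once, the server keeps only a hash of its key, and the key is replaced after a week. The names `TOKEN_FILE`, `COOKIE_NAME`, `ENROL_SECRET` and the `?enrol=` parameter are hypothetical, and the site is assumed to be served over HTTPS on PHP 7.3 or later.

```php
<?php
// Added example, not code from the answers. Needs PHP 7.3+ and HTTPS.
// Hypothetical names: TOKEN_FILE, COOKIE_NAME, ENROL_SECRET, the ?enrol= parameter.
const TOKEN_FILE   = '/var/lib/myapp/device_tokens.json'; // keep outside the web root
const COOKIE_NAME  = 'device_key';
const ROTATE_AFTER = 7 * 86400; // replace a device's key after a week
function loadTokens(): array {
    $data = json_decode((string) @file_get_contents(TOKEN_FILE), true);
    return is_array($data) ? $data : [];
}
function saveTokens(array $tokens): void {
    file_put_contents(TOKEN_FILE, json_encode($tokens), LOCK_EX);
}

// Create a random key, store only its SHA-256, and send the key to the browser.
function issueToken(array &$tokens): void {
    $token = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $token)] = time();
    setcookie(COOKIE_NAME, $token, [
        'expires' => time() + 365 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function authenticateDevice(): bool {
    $presented = $_COOKIE[COOKIE_NAME] ?? '';
    if (!is_string($presented) || $presented === '') return false;
    $hash   = hash('sha256', $presented);
    $tokens = loadTokens();
    foreach ($tokens as $stored => $issued) {
        if (!hash_equals((string) $stored, $hash)) continue;
        if (time() - $issued > ROTATE_AFTER) { // rotation: copies of the old key stop working
            unset($tokens[$stored]);
            issueToken($tokens);
            saveTokens($tokens);
        }
        return true;
    }
    return false;
}

// One-time enrolment per device: visit once with ?enrol=<ENROL_SECRET>.
$secret = getenv('ENROL_SECRET') ?: '';
$enrol  = $_GET['enrol'] ?? '';
if ($secret !== '' && is_string($enrol) && hash_equals($secret, $enrol)) {
    $tokens = loadTokens(); issueToken($tokens); saveTokens($tokens);
} elseif (!authenticateDevice()) {
    http_response_code(404); exit;
} // otherwise fall through and run the app
```

Unsetting `ENROL_SECRET` once all devices are enrolled closes the enrolment path, and deleting a device's entry from the token file revokes a lost phone without affecting the others.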

What you're trying to achieve is not possible. HTTP isn't designed to provide hardware-specific identifiers, the only "identifier" is the User-Agent which isn't identifying at all, and it can be spoofed, so the browsers don't even access that information. It's not technically possible.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow