How to get client MAC address by an access on a website? - client-side

I have my website, and it records the number of visitors, IP and time of access...
I want to identify each visitor... I think that this was possible by recording the IP address... but when the IP is dynamic, my system fails. So I think that I can solve it by recording the MAC address... is it possible? What language should I use? PHP, ASP, JavaScript?
Thanks
Edit: What can I use to identify each user without having login information (username & pwd)?

The MAC address, by TCP/IP standards, is never communicated outside of the local-area network to which it pertains — routers beyond that LAN don't even get the information you're trying to record.
There are many other ways to try and identify unique visitors, including matching the user-agent's details in addition to the IP, serving cookies as part of your response, etc… it is, after all, a core functionality in the field of "web analytics".
MAC addresses are simply not part of the gamut of techniques that it makes sense to utilize for it!

It is only possible if you use a technique where you install a "native" app on the client machine. For example, an ActiveX component, Java applet or a client application. Then that application, once installed, can get the MAC and then call your web server with the MAC as an argument. In other words, you have to build your own front end "browser" to handle logging in. Then once the user is logged in, you can launch the app in the default browser.
It would be nice if future browsers allowed users to give permission to specific sites to access the MAC. Then if a site had a button that said "Register this device" the web application could do so without needing an additional native app installed (after all, the browser IS a native app).

Can't you just have them store a cookie, so that when they come back they can be uniquely identified? No username/password requirement.
http://en.wikipedia.org/wiki/HTTP_cookie

Sorry, but sending the MAC address isn't part of HTTP. However, you can use a cookie to identify different users. Any backend language will do (add the cookie on the server side). You can set the cookie on the client side using JavaScript too.
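
The cookie approach from the answers above, as an added example (not code from any of the posters): the server issues a random visitor ID with an HMAC tag and accepts only IDs whose tag verifies, so a visitor is recognised even when the IP address changes. The cookie name `visitor_id`, the function names and the sample secret are assumptions made for this example.

```javascript
// Added example: signed visitor-ID cookie (names and secret are illustrative).
const crypto = require('node:crypto');

const COOKIE_NAME = 'visitor_id'; // hypothetical cookie name

// HMAC-SHA256 tag over the visitor ID, so the server can spot forged values.
function tagFor(id, secret) {
  return crypto.createHmac('sha256', secret).update(id).digest('base64url');
}

// Build the Set-Cookie header value for a first-time visitor.
function issueVisitorCookie(secret) {
  const id = crypto.randomBytes(16).toString('hex'); // 128-bit random ID
  const value = `${id}.${tagFor(id, secret)}`;
  const header = `${COOKIE_NAME}=${value}; Max-Age=31536000; Path=/; ` +
    'HttpOnly; Secure; SameSite=Lax';
  return { id, header };
}

// Return the visitor ID from a request's Cookie header, or null when the
// cookie is absent, malformed, or its tag does not verify.
function readVisitorId(cookieHeader, secret) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    const [id, tag] = part.slice(eq + 1).trim().split('.');
    if (!/^[0-9a-f]{32}$/.test(id || '') || !tag) return null;
    const expected = Buffer.from(tagFor(id, secret));
    const given = Buffer.from(tag);
    const ok = given.length === expected.length &&
      crypto.timingSafeEqual(given, expected); // constant-time comparison
    return ok ? id : null;
  }
  return null;
}

// Constructed demo: first visit issues the cookie, a later visit presents it.
const SECRET = 'demo-secret-change-me'; // constructed sample key
const first = issueVisitorCookie(SECRET);
const cookieSentBack = first.header.split(';')[0]; // "visitor_id=<id>.<tag>"
console.log(readVisitorId(cookieSentBack, SECRET) === first.id); // true
```

The ID identifies a browser profile rather than a person: clearing cookies or switching browsers yields a new ID.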

Related

Simple Security setup on WebApi

I'm currently in the process of exposing our internal CRM system to the web so our employees can use it outside our network. The data is being surfaced to our web application via ASP.NET WebAPI.
We have SSL set up on the website. But I am thinking about how else I can make sure the WebAPI is secure from malicious use. My ideas are:
1. Tracking what IP addresses are accessing the WebAPI and only allowing addresses that we have validated are from employees. The problem with this is that, with dynamic IP addresses, we might be constantly updating a data store of valid IP addresses.
2. The user has to log in to the system. So every request to the WebAPI will send across their login details, which will be validated before the WebAPI will process any request.
3. Pass the device ID of the device using the WebAPI and validate it (pretty much the same as IP address tracking in idea 1).
4. Having a unique client-side generated access token which must match up at the server side.
Has anybody got any advice on the security ideas I outlined? Is it too little or is it overkill?
Just want to make sure the data cannot be hacked, because my butt would be on the line if it did.
Thanks in advance

I would actually choose a totally different solution - updating valid dynamic IPs will be hell.
I would:
1. Create a new Project using the "Intranet Application" instead of using "Internet Application"
2. Host the application on your local office network
3. Set up a VPN to your office for your colleagues
Would this solution be possible for you?

Smart Card Authentication with ASP.NET

What are the steps required to get smart-card authentication working in ASP.NET?
Smart-card reader is installed and works properly on the client's machine
User navigates to the Login.aspx page and is prompted to swipe his access card
How do I authenticate the user?
Thanks.

The only way that I know to access a hardware device on a client machine through ASP.NET is by writing an ActiveX control. Doing this will render the site useless to anyone not running Internet Explorer. Based on my experience, you can say that IE is your standard, but there will be people attempting to use other browsers. And that's fine as long as you have the support of your App Admin team to say, "Sorry, use IE or don't use it at all".
Assuming you already know how to access the Smart Card reader's API, and you can successfully read and decode that data, your next step is authenticating that data.
Again, you haven't given me any information here, so I'll assume that you have a database, against which you will need to validate the data you got from the smart card.
If the above returns true then it's simply a case of calling FormsAuthentication.RedirectFromLoginPage, or if you want more granular control of the authentication cookie, then you can create your own FormsAuthenticationTicket.

If this is a plug and play device and your clients are part of an AD domain, then simply enabling Windows authentication allows you to enable smart card authentication without needing to resort to custom ActiveX controls and browser plugins.
A couple of pointers in that direction:
IIS supports client certificates
IIS Forum thread: Configuring IIS 7.5 to read certificates from a smart card

Standard way to statically sign a web page

Suppose I have a valid (i.e. signed by one of the commonly trusted authorities) cryptographic certificate on my server. I could obviously use it to establish https sessions and deliver the contents with confidentiality (only the endpoints can read them), authentication (both endpoints know who they're talking to) and reliability (the message can't be tampered with).
Now suppose that I actually don't care about the first two but, instead, I just need the last one. For example, let's say I have a static resource that I would like to sign (a-la PGP) so that I can give it to other untrusted hosts: if my certificate is public and the resource has been signed with it, any client should be able to verify that the resource has not been tampered with (e.g. by the untrusted host).
The question now is: is there a standard way to statically sign a web page? (I obviously mean something built into all browsers.) I'm aware of someone (Unhosted) who's trying to accomplish something like this by implementing much of the logic via JavaScript, but still I'm wondering if a more standard way exists.

I'm not aware of any such standard implementation built into a browser.
Even in the mail area, where such behavior has been "standard" for a long time (S/MIME), we find issues every other day with different clients, relays and servers.
For a download you may revert to sending a PKCS#7 container and associate a tool that unpacks and verifies. At least plugins and helper applications are available everywhere.

I'm also not aware of any standard implementation like that within a browser. But, to back up a bit... some things to consider:
For executable content (like downloaded EXE files, ActiveX controls, Windows Installer, etc.), a common / standard solution is Microsoft Authenticode. See http://www.tech-pro.net/code-signing-for-developers.html. Similar solutions for Java, Adobe, etc. The CA you buy the cert from will verify your identity. When you sign an EXE file with a cert from a trusted CA, Internet Explorer will display the signer information / less scary warning message. Same goes for UAC elevation prompts in Windows Vista/7. You're probably familiar with this?
But for the static content situation, the standard solution is SSL. May I ask why SSL isn't an acceptable solution in your application?
The problem I see is that there's no way for the user to verify the identity of the web page from the web browser, other than clicking the SSL "lock" icon in the browser to view the certificate. The new SSL EV certificates should verify that you control the domain in question, and that you are who you say you are (i.e. not be able to get a "PayPal" certificate for www.paypal.com.hacker.cz).
It sounds from your question that you're looking for an "Authenticode for web pages" sort of thing: a certificate with a subject not tied to a domain name and where the web page could go anywhere. Unfortunately, I'm not aware of any such thing for standard HTML files. I believe you can sign things like Adobe AIR applications, which can be based on HTML / JavaScript / etc., although I'm not familiar with that platform. It does place the web page outside of the user's normal web browser, of course.
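
What the question asks for can be done at the application level with a detached signature that the client checks itself. The following is an added example, not code from the posters and not a browser feature: it uses an Ed25519 signature from Node's `crypto` module in place of the PKCS#7 container mentioned above, signs the resource's path together with its SHA-256 digest so that an untrusted host cannot substitute a different signed file, and assumes the client obtained the publisher's public key from a trusted channel. All function names and sample values are made up for the example.

```javascript
// Added example: detached signature binding a static resource to its path.
const crypto = require('node:crypto');

const sha256Hex = (bytes) =>
  crypto.createHash('sha256').update(bytes).digest('hex');

// The signed statement binds the content hash to the path it is published at.
const statement = (path, digest) => Buffer.from(`${path}\n${digest}`, 'utf8');

// Publisher: produce a detached manifest to ship next to the resource.
function signResource(path, bytes, privateKey) {
  const digest = sha256Hex(bytes);
  const sig = crypto.sign(null, statement(path, digest), privateKey);
  return { path, sha256: digest, sig: sig.toString('base64') };
}

// Client: returns 'ok' or the reason the copy from the untrusted host is rejected.
function verifyResource(requestedPath, bytes, manifest, publicKeyPem) {
  const key = crypto.createPublicKey(publicKeyPem);
  const sig = Buffer.from(manifest.sig, 'base64');
  const signed = statement(manifest.path, manifest.sha256);
  if (!crypto.verify(null, signed, key, sig)) return 'bad-signature';
  if (manifest.path !== requestedPath) return 'wrong-resource';
  if (sha256Hex(bytes) !== manifest.sha256) return 'content-modified';
  return 'ok';
}

// Constructed demo: a throwaway key pair and a sample page.
const keys = crypto.generateKeyPairSync('ed25519');
const publisherPem = keys.publicKey.export({ type: 'spki', format: 'pem' });
const page = Buffer.from('<h1>Release notes</h1>');
const manifest = signResource('/notes.html', page, keys.privateKey);
const edited = Buffer.from('<h1>Edited notes</h1>');
console.log(verifyResource('/notes.html', page, manifest, publisherPem));   // ok
console.log(verifyResource('/notes.html', edited, manifest, publisherPem)); // content-modified
```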

Find Out if ASP.NET Request Came From Local Machine

I've built an ASP.NET application that's using Forms Authentication. In our hosting account control panel, I set up an automated task that requests a web page once per week. When the page loads, a number of emails are sent out.
I'd just like to know if there's any way to determine in the code-behind if the request is coming from the local machine (as with Windows authentication). Using a separate web.config file in the page sub-directory with Windows authentication mode doesn't work.
The application will work fine either way. I'm requiring that a specific Guid value be present in the query string, so it's very unlikely that the task will be executed by mistake. I'd just like to learn something new while I'm working on this, and I'd like to see if I can add this little bit of extra verification.
Thanks very much for any advice.

Request.IsLocal
The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.

Request.Url.IsLoopback

Can IE/ASP.NET read the LAN ID of a user

We are doing the analysis phase of a call centre system. To get round a potential tricky authentication problem, we might need to read the LAN ID of the agent and use that as their user id in the system.
Is it possible to read the LAN ID from ASP.NET, or even from JavaScript?

If you switch on Integrated Windows authentication for the website (and switch off anonymous access) then the user will be authenticated by their domain account whenever they access the website. You can retrieve their username in code using
Page.User.Identity.Name
I have done this successfully in several intranet applications in the past.

I'm not sure what a LAN ID is exactly. I'll just assume you mean a MAC address?
If so, I don't believe it's possible to obtain that via ASP.NET without an ActiveX control or something being installed on the client side.
And of course, MAC addresses can be changed (new network card, etc.) and be spoofed, so that may or may not be potentially problematic in your situation.

You can get the caller's LAN IP from the Request. http://msdn.microsoft.com/en-us/library/system.web.httprequest.userhostaddress.aspx
