6

I have a website and I want it to be accessible only by authorized clients/browsers (e.g. with a certificate).

The idea is that the users can only access the webpage in their office's computers (situated in different geographical areas, and they're different companies, so I cannot check IP or install something manually).

I was thinking of some installable private key certificate or something like that.

What choices do I have?

EDIT:

I'm using PHP

user1532587
  • This is a bit unclear. Are you looking for a way to restrict access to your website to only certain networks? Or certain browsers? – Arun Apr 18 '14 at 13:37
  • to certain browsers – user1532587 Apr 18 '14 at 14:02
  • I think your question is confusing people who think by "certain browsers" you mean "IE 8 but not Opera" when in fact you mean "this installed piece of software". You could create a custom browser distro, but that has a whole set of maintenance headaches. Also you are faced with the problem of the user just copying the cert/install/whatever and running it at home anyway. What is your extreme use case that would justify such an extreme diversion from using a login? – Digital Chris Apr 18 '14 at 14:30
  • I'm sorry but I think it is clear. There are some entities like banks that ask you to download and install a certificate in your browser in order to start using the home banking application. I need to do the same thing, in order to allow some computers/browsers to be authorized. – user1532587 Apr 18 '14 at 14:33
  • Certificates authorise a user and not a browser. Once you give a certificate, there is nothing to stop the user from exporting the certificate and importing it into the browser on any machine he wants. – user93353 Apr 18 '14 at 15:33
  • I'm gonna ask the obvious question: why not just give authorized users usernames and passwords? – KnightOfNi Apr 19 '14 at 03:05
  • If there is nothing to stop a user from exporting a cert, then there is nothing to stop a user from giving a password either. GUYS! This is a simple question, easy to understand. – Konrad Gajewski Mar 28 '20 at 06:38

8 Answers

4

There's a very interesting use case in this other answer, using client-side certificates:

Why would the BBC web site always ask for a personal certificate, and how do I avoid giving it away?

Another quick-and-dirty option might be implementing a VPN and shifting the domain of the problem from PHP to system administration. This might prove useful if, in the future, you need to give access not only to a website, but also to other resources such as shared folders, etc.

lorenzog
3

That's a long story; I can't comment, so I'll leave it as a link here: Using SSL Client Certificates with PHP

Also you may take a look at the Apache SSLRequire directive, maybe a bit shorter story.

Also the PHP OpenSSL module: php.net/openssl

Plenty of stuff around that question.

MolbOrg
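As an added example (it is not code from the answer above or from the linked article), here is what the PHP side of the client-certificate approach looks like once Apache's mod_ssl has verified the certificate. The Apache directives in the comment, the CA name, the fingerprint allowlist and the function name are assumptions standing in for your own values.

```php
<?php
// Added example: gating a PHP page on a client certificate that Apache has
// already verified. Assumed mod_ssl configuration for the vhost:
//
//   SSLVerifyClient require
//   SSLVerifyDepth 1
//   SSLCACertificateFile /etc/ssl/private-ca/ca.crt   # only your own issuing CA
//   SSLOptions +StdEnvVars +ExportCertData
//
// Apache does the cryptographic work (signature, chain, validity period);
// PHP only decides which of the *verified* certificates are authorized.

declare(strict_types=1);

// Allowlist keyed by the SHA-256 fingerprint of each issued client certificate.
// Hypothetical values; obtain real ones with
//   openssl x509 -noout -fingerprint -sha256 -in client.crt
const AUTHORIZED_CLIENT_FINGERPRINTS = [
    '0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0' => 'office-paris-ws01',
];

// Issuer CN that every accepted certificate must carry (your private CA).
const EXPECTED_ISSUER_CN = 'Example Corp Client CA';

/**
 * Returns the label of the authorized workstation, or null if the request
 * must be refused. $server is $_SERVER, passed in so the check can be exercised
 * from a script without a web server.
 */
function authorizedClient(array $server): ?string
{
    // 1. Apache must report a successful chain verification. "NONE", any
    //    "FAILED:..." value, or an absent variable means no trusted certificate.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    // 2. The PEM certificate is only exported with +ExportCertData.
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    if ($pem === '') {
        return null;
    }
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        return null;
    }
    // 3. Defence in depth: refuse certificates not issued by our CA, even if a
    //    misconfiguration later adds another CA to SSLCACertificateFile.
    if (($info['issuer']['CN'] ?? '') !== EXPECTED_ISSUER_CN) {
        return null;
    }
    // 4. Authorize by fingerprint, not by CN: a CN is free text chosen at
    //    issuance, a fingerprint identifies exactly one certificate.
    $fingerprint = openssl_x509_fingerprint($pem, 'sha256');
    if ($fingerprint === false) {
        return null;
    }
    foreach (AUTHORIZED_CLIENT_FINGERPRINTS as $allowed => $label) {
        if (hash_equals($allowed, $fingerprint)) {
            return $label;
        }
    }
    return null;
}

$client = authorizedClient($_SERVER);
if ($client === null) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("A valid client certificate issued by our CA is required.\n");
}
// From here on, $client names the authorized workstation.
```

The fingerprint allowlist also answers the "user exports the certificate" objection raised in the comments: you cannot stop the copy, but a leaked or decommissioned certificate is revoked by deleting one line (or by adding it to an Apache SSLCARevocationFile), without re-issuing anything to the other offices.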
2

On the server, it's easy to check the headers of each HTTP request (the User-Agent header, in your case) and redirect to a landing page that explains why the browser can't be used, and which browsers are supported.

You'll need to install a form of authentication to validate requests originating from unauthorized clients. Installing an X.509 certificate on each client might be an option in some cases, but sure sounds like a maintenance problem. You'll probably be better off by providing sign in functionality, for which various solutions exist.

Steven Volckaert
  • And then how can I check the certificate in the server? – user1532587 Apr 18 '14 at 14:04
  • What's your requirement on _how_ to do that? Must the client certificate be installed through the website? Besides, if you're _in_ the office, you can easily setup access control using _Active Directory_ or another [directory service](http://en.wikipedia.org/wiki/Directory_service). – Steven Volckaert Apr 18 '14 at 14:10
  • It would be better through the website since I'll have users in different geographical areas. – user1532587 Apr 18 '14 at 14:12
  • Note that HTTP headers are trivial to forge, and in fact some browsers provide tools or plugins to help you do this (ie, `User-Agent` won't tell the truth). – Clockwork-Muse Apr 19 '14 at 03:14
2

Limiting access for the web browser (user-agent) is something that is very easy to manipulate using a tool like Tamper data. You can change the header to make it look like the request is coming from any browser you want. If you want to make sure they can only access the website from the office (if this is one location) you could restrict access based on IP address. Other than that I think you will have to use some sort of scenario where you install certificates on the client to confirm who they are.

BadSkillz
1

You could set up SSL and create your own certificate. I believe there is an option to create something like client approved certificates. That means that you need to install the client part of the certificate on the client (the browser). If the client doesn't have this installed, it won't work.

To be honest - this is something that I read about last week, and before that I didn't know it existed. Right now I can't find it back, and it could be called something else.

SPRBRN
1

You are looking for symmetric key encryption here. Both keys must be kept secret. This can be done on the application level of your system.

Here is a sample algorithm:

  1. Generate a key for each user to be authenticated.
  2. Give the key(s) to the user(s) (use Diffie-Hellman).
  3. Calculate sent_challenge = encrypt(k1,challenge) and add it to a queue with some identifier for each client.
  4. Send it to the client; the browser should calculate the challenge back by recv_challenge = decrypt(k1,sent_challenge).
  5. Now compare sent_challenge ?= recv_challenge.

Note: k1 here is the key for the connecting client.

AK_
  • Not necessarily. You might have something like this: **1**. The server sends out a random text. **2**. The browser encrypts the text with a key **3**. The browser sends the encrypted text to the server **4**. The server verifies the browser and allows further access. – Konrad Gajewski Mar 28 '20 at 06:50
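The exchange sketched in the comment above (server sends a random value, the client proves it holds a per-client secret, the server verifies), written out as an added example that is not code from the answer or the comment. It uses an HMAC over the challenge instead of encrypting it, so the reply cannot be replayed and no plaintext/ciphertext pair leaves the client; the names, the sample secret and the in-memory tables are assumptions, and the "client" function stands in for code running on the workstation.

```php
<?php
// Added example: single-use, expiring challenge-response with a per-client
// shared secret. Hypothetical identifiers throughout.

declare(strict_types=1);

const CHALLENGE_TTL_SECONDS = 60;

// Server side: per-client secrets (constructed sample data; in production
// these live in a database and are issued once per workstation).
$clientSecrets = [
    'office-berlin-ws07' => random_bytes(32),
];

// Server side: outstanding challenges keyed by client id. Each challenge is
// consumed on first use and expires, which is what defeats replay.
$pendingChallenges = [];

/** Server: create a fresh challenge for a client and remember it. */
function issueChallenge(array &$pending, string $clientId): string
{
    $nonce = bin2hex(random_bytes(32));            // 256-bit unpredictable value
    $pending[$clientId] = ['nonce' => $nonce, 'issued' => time()];
    return $nonce;
}

/** Client: answer the challenge with its secret, binding client id and nonce. */
function computeResponse(string $secret, string $clientId, string $nonce): string
{
    return hash_hmac('sha256', $clientId . "\n" . $nonce, $secret);
}

/** Server: check the answer. The challenge is consumed whether or not it matches. */
function verifyResponse(array &$pending, array $secrets, string $clientId, string $response): bool
{
    $challenge = $pending[$clientId] ?? null;
    unset($pending[$clientId]);                    // exactly one attempt per challenge
    if ($challenge === null || !isset($secrets[$clientId])) {
        return false;
    }
    if (time() - $challenge['issued'] > CHALLENGE_TTL_SECONDS) {
        return false;                              // stale challenge
    }
    $expected = computeResponse($secrets[$clientId], $clientId, $challenge['nonce']);
    return hash_equals($expected, $response);      // constant-time comparison
}

// One round trip between the two sides.
$id    = 'office-berlin-ws07';
$nonce = issueChallenge($pendingChallenges, $id);                     // server -> client
$reply = computeResponse($clientSecrets[$id], $id, $nonce);           // client -> server
$ok    = verifyResponse($pendingChallenges, $clientSecrets, $id, $reply);
$again = verifyResponse($pendingChallenges, $clientSecrets, $id, $reply);
var_dump($ok, $again);
```

The first verification succeeds; the second fails because the challenge was removed from `$pendingChallenges` on the first attempt, so a captured reply is useless to anyone who replays it. The secret on the workstation is still a file that a user can copy, exactly like an exported certificate, which is the trade-off the comments on the question are pointing at.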
1

Create a "sign up" page which sets a cookie to a random GUID. On other pages, check the cookie value. The authentication process is now simply a matter of adding "good" GUIDs to an authorization database.

The exact details are easily tailored. For instance, you can let users enter their affiliation, and manually check this before adding the GUID to the database. Or you just pass them the GUID by email, and the signup page simply sets the entered GUID as the cookie value.

The benefit is that the manual process can now be done from a single PC, instead of having to visit each PC.

MSalters
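An added example (not code from the answer above) of the enroll-by-token-in-a-cookie scheme, arranged so that the database stores only a hash of the token and the cookie cannot leak through plain HTTP or page scripts. The function names, the cookie name and the in-memory table standing in for the authorization database are assumptions.

```php
<?php
// Added example: device enrollment token carried in a hardened cookie.
// Hypothetical names; $authorized stands in for the authorization table.

declare(strict_types=1);

const COOKIE_NAME = 'device_token';

/** Admin side: mint a token for one workstation and store only its hash. */
function enrollDevice(array &$authorized, string $label): string
{
    $token = bin2hex(random_bytes(32));           // 256 random bits, more than a v4 GUID's 122
    // Store a hash: a dump of the table then contains nothing usable as a cookie.
    $authorized[hash('sha256', $token)] = ['label' => $label, 'enrolled' => time()];
    return $token;                                // hand this to the user out of band
}

/** Sign-up page: the user pastes the token and it becomes a cookie. */
function setDeviceCookie(string $token): void
{
    setcookie(COOKIE_NAME, $token, [
        'expires'  => time() + 365 * 86400,
        'path'     => '/',
        'secure'   => true,      // never sent over plain HTTP
        'httponly' => true,      // not readable from page scripts
        'samesite' => 'Strict',  // not attached to cross-site requests
    ]);
}

/** Every other page: map the cookie back to an enrolled device, or null. */
function deviceFromCookie(array $authorized, array $cookies): ?string
{
    $token = $cookies[COOKIE_NAME] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                              // wrong shape: reject before hashing
    }
    // Lookup by hash. Because the token itself has 256 bits of entropy, a
    // timing difference on this lookup gives an attacker nothing to work with.
    return $authorized[hash('sha256', $token)]['label'] ?? null;
}

/** Revocation is a delete on the hash; a copy on a stolen laptop dies with it. */
function revokeDevice(array &$authorized, string $token): void
{
    unset($authorized[hash('sha256', $token)]);
}

// Round trip against the in-memory table.
$authorized = [];
$token  = enrollDevice($authorized, 'office-madrid-pc03');
$before = deviceFromCookie($authorized, [COOKIE_NAME => $token]);
revokeDevice($authorized, $token);
$after  = deviceFromCookie($authorized, [COOKIE_NAME => $token]);
var_dump($before, $after);
```

`$before` resolves to the enrolled label and `$after` to null. As with a certificate, the cookie is a bearer credential: whoever copies it from the office PC is "the office PC" until the token is revoked, so the table should record enough (label, enrollment date, last-seen address) to notice when that happens.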
-1

PHP can determine which browser is running and other system details by running a bit of code.

Try to identify the MAC address of each computer with PHP, so only known computers can gain access.

tommyip