-
MAC address detection
I am running a torrent tracker and would like to make my users' accounts safer... so I would like to make an account accessible from only 1 PC, and I'd like to do this using the MAC address or CPU-ID... could it be done using PHP or any other language that could be implemented in a website? If so, which is the language and how could I do this?
-
Since you're dealing with a web site for authentication - no - the MAC address isn't one of the SERVER VARIABLES available to you. Maybe make the MAC address a part of the login. Show them how to obtain the MAC and use it to authenticate. But if they write it down and take it to another PC this idea won't work. (hoping no one can remember a MAC address)..
-
The thing is that the user isn't supposed to enter the MAC... I have to get the MAC in order to check it when somebody starts their torrent client so I can compare it to the one in the database... so I have to do this automatically... would an ActiveX component solve my problem? If yes... how do I build it... maybe a few outlines or something to start from...
-
You're not going to get the MAC address of the remote machine from the packets themselves. The packets will show the MAC address of the last router the packet passed through.
You could do it with some script or something I'm sure... But I have never used torrents so I don't know how they work.
-
It's basic PHP... if it can be done in PHP it can be done to a torrent... so... is it doable in PHP?
-
Here is an idea - during account creation - take the unix time of the new account - store it and an MD5 version of the unix time into the register database. Create a cookie on the client with the MD5 key. Now - there is no way that the hacker can hack this because he doesn't know the exact unix time of creation.
Upon future logins - query the MD5 from the cookie and unix time from database and see if they match - if not - hacking has happened. I'll have to think on this one more... sounds foolproof.
-
And what if the user hits the "clear cookies" button... sounds like he won't be able to log in anymore.
-
I posted more on my blog - http://2advent.com:81/ViewComments.php?blogid=131
-
I think I'll have to say it once again... what if the user reinstalls Windows or deletes cookies... wouldn't he be unable to log in from that point?
-
In the case of cookies being cleared, there could be a 2nd factor authentication process on the web server, say, having a button saying "Request new cookie", then asking for your first pet's and mother's maiden name.
Just my 2p's worth
Sean
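The cookie check and the "request new cookie" step from the posts above, sketched as an added example that is not code from any poster in this thread: it keeps the store-at-signup, compare-at-login flow but swaps the MD5 of the creation time for a random token from `random_bytes`. The function names and the in-memory `$db` array are hypothetical stand-ins for the tracker's real user table.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; $db is an in-memory stand-in for the users table.

// Create a device token: the client gets the raw token (as a cookie),
// the server keeps only its SHA-256 hash.
function issueDeviceToken(array &$db, string $user): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $db[$user]['token_hash'] = hash('sha256', $token);
    return $token;
}

// Compare the cookie value against the stored hash in constant time.
function verifyDeviceToken(array $db, string $user, ?string $cookie): bool
{
    if ($cookie === null || !isset($db[$user]['token_hash'])) {
        return false;                            // cleared cookie or unknown user
    }
    return hash_equals($db[$user]['token_hash'], hash('sha256', $cookie));
}

// "Request new cookie": only after the recovery check has passed.
// Issuing a new token overwrites the stored hash, so the old cookie stops working.
function reissueDeviceToken(array &$db, string $user, bool $recoveryPassed): ?string
{
    return $recoveryPassed ? issueDeviceToken($db, $user) : null;
}

// Constructed walk-through (sample account, no real data).
$db = ['alice' => []];
$cookie = issueDeviceToken($db, 'alice');                  // at account creation
var_dump(verifyDeviceToken($db, 'alice', $cookie));        // normal login
var_dump(verifyDeviceToken($db, 'alice', null));           // cookies cleared
var_dump(reissueDeviceToken($db, 'alice', false));         // recovery check failed
$newCookie = reissueDeviceToken($db, 'alice', true);       // recovery check passed
var_dump(verifyDeviceToken($db, 'alice', $cookie));        // old cookie after reissue
var_dump(verifyDeviceToken($db, 'alice', $newCookie));     // new cookie
```

In a real login handler the returned token would be sent with `setcookie()` using its `secure` and `httponly` options.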
-
The fact is that I think we could get the MAC address through an ActiveX control built in Visual Basic... I'll have to study more about this... but the other nasty thing is that I need to compare the MAC with the one of the current computer without them accessing the website... to prevent .torrent files being stolen from users' computers, because when you download from a torrent tracker using the torrent client it goes through announce.php and this is where I'll have to check the MAC... but the thing is that announce.php is called from the torrent client and not the browser, a fact that makes this a lot trickier...
-
Good idea, but a LOT of people block ActiveX content nowadays, so you wouldn't get a MAC address back if that were the case.
-
Honestly, I think you might be taking the wrong approach here... A good authentication system will require a user to provide two things:
Something you know, and something you have...
Authentication by using MAC addresses is a weak practice at best. This is simply because the MAC is easily spoofable. In addition, just like Tiger Shark pointed out, MAC addresses are not routable over a WAN; you're going to have to provide some form of 'wrapper' to make sure that information gets to the server.
I don't know the specifics about your setup, or how secure you plan on making your service, but I think something more along the lines of Public Key Infrastructure is what you're looking for.
I'm sure you'll be able to find Perl or PHP implementations of it if you google.
-
The thing is that if you spoof your MAC you can't get on the site; you have to have the right MAC in order to do that... so you first have to find the MAC of the person that has the account.