How to grant exclusive access to a web service from just those PCs?
Using PHP/MySQL/JavaScript: I need a way to grant exclusive access to a web service from just 2 or more PCs sharing the same public IP address, which is dynamically assigned by the ISP; I can set up these PCs as needed, and I must make sure an outside PC has no access to the web service. The PCs run Windows XP. I can code the web service as needed. I can hack the allowed PCs as needed.

The allowed PCs are on the same subnet with local IP 192.168.2.x, and the public IP is the same for every PC in the place, but the problem is that it's dynamically assigned by the ISP. I can require users of the allowed PCs to use a particular browser set up by me in some way, also in kiosk mode if necessary. The PCs are equipped with Windows XP. It's OK if every PC in the local network has access to the web service, but this is not a requirement: only some PCs "must" have access to the web service, I don't care about the other ones in the network. PCs outside the network must have no access to the web service.

I need an idea or suggestions to accomplish this: it does not have to be an unhackable bulletproof system, just a quick hack to set up in a few hours or a day, which could give users the feeling they cannot access the web service from any PC other than those provided on that network.

A possible solution: writing a small batch file which writes, on every boot, a special cookie in the browser folder of every allowed PC; server-side, the PHP script would check the data in the cookie against what I know should be there, and if congruent, allow access. If some of you can think of easier or more reliable solutions I'm here waiting. Thanks
Answer:
Oh, I wasn't aware, but you should also check out the bit on the Allow From page that talks about UserAgent strings. If you can customize their browsers to send a custom user agent (which is possible with extensions on Firefox), you can restrict it to only specific computers within the target LAN. Cool stuff.
lion at Ask.Metafilter.Com
Other answers
yerfatma, This article hits the high points: http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html
- Get your website working over SSL (meaning get a cert for the server)
- Get a cert for the client (buy one or issue it from your own CA)
- Make sure the CA that issued the client cert is in the trusted root store on the server. Any cert issued by a trusted authority will be accepted by default
- Set the site to require client certificates
- If you want to restrict access to only certs issued by a particular authority, configure a CTL: http://support.microsoft.com/kb/313071
mrbugsentry
Why not simply use the authentication capabilities of your web server? If it's Apache, you can use .htaccess and .htpasswd files. Search for implementation specifics, but it's fairly easy. The local IP addresses on the user's network aren't going to matter at all, since they're NAT'ed to a single public address. If you don't want to use traditional authentication, you can use http://httpd.apache.org/docs/1.3/mod/mod_access.html directive and specify an IP address or domain name. Since the IP changes every now and then, you'll need to set up an account with http://www.dyndns.org or another similar service. This maps your dynamically-assigned IP to an unchanging domain name. The mapping is traditionally accomplished by a service running on one of the PCs in your network that will always be on.
odinsdream
How about requiring http://www.vanemery.com/Linux/Apache/apache-SSL.html
uandt
Client certificates are the right way to restrict access to a certain PC. I know how to do this on IIS, and http://www.garex.net/apache/ should get you started with the Apache side.
mrbugsentry
Damn. 10 seconds late.
mrbugsentry
mrbugsentry, would you mind posting a quick primer on the IIS version (or just a link)? Thanks.
yerfatma
As I said in the question, I needed a quick hack to accomplish the task, so even if the certificate solution can be explored, it requires too much study and work for the actual requirements. The suggestion of checking the User-Agent and changing it on the browsers that will be used on the allowed PCs, filtering with the "Allow From" rule in .htaccess, is a nice quick solution, hackable of course but working well for the limited amount of time I'll need it. With more time, I'll dig into the certificates method. Thank you
lion
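
The two approaches discussed in this thread, side by side, as an added example that is not taken from any of the posts: the User-Agent gate and the client-certificate requirement. It assumes Apache 2.2-style access directives and mod_ssl; the User-Agent token, host name and file paths are constructed placeholders.

```apache
# Added example. Use Option A or Option B, not both.
# The token, host name and paths below are placeholders.

# --- Option A: the quick hack (User-Agent gate) ---
# Any client that sends this header value is admitted, from any network.
# The header is chosen by the client, so this hides the service from
# casual visitors but does not authenticate the PC.
<Directory "/var/www/service">
    SetEnvIf User-Agent "KioskBrowser-EXAMPLE/1\.0" allowed_kiosk
    Order Deny,Allow
    Deny from all
    Allow from env=allowed_kiosk
</Directory>

# --- Option B: client certificates ---
# The TLS handshake fails unless the browser presents a certificate
# signed by the private CA below, whatever public IP the PC comes from.
<VirtualHost *:443>
    ServerName service.example.invalid
    DocumentRoot "/var/www/service"

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust only the CA that issued the certificates installed on the allowed PCs.
    SSLCACertificateFile  /etc/apache2/ssl/kiosk-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Directory "/var/www/service">
        # Expose certificate fields to PHP, e.g. $_SERVER['SSL_CLIENT_S_DN_CN'],
        # so the application can log which PC made each request.
        SSLOptions +StdEnvVars
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
```

A host name given to `Allow from` is matched through a reverse DNS lookup of the client address, so a dynamic-DNS name that has only a forward record will not match the ISP-assigned IP.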