开发者

Recognise user without using IP

开发者 https://www.devze.com 2023-04-03 18:43 出处:网络
I need to gran开发者_Python百科t access to user with or without credentials. I have tried the SERVER[remote_addr] but it didn\'t work due to dynamic IP used in the company.

I need to gran开发者_Python百科t access to user with or without credentials.

I have tried the SERVER[remote_addr] but it didn't work due to dynamic IP used in the company.

Any suggestions?


Three easy steps:

  1. Make a static page (unrelated to your application, say it's at http://company.com/boss) that redirects to your application using some special URL parameters (e.g. have it redirect the browser to http://company.com/application/index.php?super_secret=IAMTHEBOSS).
  2. Have your application recognize the super_secret=IAMTHEBOSS variable and allow access without credentials.
  3. If someone obtains unauthorized access to the application (e.g. by simply hitting the http://company.com/boss URL), explain to your boss that they should fire themselves instead of you because this massive security hole was left open at their insistence.


There's no good solution for this other than using credentials, or perhaps, try manually "injecting" a cookie to your boss's browser, but that would probably be difficult.


Explain to your boss that this is not possible without creating a major security hole.


You could use a cookie on your bosse's machine but this would expire at some point so credentials would need to be put in again when that happened. If you have no way of locking down who is accessing your application it is a massive security risk to not use credentials. Doing this by IP address is not secure either as IP addresses can be easily spoofed.

0

精彩评论

暂无评论...
验证码 换一张
取 消