Level 102
You can but the user can always fake their user agent.
Sep 15, 2022
16
Level 2
Is it possible to find out in PHP whether request is initiated from which device ?
i was just curious that is it possible to restrict some users to only allow login in our panel from particular devices only .
I was finding some details from $_SERVER and i got this
Array
(
[USER] => instantpay
[HOME] => /Users/instantpay
[HTTP_SEC_FETCH_USER] => ?1
[HTTP_SEC_FETCH_SITE] => same-origin
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_DEST] => document
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_COOKIE] => ci_session=qk33mhf5a33i6b9gqa2p7pb2rdv25gtt
[HTTP_REFERER] => http://matri.localhost/admin/home
[HTTP_CONNECTION] => keep-alive
[HTTP_DNT] => 1
[HTTP_ACCEPT_ENCODING] => gzip, deflate, br
[HTTP_ACCEPT_LANGUAGE] => en-GB,en;q=0.5
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
[HTTP_USER_AGENT] => Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
[HTTP_HOST] => matri.localhost
[REDIRECT_STATUS] => 200
[SERVER_NAME] => matri.localhost
[SERVER_PORT] => 80
[SERVER_ADDR] => 127.0.0.1
[REMOTE_PORT] => 57976
[REMOTE_ADDR] => 127.0.0.1
[SERVER_SOFTWARE] => nginx/1.21.4
[GATEWAY_INTERFACE] => CGI/1.1
[REQUEST_SCHEME] => http
[SERVER_PROTOCOL] => HTTP/1.1
[DOCUMENT_ROOT] => /var/www/matrimonial
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /admin/add-client
[SCRIPT_NAME] => /index.php
[CONTENT_LENGTH] =>
[CONTENT_TYPE] =>
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[SCRIPT_FILENAME] => /var/www/matrimonial/index.php
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1663224155.1239
[REQUEST_TIME] => 1663224155
)
except remote address, is there any way or any other methods by which i would be able to find out whether my request is from which device ?
Or any unique device id kind of thing
Thanks !!
Level 2
@Sinnbeck is it too easy to tamper user agent ?? as my end users are layman so if it is too easy then i have to find out some other alternative
Level 102
@rohansinghrawat If it that big an issue then you should make a native app instead of a browser app. So ask yourself, whats the worst that can happen if they sign in using chrome on linux?
Level 2
@Sinnbeck actually i just want to user restrict from logging in my panel when they are trying from another devices so that they only can accesss our panel from specifc desktops which is i n our offices .
Level 102
@rohansinghrawat Then only allow access using the office IP? But they can still use any computer in the office. So make sure only those specific desktops are allowed to access the internet in the office. Or put them on a different VLAN and run the site on an internal server
Level 2
@Sinnbeck yes i was thinking the same but the office IP changes frequently as I dont have static IP
Level 102
@rohansinghrawat Then host the server in house?
To make it clear. There is no way of knowing the device being used from a browser. That is a security measure.
Another idea. Wrap the website in an electron app and only install it on those computers
Level 2
@Sinnbeck okay will try and thanks for your suggestions
Level 122
if you only want to allow them to login from certain devices then you would need to place a cookie on that device
Only guessing though as you don't explain the business problem
Level 2
@Snapey i just want to allow user login only from my provided devices
Level 122
When a device connects, check if it has your 'authorised_device' cookie
If not, you could ask them something about the device, such as an asset number. If the device is verified, send them an authorised device cookie.
Level 2
@Snapey okay this sounds helpful to me ... so let me implement once and thanks for suggesting me
Level 102
@rohansinghrawat Just remember that I can easily use my personal pc and just give you the device ID of one of the desktop computers if I wanted :)
Level 2
@Sinnbeck as cookie can be exposed right?
Level 102
@rohansinghrawat Lets say I want to use my personal pc for some reason. I open the website and it asks for asset number.
you could ask them something about the device, such as an asset number.
So I walk over to one of those desktop pc's and note down its asset number, and go back to my own pc and type it in. Its a bit like a password system, where the passwords are written on post-its :)
Level 2
@Sinnbeck i was thinking for some solution which is like let user login and during login ask them one code which is unique and only admin will provide him then once user login successfully i generate one cookie for that system and also in my backend i update that unique code so that it cant be used again only admin can access that code ... and this process continues for other users as well .... not the best approach but just thinkking out of box ...
Please or to participate in this conversation.