We allow users to access content on our web site with a username and password. But we would like to restrict the users to just doing this on 1 or 2 computers by allowing them to "register" their device.

What I have tried:

I was thinking something from the old school days of installing an ActiveX control -- or just anything installed, we could check to see if installed and then allow access to the content.

1 solution


Solution 1

I don't think you can achieve this in the way you want to, i.e. have "registered devices".

In order to have a registered device you would need a unique way to identify the device being used. This becomes difficult with a web application because you don't have access to enough of the device's information to get a unique identifier - you may be able to get something that is probably unique enough, but unreliable at best.

So you might think to create a unique cookie that identifies the machine. That cookie is known by your server app (stored in DB) and can be used to authenticate all requests from that machine - simple enough. The problem is that cookies are accessible, modifiable and copy-able... so not a great solution. Not to mention they can easily be lost by the browser and then you have the pain of having to fix the problem for your user.

If you were happy with the risks of either then maybe you can do something. Grab all information you can get from the client machine and try to build a unique id. Something like what is suggested here.[^] Then use that to identify the machine - just don't expect it to be flawless.

However, my suggestion would be to forget the approach you are taking and instead look at limiting the number of concurrent connections. This can easily be done with any type of token based authentication...

Every time a user logs in, you store the new token in your DB as "valid" and you make sure to invalidate all other previous tokens from the list (just delete them).
Then when you get a request to handle, you can check the authentication token and make sure it is a valid one.
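
The token scheme described in this answer, as an added example that is not part of the original answer or CodeProject's code: each login stores a new token and evicts older ones, and each request is checked against the stored set. The table name, function names and the `max_sessions` parameter are assumptions; `max_sessions` generalizes the answer's single-session case so the "1 or 2 computers" limit from the question can be expressed, and tokens are stored as SHA-256 digests rather than in the clear.

```python
import hashlib
import secrets
import sqlite3

MAX_SESSIONS = 1  # assumption: 1 matches "invalidate all other previous tokens"

def open_store():
    # In-memory store for the example; a real site would use its own DB.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE session_tokens ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " username TEXT NOT NULL,"
        " token_hash TEXT NOT NULL UNIQUE)"
    )
    return db

def _hash(token):
    # Store only a digest so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def login(db, username, max_sessions=MAX_SESSIONS):
    """Call after the password check succeeds; returns the new token."""
    token = secrets.token_urlsafe(32)
    with db:  # one transaction: add the new token, evict the oldest ones
        db.execute(
            "INSERT INTO session_tokens (username, token_hash) VALUES (?, ?)",
            (username, _hash(token)),
        )
        db.execute(
            "DELETE FROM session_tokens WHERE username = ? AND id NOT IN ("
            " SELECT id FROM session_tokens WHERE username = ?"
            " ORDER BY id DESC LIMIT ?)",
            (username, username, max_sessions),
        )
    return token

def authenticate(db, token):
    """Return the username for a still-valid token, else None."""
    row = db.execute(
        "SELECT username FROM session_tokens WHERE token_hash = ?",
        (_hash(token),),
    ).fetchone()
    return row[0] if row else None

def logout(db, token):
    with db:
        db.execute("DELETE FROM session_tokens WHERE token_hash = ?", (_hash(token),))
```

With `max_sessions=2`, a third login from another browser silently signs out the oldest session, so sharing credentials widely keeps knocking the legitimate user's own devices offline.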
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



