I want to block a specific user to access my website. I know it is not possible with Dynamic IP. Is there any other alternate to block the specific user to access website? I'm currently at APACHE LINUX based server.
The user manages web account at my website.
I'm managing a user account on PHP with $_SESSION variables. The user are authenticated using login and password just like any shopping cart website.
Unless the user has to log in, you have no way of knowing who is accessing your site if he's on a dynamic ip address. The only mechanism I can think of is to check any cookie that identifies the user that you've already placed on his system. This wouldn't of course stop them from accessing your site from a different machine.
Long story short - unless the user has to log in first of all, or you have some other means (cookie?) of identifying the user, then not that I know of.
can be achieved by .htaccess
to block a specific ip,
order allow,deny
deny from 127.0.0.1
allow from all
or use this to block a complete range of ip,
deny from 127.0.0
Related
We have an app that let our users use their own domain to access our platform.
For example, if our website domain is "abc.com", we allow our user to use their own domain (for example "external.net") by setting this domain to point to our server.
To achieve it, we need to set their domain each time in our "Google Console"(/Microsoft) so that the authentication (we do have a login of course) will work with their domain as well...
The thing is that we think maybe we could accomplish such a result by just forcing all our users to use our main domain (abc.com) and just after they log in, we will redirect them to their domain.
It will save us the time to add each time their domain to "Google Console"(/Microsoft).
The question is if it's something that we really can do, or google will disallow such auth if which user comes from A domain, and will use B domain with the token he got from A domain.
*If such a thing is not allowed, is it allowed by using my subdomains? like user1.abc.com / user2.abc.com etc... without having to fill those subdomains in the provider console (Google/Microsoft).
I hope the question is clear enough,
Thanks!
A note about verification of your applicaiton.
In order to have this application verified you are going to to Verify your site ownership for every domain listed as a redirect Uri or a JavaScript origin.
So the only way that is going to work is if you can prove you own those domains. By registering them in google search console.
On our intranet, I want to provide a website that certain employees can access. The work they do on the site will be recorded and tagged with their user-name for identification if the need should arise. Of course users have already logged in to their workstation and they have supplied credentials to our Active Directory.
Rather than maintain an additional set of user logins and passwords for the website, and forcing users to enter this second set of credentials, I am wondering if they can just be silently authenticated when they pull up the site? Somehow the webpage would have to find out their Active Directory user name as known on their workstation. (I see no reason it would need their password.) And then, for their work, the website can store their actions tagged with their user name.
So: I'd log in to my workstation as "Mark" in domain "ONU-AD". I'd pull up the webpage "resolveticket.php". That page would not challenge me for credentials, but it can access my username and store that with my various actions.
NOTE: I have seen some questions and answers here that were more specific. But my initial question is general: is there a piece of tech that can help with this? What is it? (for example, should I try to do this with Java?) Many similar questions are about ways to get this information in a server-side script. But I am simply wanting the webpage sitting on the client computer to be able to get the user name and perhaps place it in an input (type="hidden") on a web form.
We develop a web application.
There is a user login and a user area for the customers of a certain company.
And there is an agent/office login and area for some employees of the company who manage user account handling and so on.
The office agent has to login with his username and password.
But additionally, for security reasons, we will limit the agent/office login and area for specific IP addresses (as seen in other applications).
But we would like to have a "fallback" for certain situations where, for example, a web developer of the application needs access to the office area and has not one of the special IP addresses.
Until now we had not many ideas.
We thought of providing access when there is a very special user-agent string with a hash value.
Has anybody implemented such security mechanisms and can inform me about it?
Thanks alot in advance
I applied an htaccess file to the /administrator directory of a joomla website that is supposed to whitelist only my local ip address and my public ip address .
However, it appears that a new user account was created within that joomla account a couple of months after I applied the white list.
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 77.##.##.###
Can someone offer a theory on how this is possible?
Users can be created via front-end, even if you don't have a registration link or form there. Registration might be accessed by going to: index.php?option=com_users&view=registration
You can disable this option in Joomla back-end. To do so go to: System -> Global Configuration -> Users Manager and turn Allow User Registration to NO.
Designing a user content website and the question is for the admin section, from a security point of view, where should it be placed?
same domain and allow admin to enter site like other users from signin form using admin email
Have a separate sub-domain only for admin login
Have a separate secret domain used to access admin features
or any other suggestions?
goal is prevent anyone from knowing about the admin section and to keep it locked as much as possible.
Thanks
Actually I work on a system that uses a separate subdomain, and there's a whole another ASP.NET project dedicated for the Admin section of the parent domain.
This has many advantages for us. Some of them are:
Completly different authentication mechanism for one site and the other.
We can deploy the website without shutting down the admin site and viceversa.
Well, as a basic rule, I'd say it doesn't really matter. Your login form needs to be secure, whether it's exposed or not.
However, I understand the desire to keep the admin area hidden in any case. I personally like this variant the best:
same domain and allow admin to enter site like other users from signin form using admin email
because it doesn't leave any traces on the client computer that are easily detectable (like "admin.example.com" or "example.com/super-secret-admin-area").