限制用户访问 ASP.NET 网站的计算机数量?

发布于 2024-07-18 02:20:49 字数 511 浏览 5 评论 0原文

我正在构建一个 ASP.NET 应用程序。 其中一项要求是限制用户可以访问网站内容的不同计算机的数量(例如 5 台计算机)。 它不一定是完美的,如果没有 IT 知识的普通用户将无法省略检查 - 解决方案将是 K。

我正在考虑一种获取用户计算机指纹的方法(对于例如:MAC 和计算机名称的组合)。 当然,用户会被告知检查他们的 MAC。 然而,这很难做到,因为 HTTP 协议是无状态的。 一种解决方案是使用 ActiveX。 但它仅限于 Windows 系统,并且很容易通过安全检查(只需禁用 ActiveX,据我所知默认情况下是禁用的)。

正如我在 google 上搜索的那样,这是一个很常见的问题,但除了使用 ActiveX 之外没有其他解决方案。 有没有人遇到过这样的问题,并找到了一些好的解决方案?

用户可以位于不同的网络中。 它将是一个外联网应用程序,因此检查 IP 将不起作用(路由器和动态 IP)。

编辑:我想通过这样做来实现的是避免购买会员资格,然后将帐户数据分享给你所有的朋友。

I'm building an ASP.NET application. One of the reqiurments is to limit number of different computers from which users can access the content of the site (for example 5 computers). It doesn't have to be perfect, if a normal user, with no IT knowledge will not be able to ommit the checking - the solution will be K.

I'm thinking about a way to get a fingeprint of the user machine (for example: a combination of MAC and compuetr name). Of course, users will be informed about checking their MAC.
Howevew, it is hard to do, because HTTP protocol is stateless. One solution is to use ActiveX. But it's limited only to Windows systems, and it's to easy to pass the security checking (by just disabling ActiveX, which as far as I know is disabled by default).

As I googled, it's a quite common question, but there are no solutions other then using ActiveX. Had any one had this kind of problem, and found some good solution?

Users can be in different networks. It will be an extranet application, so checking IP will not work (routers, and dynamic IP's).

EDIT: What I want to achive by doing this is to avoid buying membership, and then share the account data to all your friends.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(8

爱的十字路口 2024-07-25 02:20:50

使用(跟踪)cookie? 即使这是基于每个浏览器而不是基于每个机器,并且当然要求用户启用持久性 cookie,但这可能就足够了吗? 检查 cookie 是否存在并且不应过期,如果存在则一切正常 - 如果不存在,则添加它并在您的后端跟踪此信息...

屏蔽通过 IP、网络或任何其他网络的访问 -相关标准虽然有其自身的问题,例如大多数用户没有固定 IP,或者如果有的话,则通过 NAT 的恐怖与许多其他用户共享它,最有可能由发布防火墙而不是发布防火墙来完成应用程序本身。

通过一个简单的网站从某人的计算机上获取指纹或任何识别信息几乎是不可能的(人们希望如此),而是需要用户安装本地应用程序或插件。

编辑:新添加的有关原因的信息清楚地表明,任何此类解决方案都会很烦人,并且开发和维护成本会很高。 完全规避这一限制的答案似乎是最好的。

Use (tracking) cookies? Even though this would be on a per-browser basis and not per-machine basis and of course require the user to have persistent cookies enabled, it might be good enough? Check if the cookie exists and shouldn't have expired, if it does it's all fine and dandy - if not, add it and keep track of this in your back-end...

Shielding access by IP, network or any other network-related criteria, while having its own problems of course like most users not having a fixed IP or if so, is sharing it with many other users through the horrors of NAT, should most likely be done by the publishing firewall(s) and not the application itself.

Getting a fingerprint or any identifying stuff off of someone's computer by a simple web site should be mostly impossible (one hopes) and instead require the installation of a local application or plugin by the user.

Edit: The newly added information about the reason makes it rather clear that any such solution will be annoying and cost extra to develop and maintain. The answer about circumventing the need for this restriction at all seems best.

溇涏 2024-07-25 02:20:50

如果限制在某个时间范围内就足够了——也就是说,用户在一天、一周或一个月内只能使用五台不同的计算机,那么您可以随时检查 IP 地址。 每次用户尝试访问您的站点时,您都​​可以使用以下算法来查看是否应该允许访问:

1) 检查该用户帐户之前使用过哪些 IP 地址。 唯一 IP 是否少于 5 个? 是的=> 3. 否 => 2.

2) 已存储五个或更多IP。 其中至少有一个至少已存在一天/一周/一个月吗? 是的=> 3. 否 => 4.

3) 没关系 - 存储的 IP 少于 5 个,或者至少有一个太旧。 删除任何太旧的内容,存储新的内容并进行身份验证。 => 5.

4) 不行 - 您的数据库中已经有五个或更多 IP,而且它们都还没有过期。 不进行身份验证。 => 5

5) 结束

If limiting within a certain timeframe is good enough - that is, the user can only use five different computers in a day, a week or a month, you could always check for ip adresses. Every time a user tries to access your site, you could have the following algorithm to see if you should allow access:

1) Check what IP adresses have previously been used with this user account. Is there less than 5 unique IP's? Yes => 3. No => 2.

2) Five or more IP's are already stored. Are at least one of them at least one day/week/month old? Yes => 3. No => 4.

3) It's OK - less than five IP's are stored, or at least one is too old. Delete any that are too old, store the new one and authenticate. => 5.

4) It's not OK - five or more IP's are already in your database, and none of them has expired yet. Do not authenticate. => 5

5) End

不即不离 2024-07-25 02:20:50

这是用于许可场景吗? 如果是这样,这就是自互联网出现以来我听说过的最愚蠢的许可证之一。

这种许可证过去在桌面应用程序上下文中有意义,但在基于 Web 的应用程序中毫无意义。 您的应用程序可能是这些用户使用的唯一具有这种行为方式的应用程序。 这对你来说看起来不太好。

Is this for a licensing scenario? If so, it's one of the silliest licenses I've heard of since the Internet came out.

It's the kind of license that used to make sense in the context of desktop applications, but makes no sense in a web-based application. Your application will likely be the only one these users use that behaves this way. That won't look good for you.

娇女薄笑 2024-07-25 02:20:50

除非我们谈论的是限制都在同一 LAN 上的用户,否则为什么你不能只跟踪用户的 IP 地址,如果他们来自不在其“列表”上的 IP 地址,那么你可以将他们拒绝而不是认证?

Unless we are talking about limiting users who are all on the same LAN, why could you not just track the IP addresses of users and if they come from an ip address that is not on their "list" then you can turn them away and not authenticate?

青衫负雪 2024-07-25 02:20:50
  • 使用具有 MAC 过滤/IP 过滤功能的防火墙
  • 应用程序中的 IP 白名单
  • 会员提供商中“登录”用户的阈值

这种情况是怎样的,是面向公众的网站还是要在私有网站上内部托管的网站局域网

  • Use a firewall with MAC Filtering/IP Filtering
  • An IP Whitelist in the Application
  • A threshold of "Logged In" users in the Membership Provider

Whats the scenario, is it a public facing web site or something that you're gonna host internally on a Private LAN

风情万种。 2024-07-25 02:20:50

只有5台特定的计算机吗? 或者同时运行的计算机不超过 5 台? 这不是一个完美的解决方案,但您可以分别在会话开始/结束时增加/减少计数器。

编辑:好的,在这种情况下,我可能会采用基于 cookie 的方法(同样不完美)。 当 PC 连接时,会在客户端计算机上存放一个 cookie,并记录该 cookie 已在服务器上发出。 当 #6 尝试连接时,阻止 cookie 并拒绝连接。

Is it only 5 specific computers? Or no more than 5 simultaneous computers? It's not a perfect solution, but you can increment/decrement a counter on session start/end respectively.

EDIT: Ok in that case I would probably go for a cookie based approach (again not perfect). When a PC connects deposit a cookie on the client computer, and record that one's been issued on the server. When #6 attempts to connect, block the cookie and deny the connection.

郁金香雨 2024-07-25 02:20:50

我认为您应该考虑使用 WCF Web 服务和经过授权的自定义 WinForms/WPF 客户端。

I think you should consider using of WCF web service and custom WinForms/WPF client with authorization.

流云如水 2024-07-25 02:20:49

根据您的评论

此要求的意义是避免用户在应用程序中注册、支付会员费用以及将帐户凭据提供给其他人。

要么你选择昂贵且高度安全的 RSA 硬件验证器

-或者 -

你改变您的业​​务模式,并使共享凭证变得没有吸引力。 例如,由于成本 - 我不分享我的苹果或亚马逊信用,因为我不想为他们的购买付费。 另一个是拥有一个用户社区。 没有人分享他们的 flickr 帐户,因为这些照片在艺术上是他们的,他们不希望任何人为了几美元而乱搞他们的东西。 不鼓励共享,因为它是一个社区,而不仅仅是一个存储库。

但这些都不会阻止用户共享,但我确信这种情况发生的次数要少得多。

否则,您将自己限制在(尝试)被动监控滥用的机制中。 太多并发下载、太多并发访问等。如果您的用户违反了您协议的条款和条件,那么您将暂停他们的帐户。 但你必须有非常明显的违规者,因为很容易出错。 如果可以的话,这是一种应该避免的模式,因为你总是会追赶,并且总是有人会欺骗你。

如果需要购买 RSA 设备才能访问网站,没有人会注册该网站。 这不是一个可行的消费者解决方案。


(原答案)
我认为您想要查看的是使用客户端证书身份验证。 本质上,您的用户在他们的计算机上安装个人客户端证书,以便当他们连接到您的服务器时,您的服务器可以验证该计算机。

我不会告诉你这很容易,因为它看起来并不容易。 您可能需要设置自己的证书服务器并快速搜索它,但这些都不是很好。

也许,根据操作系统的不同,其中有一项功能可以让您创建特定于计算机的证书或无法导出的证书。

此类事情通常用于服务器之间的安全连接,而不是通常用于客户端所需的内容。 这将是帮助台的噩梦。

wiki 传输层安全 或 windowssecurity.com 对 IIS 6.0 网站使用客户端证书身份验证 或 msdn 构建安全的 ASP.NET 应用程序:身份验证、授权和安全通信

您还可以使用 RSA 硬件验证器

Based on your comment

The sense of this requirement is to avoid users from registering in the application, paying for the membership and than giving the credentials of account to other people.

Either you go expensive and highly secure like RSA hardware authenticators

-or-

You change your business model and make it unattractive to share credentials. e.g. due to cost - I don't share my apple or amazon creds because I don't feel like paying for their purchases. Another is having a user community. Nobody shares their flickr account because those photos are artistically theirs, and they don't want anyone mucking with their stuff for the sake of a few dollars. Sharing is dissuaded because it's a community, not just a repository.

But none of these things prevent users from sharing, but I'm sure it happens a lot less.

You otherwise restrict yourself to mechanisms that (attempt) to passively monitor abuse. Too many concurrent downloads, too many concurrent accesses, etc. If your user violate the t's and c's of your agreement then you suspend their account. But you would have to have very obvious offenders, because it's very easy to get this wrong. It's a model to be avoided if you can because you're always going to play catchup and there's always going to be someone who rips you off.

Nobody will sign up to a website if they need to buy an RSA device to access it. It's not a viable consumer solution.


(Original answer)
I think what you want to look at is using Client Certificate Authentication. Essentially your user installs a personal client certificate on their machine so that when they connect to your server, your server can verify that computer.

I'm not going to tell you it's easy, because it doesn't look like it. You may need to set up your own certificate server and quickly googling it, none of it is pretty.

Maybe, OS depending, there's a feature in there that you can create a certificate that is machine-specific, or one that can't be exported.

This sort of thing is usually for secure connections between between servers, and not typically for what you want on the client side. This is going to be a helpdesk nightmare.

wiki Transport Layer Security or windowssecurity.com Using Client Certificate Authentication with IIS 6.0 Web Sites or msdn Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

You could also go the route of using RSA hardware authenticators

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文