如何让用户从只有一台机器登录(收购CPU串行)到ASP.NET-MVC Web应用程序 [英] How to enable user log in from the only one machine(by acquiring CPU Serial) to the ASP.NET-MVC web application
问题描述
方案:
我的网络部署的ASP.NET MVC 5应用程序与个人用户帐户:身份2.x的每个用户都有一个电子邮件和密码登录,通过浏览器的Web应用程序,这意味着用户可以通过与网络浏览器的任何设备登录。
I have web deployed ASP.NET-MVC 5 application with individual user accounts: Identity 2.x. Every user has an e-mail and password to log in the web application via browser, this means that user can log via any device with internet browser.
我想,让他使用完全相同的PC级的机器,他每次在登录的时间条件的用户记录。
I would like to enable user logging on condition that he uses exactly the same PC class machine every time he logs in.
我可以礼貌地询问用户是否需要运行的任何桌面.NET文件(.exe)应用程序。我也可以要求用户使用Chrome浏览器,如果插件要实现这一点。从字面上看,我可以假设任何事情。该解决方案可能是非常不舒服,这很好。
I can politely ask user to run any desktop .NET(.exe) application if necessary. I can also ask user to use Chrome browser if the plugin is necessary to achieve this. Literally I can assume anything. The solution might be very uncomfortable, it's fine.
我半的解决方案:
-
通过桌面获取CPU序列号(姑且称之为Authorizer.exe)应用程序,它会发送这个唯一的ID到ASP.NET-MVC Web应用程序,同时登录到它的用户使用某台PC授权。 Authorizer.exe将检测登录到Web应用程序通过嗅探数据包经过的网络。 加 检测用户的位置,这限制了他的移动他的电脑。
Obtain CPU serial number via desktop(let's call it Authorizer.exe) application which will send this unique ID to the ASP.NET-MVC Web Application while logging into it to authorize that user uses certain PC. Authorizer.exe would detect logging into Web Application by sniffing packets going through network. PLUS Detect user's location, which restrains him from moving his computer.
创建桌面应用程序,它可以一次只从Web应用程序提供独一无二的序列被激活。登录到ASP.NET MVC,将有可能仅当台式机应用程序是公开。(我不知道如何做到这一点)。
Create desktop app which can be activated once only with unique serial provided from the web application. Login to the ASP.NET-MVC would be possible only if this desktop app is openned.(I have no idea how to do it).
为什么我问这个问题:
如果别人窃取用户的电子邮件和密码,我不想让小偷能够登录的,但最重要的是我是我不想让用户登录从不同的设备。
If somebody steals user's e-mail and passwords I don't want to let the thief being able to login but the most important to me is that I don't want let user to log in from different devices.
推荐答案
这是我能想到的唯一的解决办法是发行客户端证书,并在应用中使用证书认证。
The only solution that I can think of is to issue client certificates, and use certificate authentication in your application.
要管理需要实现一个PKI,这就需要证书:
To manage certificates you need to implement a PKI, which requires:
- 获取证书颁发机构,颁发证书需要(也可以是公共CA,也可以使用自签名证书)
- 在颁发证书的Web服务器,使用CA
- 配置您的应用程序通过HTTPS工作,并要求证书认证
- 在颁发证书的用户,并在他们的浏览器安装它们
的薄弱环节是最后一个。你必须支付attentiton你如何安装,以及如何颁发证书。
The weak link is the last. You must pay attentiton to how you install, and how you issue the certificate.
要安装在浏览器中的证书。您可以:
To install the certificate in the browser. You can:
- 创建一个证书文件,也可以用来在浏览器中导入证书
- 使用一个PKI基础结构(证书服务器),它允许一个证书来访问一个页与一个浏览器请求,并要求使用相同的浏览器安装在证书中它,一旦它的发出(即它的请求被接受) 。
注:在这两种情况下,你必须接受请求,并颁发证书或拒绝。证书不是自动发出的
第一个选项有一个问题:如果你发送证书到您的用户,他就可以将其安装在任何一台机器,任意次数。为了解决这个问题,你需要获得您的用户的机器上,复制文件,安装它,并将其删除。第二个选项解决了这个问题。
The first option has a problem: if you send the certificate to your user he'll be able to install it in any machine, any number of times. To solve this problem you'd need to get access to your user's machine, copy the file, install it, and delete it. The second option solves this problem.
第二个选择是更安全的。但具有良好的知识的用户仍然可以恢复由服务器在这个过程中发出的文件,并在不同的地方安装证书。
The second option is safer. But a user with good knowledge can still recover the file issued by the server in this process, and install the certificate in a different place.
考虑还有很重要的一点是,当你颁发证书通常存在一个选项,允许使其私钥可导出。如果设置了此选项,用户可以从安装它的浏览器输出的PK,并安装到其他地方。显然,要避免这种情况。因此,禁用此选项。
Another very important point to take into account is that, when you issue a certificate there is generally an option that allows to make its private key exportable. If you set this option, the user can export the PK from the browser where it is installed, and install it somewhere else. Obviously you want to avoid this. So, disable this option.
通过该选项,用户仍可以导出证书,但是如果没有它的私钥,因此它不能被其他地方安装。
With this option, the user can still export the certificate, but without its private key, so it can't be installed somewhere else.
我不给上如何设置的PKI的其他详细信息,因为它在很大程度上取决于基础设施(OS和版本)。如果您想了解更多有关证书和PKI的维基百科为X.509作品对于PKI 和维基百科条目。然后,你可以看看其他信息在特定的基础设施(OS)设置一个PKI。
I don't give additional details on how to setup the PKI, because it depends largely on the infrastructure (OS and version). If you want to know more about certificates and PKI the wikipedia entry for "X.509" and wikipedia entry for PKI. Then you can look for additional information on setting a PKI in your particular infrastructure (OS).
您可以放心这个系统是真正安全的。比如,在我的国家,你可以找出自己通过这种方式,使很多官方的东西,比如申报和缴纳税款
You can rest assure this system is really safe: for example, in my country you can identify yourself by this means to make a lot of "official" things, like declaring and paying taxes.
和,如果你想知道,如果你要拒绝访问已经拥有证书的用户会发生什么。答案是,只要你想,你可以吊销证书,以便服务器将不允许用户和他的证书来验证,因为它的撤销。
And, if you're wondering what happens if you want to reject access to a user that already has a certificate. The answer is that you can revoke a certificate whenever you want, so that the server won't allow your user to authenticate with his certificate, because it's revoked.
这可以让你担心的另一件事是,其他用户需要在同一台机器并记录你的应用程序。这是很难thanit看起来像这样的原因:
And another thing that can worry you is that other user takes the same machine and logs to your application. It's harder thanit looks like for this reasons:
- 证书时您登录到自己机器安装它的同一用户仅适用
- 在安装证书时,可以使OS时某人想要使用的证书要求输入密码
- 您可以让您的应用程序有双重授权:
- 第一,证书授权(这是,事实上,由IIS本身处理)
- 第二,要求一个用户名和密码(或使用该证书的用户名,并要求相关用户额外的密码)
- the certificate is only available when you log to he machine with the same user that installed it
- when installing the certificate you can make the OS to request a password when someones wants to use the certificate
- you can make your app to have double authorization:
- first, the certificate authorization (this is, in fact, handled by IIS itself)
- second, ask for a username and password (or use the certificate's user name, and ask for an additional password associated to the user)
我已经看到了很多的建议使用识别用户的机器的魔道anwsers的,没有他了解和接受它,并且,或可以通过某个用户操作被打破。这些解决方案是不稳定的,甚至可以是不合法的。此外,没有任何解释的解决方案是可靠的或容易实现,但最让我会这样你在我回答的结尾。但在此之前,请允许我解释一下我为什么preFER证书的解决方案。
I've seen a lot of anwsers that propose using a "magic way" of identifying the user's machine, without him knowing and accepting it, and, or that can be broken by some user actions. Those solutions are unstable, and can even be not legal. Besides, none of the explained solutions is reliable or easy to implement, but the one that I'll so you at the end of my answer. But before this, allow me to explain why I prefer the certificates solution.
安装颁发的证书是一些东西,是不是从用户隐藏,除非用户删除故意的证书不能被打破。用户可被告知他需要证书来访问应用程序,所以你没有作弊,也使得魔术,以确定他的机器。这是一个干净的,支持的,并形成文件的解决方案。除了证书不能caracked或砍死(在严格意义上,一切都可以被破解或黑客攻击,但这是太难以破解)。除此之外,在同一证书可由所有浏览器被共享,因为它没有安装在浏览器中,但在机器的证书存储。所以,即使用户将打开不同的浏览器应用程序,该证书将仍然存在。而且它很容易检查的问题来验证它是一个缺少证书(或一些相关的话)。
Installing an issued certificate is something which isn't hidden from the user, and that can't be broken unless the user deletes the certificate on purpose. The user can be informed that he needs the certificate to access the application, so you're neither cheating, nor making "magic" to identify his machine. It's a clean, supported, and documented solution. Besides a certificate cannot be caracked or hacked (in an strict sense, everything can be cracked or hacked, but this is way too hard to crack). Apart from this, the same certificate can be shared by all browsers, because it's not installed in the browser, but in the machine's certificate store. So, even if the user opens the application with a different browser, the certificate will still be there. And it's very easy to check if the problem to authenticate it's a missing certificate(or something related to it).
不过,如果你仍preFER实现,可以识别用户的计算机没有他批准它的解决方案,或者没有解释它是如何工作的,你可以使用supercookies。如果谷歌thister你会发现在很多地方,这种利用闪存存储。甚至闪存+ HTML5存储。或者,它可以使用,甚至很多其他地方来存储所需要的信息。但是,你会看到这个技术是令人难以接受的。而且可以对抗低,让你陷入困境。但是,这么说,如果你还愿意做这种脏的事情,你可以使用evercookie。它的JavaScript实现,你可以看到的信息,并从这个链接donwload的code:
However, if you still prefer to implement a solution that can identify your user's machine without him approving it,or without explaining how it works, you can use "supercookies". If you google for thister you'll find in a lot of places that this exploits Flash storage. Or even Flash + HTML5 storage. Or it can use even many other places to store the required information. But you'll see that this techniques are frowned upon. And can be against the low and make you get into trouble. However, that said, if you still want to do this kind of "dirty" thing, you can use evercookie. It's implemented in JavaScript and you can see the information and donwload the code from this link:
免责声明:如果你使用这种邪恶的事情,进入某种麻烦,不要给我惹的祸!我告诉你!
Disclaimer: if you use this evil thing and get into some kind of trouble, don't blame on me! I told you!
这篇关于如何让用户从只有一台机器登录(收购CPU串行)到ASP.NET-MVC Web应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
