  1. #1
    Join Date
    Dec 2004
    Location
    Beirut
    Posts
    596

    Website from executable only ?

    Hey,
    Thought some of you might have done this or tested this or have the best advice.
    What's on my mind is, there is a website portion URL that is password protected.
    However, I want to load this per user on one computer only, and the same access shouldn't work on any other PC.
    My idea was to create an exe which loads the webpage portion, since I can control the exe to load on a serial number based on a hardware fingerprint.
    The problem is that a user can still see where the page is loading from, one way or another, and then use his login from another PC.
    One way or another I am stuck on many ideas.

    What is the best solution, in your opinion, to give site access to only one user on the authorized PC only?
    Ideas?
    POINTLeb Hosting Lebanese Hosting for the Middle East
    The fact that no one understands you , does not make you an artist
    Mo Ghaoui's Personal Blog

  2. #2
    Join Date
    Mar 2004
    Location
    USA
    Posts
    4,345
    You could.

    You can create a page which only allows access by password you send it (the program will send it).

    Of course if someone knows the URL and the password they would be able to access it via the browser, but how can they know?

    Peace,
    Testing 1.. Testing 1..2.. Testing 1..2..3...

  3. #3
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,103
    If I understand this correctly, your application is an EXE running on the user's system. From that application you call some URL which can be accessed from that system only.

    As you have an exe running on that system, you can use hardware information to identify it (MAC address seems like a safe way to do it). After you gather hardware info, also include some counter in it and encode it in some way so that it is not obvious what that info contains. This counter could be a string of predefined numbers. For example, md5 sum of multiples of number 21. So first time it will be md5sum(21), second time md5sum(21 x 21) and so on.

    Send this string in your request URL. The string will be different every time. When web portion of your application receives it the first time, extract hardware info and counter value. Allow further access only if hardware info matches and if counter value is next one expected.
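
The server-side check for the rolling-counter idea in the post above, as an added example that is not part of the original thread. It swaps the md5-of-a-known-sequence counter for an HMAC-SHA256 over the hardware id and counter under a per-device secret, so the next value cannot be computed by someone who only knows the scheme; the device id, the secret and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: per-device secret the server stored at enrolment.
DEVICE_KEYS = {"00:11:22:33:44:55": b"constructed-per-device-secret"}
# Next counter value the server will accept from each device.
EXPECTED = {"00:11:22:33:44:55": 1}


def make_tag(key: bytes, hw_id: str, counter: int) -> str:
    """Client side: bind the hardware id and the counter under the shared key."""
    msg = f"{hw_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_request(hw_id: str, counter: int, tag: str) -> bool:
    """Server side: accept only the next expected counter with a valid tag."""
    key = DEVICE_KEYS.get(hw_id)
    if key is None:
        return False  # unknown hardware id
    if counter != EXPECTED[hw_id]:
        return False  # replayed or out-of-order value
    if not hmac.compare_digest(make_tag(key, hw_id, counter), tag):
        return False  # tag was not produced with this device's key
    EXPECTED[hw_id] = counter + 1  # advance only after a valid request
    return True
```

A URL captured from one request is useless for the next, because the counter it carries has already been consumed.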

  4. #4
    Join Date
    Dec 2004
    Location
    Beirut
    Posts
    596
    I couldn't figure out what you meant, azizny. If the program sends the pass, then the user logs in where?
    sasha, well, this is almost what I did so far: the exe fingerprints hardware ids so it can only run on that PC. But what's bothering me is the ability to sniff the URL, then again using that URL with the login on many PCs.
    So now what you suggested, a string sent every time to match the web, seems a good idea too; this way even if the URL is known it will still deny access without the string attached!
    Thanks for the info. However, I still hope there would be an easier way of maintaining one login per PC, especially if I had to drop the exe later.

  5. #5
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,103
    I did some thinking and the easiest way is this:
    Your exe connects to the server directly (no browser involved), sends hardware info to the server, gets some kind of session identifier, and launches the browser with that session identifier in the URL. When the server receives that request, it creates the actual session with the browser and your user is logged in. The server removes that session identifier so that a new browser session cannot be established using the same URL. In order to do this you will need something running on the client that cannot be easily reverse engineered. I do not see how you could do it with no exe involved.
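
The handoff described in the post above, sketched from the server's side as an added example that is not part of the original thread. It assumes the exe proves itself with an HMAC over a server-issued nonce, keyed by a fingerprint-derived secret registered at enrolment; the user name, key, TTL and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30  # seconds a handoff token stays redeemable (assumed value)
# Constructed sample record: fingerprint-derived key entered at enrolment.
USERS = {"alice": b"constructed-fingerprint-derived-key"}
_nonces = set()  # challenges issued to exes and not yet used
_pending = {}    # one-time token -> (user, expiry time)


def new_nonce() -> str:
    """Server: hand the exe a fresh single-use challenge."""
    nonce = secrets.token_hex(16)
    _nonces.add(nonce)
    return nonce


def client_proof(key: bytes, user: str, nonce: str) -> str:
    """Exe: HMAC over the challenge, keyed by the fingerprint-derived key."""
    return hmac.new(key, f"{user}|{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, nonce: str, proof: str, now=None):
    """Server, direct exe connection: return a one-time token or None."""
    if nonce not in _nonces:
        return None
    _nonces.discard(nonce)  # a challenge is spent even if the proof is wrong
    key = USERS.get(user)
    if key is None or not hmac.compare_digest(client_proof(key, user, nonce), proof):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[token] = (user, now + TOKEN_TTL)
    return token


def redeem_token(token: str, now=None):
    """Server, browser request: consume the token, return the user to log in."""
    entry = _pending.pop(token, None)  # removed on first use, valid or not
    if entry is None:
        return None
    now = time.time() if now is None else now
    user, expiry = entry
    return user if now <= expiry else None
```

The browser URL carries only the random token, so a copy of that URL opened on another machine fails once the first request has consumed it or the TTL has passed.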

  6. #6
    Join Date
    Dec 2004
    Location
    Beirut
    Posts
    596
    sasha, sounds convincing.
    So here is what I conclude.
    The exe to launch the URL will fingerprint hardware and will need a generated serial for the user to be run (one time only) for the user (that is already done).
    Now my problem was in the part when it connects to the website, and that it could be sniffed and then the user/pass for the website used from anywhere.
    With your suggestion, I will include the same fingerprint and generated key in the request from the exe (since the exe can also verify it's running from that machine too).
    And since users are manually verified, when we generate the key for the exe user, we will also manually enter it into the website database.
    That identifier will be unique for each user and exists for verification on both the end user part and the website part.
    I think I now have the solution; I just wish it could have been easier.
    Thanks for the suggestions.
