Authentication via IP, rather than password

adrianbj
2005-10-21
2013-05-28
  • adrianbj
    2005-10-21

    Hi Matthias,

    I have had a request to make the PDFs in our database available to all on campus IPs (or via VPN connections), rather than requiring the user to log in. It seems that extra step is a little too much effort :-)

    Anyway, I was just about to start a hack to make this happen, but thought I'd ask to see if you'd had any thoughts on this already.

    I was thinking of incorporating something like this:

    $accept = array("XXX", "XXX");  // leading octets of the permitted network (placeholders)
    $remote = explode(".", $_SERVER["REMOTE_ADDR"]);  // client address split into octets; $REMOTE_ADDR alone needs register_globals
    $match = 1;
    // compare only as many leading octets as $accept lists, i.e. a whole-subnet match
    for ($i = 0; $i < sizeof($accept); $i++) {
        if ($remote[$i] != $accept[$i]) {
            $match = 0;
        }
    }
    if ($match) {
        // [code for displaying link to PDF or other file type]
    }

    Would really appreciate any thoughts you have. I will also post something when I have figured out exactly how best to make it work.

    Cheers,
    Adrian

     
    • Adrian,

      I think you're farther than we are. I must admit that I haven't wasted any thought on IP approval ;-) but I see that this is a valid and useful feature request.

      Your code example looks reasonable to me. I fear I can't contribute anything more wise, maybe others can...

      Please share with us whatever you come up with.

      Thanks, Matthias

       
    • I also haven't thought of it too much (if I was given this request, I'd just set up Apache to handle restrictions on the files directory...and what you propose certainly looks like it will work well for your purposes).

      You might want to convert the ip array to an int (for aaa.bbb.ccc.ddd, this would be 16777216*aaa+65536*bbb+256*ccc+ddd). This would allow you to restrict by ranges other than whole subnets (some departments or groups may share a subnet, for example).

      Ultimately, I'd also store the list of acceptable IPs in one of the ini files & allow you to make a list that looks like: aaa.bbb.ccc.ddd, eee.fff, ggg.hhh.iii.jjj-kkk.lll.mmm.nnn (allowing you to permit specific IPs, subnets, and ranges).

      --Rick

       
    • adrianbj
      2005-10-22

      Thank you both very much for your suggestions.

      I thought about the option of using Apache and htaccess, but that would still result in the PDF icon being visible and give an error to unauthorised users.

      Rick, I agree with your idea of converting to an IP number to make it easier for testing ranges. So I have implemented a solution which seems to be working great. For others who are interested, this is what I did:

      1) Firstly, make sure that in your ini.inc.php file you set your file visibility like this:

      $fileVisibility = "everyone";

      2) Now add this function at the start of your search.php file, somewhere after the start session. This will convert the user's IP address to a number so you can see if it fits within a valid range.

      // Function to convert IP address (xxx.xxx.xxx.xxx) to IP number (0 to 256^4-1)
      // (the same value PHP's built-in ip2long() returns)
      function Dot2LongIP ($IPaddr) {
          if ($IPaddr == "") {
              return 0;
          } else {
              // explode() replaces the original split() call, which no longer exists in PHP 7 and later
              $ips = explode(".", $IPaddr);
              // weight each octet: d + c*256 + b*256^2 + a*256^3
              return ($ips[3] + $ips[2] * 256 + $ips[1] * 256 * 256 + $ips[0] * 256 * 256 * 256);
          }
      }

      3) Change:

      if (preg_match('/\.pdf$/', $row["file"])) // if the 'file' field contains a link to a PDF file (preg_match() replaces the removed ereg())

          echo "\n\t\t<a href=\"" . $URLprefix . $row["file"] . "\"><img src=\"img/file_PDF.gif\" alt=\"pdf\" title=\"download PDF file\" width=\"17\" height=\"17\" hspace=\"0\" border=\"0\"></a>"; // display a PDF file icon as download link

      else
          echo "\n\t\t<a href=\"" . $URLprefix . $row["file"] . "\"><img src=\"img/file.gif\" alt=\"file\" title=\"download file\" width=\"11\" height=\"15\" hspace=\"0\" border=\"0\"></a>"; // display a generic file icon as download link
                              }
                          }

      TO:

      $ipaddress = $_SERVER["REMOTE_ADDR"]; // address of the connecting client; the original getenv(REMOTE_ADDR) needs a quoted name
      $ipno = Dot2LongIP($ipaddress);
      if ($ipno >= xxxxxxxxxx && $ipno <= xxxxxxxxxx) { // lower and upper bound of the permitted range, as IP numbers

      if (preg_match('/\.pdf$/', $row["file"])) // if the 'file' field contains a link to a PDF file (preg_match() replaces the removed ereg())

          echo "\n\t\t<a href=\"" . $URLprefix . $row["file"] . "\"><img src=\"img/file_PDF.gif\" alt=\"pdf\" title=\"download PDF file\" width=\"17\" height=\"17\" hspace=\"0\" border=\"0\"></a>"; // display a PDF file icon as download link

      else
          echo "\n\t\t<a href=\"" . $URLprefix . $row["file"] . "\"><img src=\"img/file.gif\" alt=\"file\" title=\"download file\" width=\"11\" height=\"15\" hspace=\"0\" border=\"0\"></a>"; // display a generic file icon as download link
                              }
                          }
      }

      Step 3 adds the first three lines to check that the user's IP address falls within the range xxxxxxxxxx to xxxxxxxxxx and adds one more } at the end.

      That should do the trick. Be aware that when testing this on a local machine, your IP address may appear as 127.0.0.1

      This online IP converter may also come in handy when trying to calculate the range of the $ipno variable:

      http://www.csgnetwork.com/ipaddconv.html

      Hope that helps someone - I know our faculty will certainly find it much easier to access the PDFs now.

      Cheers,
      Adrian
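The three approaches above (Adrian's leading-octet comparison, Rick's "aaa.bbb.ccc.ddd, eee.fff, ggg.hhh.iii.jjj-kkk.lll.mmm.nnn" list notation, and Adrian's Dot2LongIP() range test) combined into one piece of working code. This is an added example, not refbase code or anything posted in the thread; the function names (ipToInt, parseEntry, parseAllowList, ipAllowed), the sample addresses and the variable $showPdfLink are assumptions made for the example, and it assumes 64-bit PHP 7.1 or later.

```php
<?php
// Added example, not refbase code: the allow-list notation Rick proposed, parsed
// into integer ranges and checked the way Adrian's Dot2LongIP() range test works.
// Assumes 64-bit PHP integers and PHP 7.1+ syntax.

// Convert a dotted IPv4 address to its IP number; null for anything malformed.
function ipToInt(string $ip): ?int
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;   // rejects "", "124.44.567.1", IPv6 and hostnames
    }
    [$a, $b, $c, $d] = array_map('intval', explode('.', $ip));
    return ($a << 24) | ($b << 16) | ($c << 8) | $d;   // same value as Dot2LongIP()
}

// Parse one entry into an inclusive [low, high] range of IP numbers.
// Forms: "a.b.c.d" (one host), "a.b" (whole prefix), "a.b.c.d-e.f.g.h" (range).
function parseEntry(string $entry): ?array
{
    $entry = trim($entry);
    if ($entry === '') {
        return null;
    }
    if (strpos($entry, '-') !== false) {
        [$first, $last] = array_map('trim', explode('-', $entry, 2));
        $low  = ipToInt($first);
        $high = ipToInt($last);
        return ($low === null || $high === null || $low > $high) ? null : [$low, $high];
    }
    $octets = explode('.', $entry);
    $n = count($octets);
    if ($n > 4) {
        return null;
    }
    foreach ($octets as $octet) {
        if (!preg_match('/^\d{1,3}$/', $octet) || (int) $octet > 255) {
            return null;
        }
    }
    // A prefix such as "eee.fff" covers eee.fff.0.0 through eee.fff.255.255.
    $pad  = 4 - $n;
    $low  = implode('.', array_merge($octets, array_fill(0, $pad, '0')));
    $high = implode('.', array_merge($octets, array_fill(0, $pad, '255')));
    return [ipToInt($low), ipToInt($high)];
}

// Parse the comma-separated list; malformed entries are dropped rather than
// widened, so a typo in the ini file can only make the list stricter.
function parseAllowList(string $list): array
{
    $ranges = [];
    foreach (explode(',', $list) as $entry) {
        $range = parseEntry($entry);
        if ($range !== null) {
            $ranges[] = $range;
        }
    }
    return $ranges;
}

// True when the client address lies in any permitted range.
function ipAllowed(string $clientIp, array $ranges): bool
{
    $ipNo = ipToInt($clientIp);
    if ($ipNo === null) {
        return false;
    }
    foreach ($ranges as [$low, $high]) {
        if ($ipNo >= $low && $ipNo <= $high) {
            return true;
        }
    }
    return false;
}

// Constructed sample list using documentation address blocks, not a real campus.
$allowList = '192.0.2.10, 198.51.100, 203.0.113.20-203.0.113.40';
$ranges = parseAllowList($allowList);

// REMOTE_ADDR is the address of the TCP peer. Headers such as X-Forwarded-For are
// supplied by the client and must not feed this check unless a proxy you control
// overwrites them. From the CLI there is no peer, so fall back to 127.0.0.1.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
$showPdfLink = ipAllowed($clientIp, $ranges);   // use where Adrian's $ipno test sits

foreach (['192.0.2.10', '198.51.100.77', '203.0.113.41', '124.44.567.1', '127.0.0.1'] as $probe) {
    printf("%-15s %s\n", $probe, ipAllowed($probe, $ranges) ? 'allowed' : 'denied');
}
```

The list is parsed once and the client is tested against integer bounds, so a lookup costs one comparison per entry. Two points matter for safety: an entry that does not parse is dropped, never widened into a broader match, and the check reads REMOTE_ADDR only, because the remark about 127.0.0.1 in the post applies equally to proxied requests, where any forwarded-address header is whatever the sender chose to write.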

       
      • Fantastic. Thanks for letting us know how you implemented this! I think that eventually we may want to make a table listing the IP ranges that are permitted. This should allow for quick lookups/comparison & would also allow a management interface to allow or ban IPs without needing local access to the machine.
        --Rick

         
      • Adrian,

        thanks for sharing with us your solution! I'm sure other users will appreciate it.

        Guess that we should include something like this in the default version so that you don't need to hack every new version... :-)
        And I think Rick is right that it would be best if one could simply enter the range of allowed IP addresses in ini.inc.php.

        Regards, Matthias

         
    • Ah, Rick, you mean a MySQL table for allowed IP addresses? Yes, I agree that this would be even better. Then, provide appropriate options in the admin web interface...

      Matthias

       
    • adrianbj
      2005-10-22

      Thanks both for your follow-ups - it would be great to see a MySQL table for allowed IPs etc. make it into the next version.

      Cheers,
      Adrian

       
    • This is really cool! I can't believe I've missed this thread.

      -joachim-

       
    • adrianbj
      2006-03-28

      Joachim,

      Glad you found it useful. It's been working a treat on our refbase installation.

      It would be great to see IP authentication as an inbuilt option within refbase. I think it would be great to see a bunch of options to control how each feature is protected. I am thinking that a list of each element to be protected, with three protection options: 1) open, 2) password, 3) IP

      The main elements would be:
      PDF access
      Cite
      Export

      We could also include Import & Edit Record, but I really don't think these should be available to anyone but a logged in user.

      I have already hacked the code so that Cite and Export are available to anyone. I actually can't think of a reason why the last two of these are protected from guests at the moment, but I am sure the developers have a good reason that I am missing.

      -Adrian-

       
    • There is an easier way in the httpd.conf file of apache in your "directory definition" line:

              <Directory "/refbase">
                      Options FollowSymlinks +IncludesNOEXEC +ExecCGI
                      AllowOverride none
                      Order deny,allow
                      deny from all
                      allow from localhost 18.218.0.0/16 18.225.92.0/24
                      Satisfy Any
              </Directory>

      This allows all of 18.218.*.* and all of 18.225.92.* in, blocks everyone else, for everything in that subtree.

      Am I misunderstanding what you want here?

      -Matt

       
    • Knut Krüger
      2007-03-27

      I am using a Web forum which allows IP ranges, but it is written in Perl. But the feature is very helpful.

      It would be very useful to implement a list-based IP collection like this.
      e.g. you could easily give access to all universities of a country if they have an equal URL part

      allow: *.edu     // all US universities/colleges
      allow: *.ac.at   // all Austrian universities
      allow: oneip.com
      allow: 124.44.567.*

      and maybe there could be a difference between the access to the RefBase resources

      allow_read: *.edu     // all US universities/colleges
      allow_read: *.ac.at   // all Austrian universities
      allow_read: oneip.com
      allow_read: 124.44.567.*

      allow_create: *.edu     // all US universities/colleges
      allow_create: *.ac.at   // all Austrian universities
      allow_create: oneip.com
      allow_create: 124.44.567.*

      allow_????

      allow_full_access: Home_university.edu

      With Regards Knut

      hope you will not get too much to to features ;-)
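Knut's hostname patterns ("allow_read: *.edu") and Adrian's earlier idea of a per-feature protection level (open, password or IP) fit together naturally, and the following added example shows one way to evaluate them. It is not refbase code and not something posted in this thread: the policy table, the feature names, the DNS entries and the function names (confirmedHostname, hostMatches, featureAllowed) are constructed for the example, and the resolvers are injected so it runs offline; in a real deployment $reverseLookup would wrap gethostbyaddr() and $forwardLookup would wrap gethostbynamel(). Only hostname rules are shown; numeric IP entries are left out. The point a practitioner should take from it is that the reverse-DNS name of a client is not trustworthy on its own, since the holder of an address block can set its PTR record to any name, so the name only counts once it resolves forward to the same address.

```php
<?php
// Added example, not refbase code: Knut's hostname patterns combined with
// Adrian's open / password / ip levels, checked against forward-confirmed
// reverse DNS. Requires PHP 7.4+ (arrow functions).

// Per-feature policy. 'ip' features also carry the host patterns that may use them.
$policy = [
    'pdf'    => ['level' => 'ip', 'hosts' => ['*.edu', '*.ac.at', 'oneip.example']],
    'cite'   => ['level' => 'open'],
    'export' => ['level' => 'ip', 'hosts' => ['*.edu']],
    'edit'   => ['level' => 'password'],
];

// Constructed DNS data standing in for gethostbyaddr() / gethostbynamel().
$ptr = [
    '192.0.2.10'   => 'lib.example.edu',
    '198.51.100.5' => 'www.example.ac.at',
    '203.0.113.9'  => 'proxy.example.edu',   // PTR claims .edu, but see forward check
];
$forward = [
    'lib.example.edu'   => ['192.0.2.10'],
    'www.example.ac.at' => ['198.51.100.5'],
    'proxy.example.edu' => ['203.0.113.200'],   // does not map back to 203.0.113.9
];
// Production equivalents: fn($ip) => gethostbyaddr($ip) ?: null
//                         fn($host) => gethostbynamel($host) ?: []
$reverseLookup = fn(string $ip): ?string => $ptr[$ip] ?? null;
$forwardLookup = fn(string $host): array => $forward[$host] ?? [];

// Forward-confirmed reverse DNS: accept the PTR name only if it resolves back
// to the client address. gethostbyaddr() returns the IP itself on failure.
function confirmedHostname(string $ip, callable $reverse, callable $forward): ?string
{
    $host = $reverse($ip);
    if ($host === null || $host === $ip) {
        return null;
    }
    return in_array($ip, $forward($host), true) ? strtolower($host) : null;
}

// Match "*.edu" (any name under .edu) or an exact hostname, case-insensitively.
function hostMatches(string $host, string $pattern): bool
{
    $pattern = strtolower($pattern);
    if (substr($pattern, 0, 2) === '*.') {
        $suffix = substr($pattern, 1);   // ".edu"
        return strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix;
    }
    return $host === $pattern;
}

// Decide whether a client may use a feature. $loggedIn is the existing password
// session; host rules extend access for 'ip' features but never unlock 'password' ones.
function featureAllowed(string $feature, array $policy, string $ip, bool $loggedIn,
                        callable $reverse, callable $forward): bool
{
    $rule = $policy[$feature] ?? ['level' => 'password'];   // unknown feature: fail closed
    switch ($rule['level']) {
        case 'open':
            return true;
        case 'password':
            return $loggedIn;
        case 'ip':
            if ($loggedIn) {
                return true;
            }
            $host = confirmedHostname($ip, $reverse, $forward);
            if ($host === null) {
                return false;
            }
            foreach ($rule['hosts'] ?? [] as $pattern) {
                if (hostMatches($host, $pattern)) {
                    return true;
                }
            }
            return false;
        default:
            return false;
    }
}

foreach (['192.0.2.10', '198.51.100.5', '203.0.113.9'] as $ip) {
    foreach (['pdf', 'cite', 'export', 'edit'] as $feature) {
        $ok = featureAllowed($feature, $policy, $ip, false, $reverseLookup, $forwardLookup);
        printf("%-14s %-7s %s\n", $ip, $feature, $ok ? 'allowed' : 'denied');
    }
}
```

Run from the CLI it walks the three constructed clients through each feature: the .edu and .ac.at hosts get the features their patterns grant, 'cite' is open to everyone, 'edit' stays behind the login, and 203.0.113.9 gets nothing from its .edu PTR record because the name does not resolve back to it. A name-based rule also means two DNS lookups per request, so in practice the confirmed hostname would be cached in the session rather than resolved on every page.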