I am working on an MVC3 application that will be hosted on IIS7 with a SQL Server repository.
I need to limit certain actions on the site to a single machine and I am trying to figure out the best way to implement this.
I am using forms-based membership with roles for login accounts, but because of our client they don’t want the “sign in” machine to require a special login account, so I need another way to confirm that you are on the correct machine to perform “sign in” activities. If a staff member is at home and logs into the site, we don’t want them accessing certain functions from anywhere but the one designated computer.
We also need the capability of letting an admin easily change the “sign in” computer in case of equipment failure.
Machine name or IP address is really not a horridly secure way to do this — really easy to spoof. You really should be authenticating against an external source, not checking whether an easily changeable (with the right tools) magic machine name is the same.
What you might want to look at here is client certificates — AFAIK, they can be installed on a machine (rather than user) level, there is lots of baked in support and you aren’t rolling your own security scheme.
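One way to wire the client-certificate approach into an MVC3 controller, as an added example that is not part of the answer above: an authorization attribute that keeps the normal forms-auth/role checks and additionally requires the request to carry a client certificate whose thumbprint matches a value an admin can edit in Web.config. The attribute name `RequireSignInMachine`, the appSetting key `SignInMachineThumbprint`, and the assumption that IIS7 is configured to accept client certificates on the site (SSL Settings → Client certificates: Accept or Require) are all this example's choices, not anything from the original question or answer.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Mvc;

// Added example (hypothetical attribute, not from the original answer).
// Assumes Web.config contains:
//   <appSettings>
//     <add key="SignInMachineThumbprint" value="PLACEHOLDER-THUMBPRINT" />
//   </appSettings>
// An admin updates that value (and installs the new machine certificate)
// when the designated "sign in" computer has to be replaced.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class RequireSignInMachineAttribute : AuthorizeAttribute
{
    private const string ThumbprintSettingKey = "SignInMachineThumbprint";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Forms authentication and role membership are still required;
        // the machine certificate is an additional factor, not a replacement.
        if (!base.AuthorizeCore(httpContext))
            return false;

        HttpClientCertificate clientCert = httpContext.Request.ClientCertificate;
        if (clientCert == null || !clientCert.IsPresent || !clientCert.IsValid)
            return false;

        string expected = ConfigurationManager.AppSettings[ThumbprintSettingKey];
        if (string.IsNullOrEmpty(expected))
            return false; // fail closed when no machine has been designated

        X509Certificate2 presented;
        try
        {
            presented = new X509Certificate2(clientCert.Certificate);
        }
        catch (CryptographicException)
        {
            return false; // malformed certificate bytes: treat as not authorized
        }

        return ThumbprintsMatch(presented.Thumbprint, expected);
    }

    // Thumbprints are often pasted with spaces or mixed case; normalise both sides.
    private static bool ThumbprintsMatch(string presented, string expected)
    {
        if (presented == null || expected == null)
            return false;
        string a = presented.Replace(" ", string.Empty).ToUpperInvariant();
        string b = expected.Replace(" ", string.Empty).ToUpperInvariant();
        return string.Equals(a, b, StringComparison.Ordinal);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A logged-in user on the wrong machine should get a 403, not be bounced
        // to the login page; unauthenticated users keep the default redirect.
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(
                (int)HttpStatusCode.Forbidden,
                "This action is only available from the designated sign-in machine.");
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage on the actions that must only run from the designated machine:
public class SignInController : Controller
{
    [RequireSignInMachine(Roles = "Staff")]
    public ActionResult SignIn(int memberId)
    {
        // ... record the sign-in ...
        return View();
    }
}
```

Because the check compares a certificate the client had to present during the TLS handshake rather than a self-reported machine name or an IP address, a staff member at home cannot satisfy it by renaming their PC or spoofing a header; replacing the designated machine is then a matter of installing a new machine certificate and updating the single appSetting.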