I’m upping my security on my website, because some of my users were
questioning the security, but all I can say is no one can view your
password (dual hashed using SHA-512 and then md5), but they reply, but what if they get into my account they
can change my password and play around with my account.
So I’m going to up my security kind of like Steam’s security where you can’t login to a
new computer without them sending you a random key. I’m trying to think of a way to do it, so I’ve got it so it will store a little array in my database that will have all the computers that the user has logged in to with.
But I need some data so that my script can check it but I’m not quite sure what data, I was thinking of the IP address but you can’t get it without an external source e.g whats my ip and other sites like that. I need some data that doesn’t change with the same browser/computer.
So question is, I need some data that is unique to the browser he/she is using but it does change if he/she is on a different computer or browser.
It is possible to implement some security in your web application on IP level. As a matter a fact, for example, in the company I am working it’s possible to log in with “Administrator” account only from the devices connected in company network – a given range of IP address.
If you want to implement this technique for each user, you will meet a lot of issues because your users can be behind some proxy server, that is changing their IP address on each log in or on given interval of time.
They are different types of proxies and you can detect when the user is using some of them, and then retrieve the real IP address of the user – check this HTTP headers:HTTP_X_FORWARDED_FOR, HTTP_VIA AND REMOTE_ADDR EXPLAINED and more specific this X-Forwarded-For one.
Any way, they are a lot of techniques to hide you IP address like proxy servers and applications like HideMyAss that makes the whole thing pretty easy.
Anyway, even your users send to you a specific set of email address that you will store in your database and check if the users are connected to your application using them, the same possibility for abuse, using your account (as the passwords) is faced again. The IP addresses will be just an other field in your database table. So, if anyone can change the passwords, he might be able to add an other new IP to the IP list that your are checking.
I think that the best think to do, is to implement such IP security only for your administrator account. Then, you and your clients will be calm that no one can join with it and change their passwords.