Posted to users@httpd.apache.org by Anurag Kapur <an...@gmail.com> on 2011/07/27 01:36:52 UTC
[users@httpd] Detecting and limiting access to a mobile device using a 3G network
Hi,
I am looking for ways of detecting a specific mobile device (example: my
iPhone and not my friends) accessing a resource on my publicly accessible
Apache web server so that I can restrict access to certain devices only.
Just like there are ways of detecting the user agent and IP address of the
device where the request originates from and restricting access accordingly,
is there a way to do something similar for an iPhone for example, connected
to 3G network (not wifi)?
Any pointers towards this would be highly appreciated.
Regards
Anurag
Re: [users@httpd] Detecting and limiting access to a mobile device
using a 3G network
Posted by Jeroen Geilman <je...@adaptr.nl>.
On 2011-07-27 01:36, Anurag Kapur wrote:
> Hi,
>
> I am looking for ways of detecting a specific mobile device (example:
> my iPhone and not my friends) accessing a resource on
> my publicly accessible Apache web server so that I can restrict access
> to certain devices only.
That's easy - it's called "authentication".
Set up HTTP authentication on whatever resources you want to protect,
and don't give your friends the password.
>
> Just like there are ways of detecting the user agent and IP address of
> the device where the request originates from and restricting access
> accordingly, is there a way to do something similar for an iPhone for
> example, connected to 3G network (not wifi)?
>
> Any pointers towards this would be highly appreciated.
>
> Regards
> Anurag
--
J.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Detecting and limiting access to a mobile device
using a 3G network
Posted by Mark Montague <ma...@catseye.org>.
On July 26, 2011 19:36 , Anurag Kapur <an...@gmail.com> wrote:
> I am looking for ways of detecting a specific mobile device (example:
> my iPhone and not my friends) accessing a resource on
> my publicly accessible Apache web server so that I can restrict access
> to certain devices only.
>
> Just like there are ways of detecting the user agent and IP address of
> the device where the request originates from and restricting access
> accordingly, is there a way to do something similar for an iPhone for
> example, connected to 3G network (not wifi)?
The type of network doesn't make a difference, unless you're basing
device identification on a device's MAC address on a local area
network. Even then, MAC addresses can be spoofed.
I'm not aware of anything intrinsic to the iPhone -- or any other client
-- that uniquely identifies the device. And even if there was
something, you would not be able to rely on it since malicious
clients/devices (e.g., your friends') could simply lie about it. This
is (in part) why you can't rely on user agent or IP address to identify
devices.
The standard solution in this sort of situation is for you to set up
your web server to require end user authentication. You would then
visit the web page using your device, and enter your username and
password. Your web server could then set a cookie in your device's web
browser that would be sent on every request that your device makes to
your web server, and you would not have to authenticate again until
the cookie expired.
Another solution is to use SSL client certificates. This gets around
the need for usernames, passwords, and cookies, but it requires you to
use HTTPS for restricted content (which is a good thing to do, even if
you're not using SSL client certificates). Configure Apache HTTP Server
to require client certificates for restricted content, generate a
certificate, and load the certificate onto your iPhone. Your web server
will then be able to uniquely identify your iPhone and differentiate it
from all other devices. If the private key for your certificate is
somehow stolen (which is unlikely unless you leave it lying around), you
can revoke the old certificate, generate a new private key, and obtain a
new certificate.
--
Mark Montague
mark@catseye.org
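
The client-certificate setup described in the reply above, as an added example that is not part of the original thread. It assumes Apache HTTP Server 2.4 with mod_ssl; the hostname, file paths and the certificate common name `my-iphone` are hypothetical placeholders.

```apache
# Added example; hostname, paths and the certificate CN are assumptions.
# Files assumed to exist, issued by a private CA that you control:
#   device-ca.crt  CA certificate that signed the phone's client certificate
#   device-ca.crl  CRL published by that CA (PEM), used for revocation
#   server.crt/.key  the server's own certificate and private key

<VirtualHost *:443>
    # Dedicated virtual host for the restricted content.
    ServerName private.example.org
    DocumentRoot /var/www/private

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust anchor for client certificates: only the private CA, not the
    # system bundle, so certificates from public CAs are never accepted.
    SSLCACertificateFile  /etc/apache2/ssl/device-ca.crt

    # Revocation: a stolen certificate is rejected once it is on the CRL.
    SSLCARevocationFile   /etc/apache2/ssl/device-ca.crl
    SSLCARevocationCheck  leaf

    # Set at virtual-host level so the certificate is requested during the
    # initial TLS handshake rather than in a later renegotiation.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location "/">
        # Weak, shown for contrast only: the User-Agent header is chosen by
        # the client, so this filters honest clients and nothing else.
        #Require expr "%{HTTP_USER_AGENT} =~ /iPhone/"

        # Strong: the handshake proved possession of the private key for a
        # certificate signed by device-ca.crt. The CN comparison pins access
        # to one device if the CA has issued certificates to several.
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_CN} == 'my-iphone'"
    </Location>
</VirtualHost>
```

The phone needs the client certificate and its private key installed together (typically as a PKCS#12 bundle); only the CA certificate and CRL ever live on the server.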