Application Security

Discussion in 'PHP' started by koolsamule, Nov 5, 2010.

  1. #1
    Hi Chaps,

    I have a PHP Application, hosted on IIS 7 Server.

    The Application needs to be secure for a customer (based in Germany).

    The problem I face is that the only security I have used is cookies.
    The customer, however, does not want to use cookies, due to the difficulty of managing these cookies at their end.

    Their solution would be to use some sort of IP Address based security, where only access from certain IP Addresses would be permitted.

    The problem I see with this is that the customer has numerous different 'sites' across Germany, which would have their own servers and therefore different IP Addresses and in some cases, no server at all.

    So my questions are:

    1. Is IP Address security a viable option?
    2. Would the customer's request be a valid concern?
    3. What would be the best practice of implementing the request?

    Many thanks
     
    koolsamule, Nov 5, 2010
  2. #2
    You don't need a server to use IP address authentication. Just get each user to go to something like www.whatismyip.com and get their internet-facing IP address. As long as it's static, you will only have to do this once for each user.

    Failing IP authentication, you have numerous other options. You could set up a VPN, or use SSL with client-side certificates... or just use server-side SSL and password authentication, and store the login data in a session rather than a cookie (sessions still set a client-side cookie, though, to track the session).
     
    bencummins, Nov 5, 2010
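
One way to implement the IP address check discussed in this thread, as an added example that is not part of either post. It goes beyond the thread by matching CIDR ranges and IPv6 as well as single addresses; `ALLOWED_RANGES`, `ip_in_cidr` and `is_allowed` are hypothetical names, and the listed ranges are constructed documentation addresses standing in for the customer's sites.

```php
<?php
// Constructed documentation ranges (RFC 5737 / RFC 3849), one per hypothetical site.
const ALLOWED_RANGES = [
    '192.0.2.10/32',       // site A: single static address
    '198.51.100.0/24',     // site B: whole office range
    '2001:db8:1234::/48',  // site C: IPv6 prefix
];

// True when $ip lies inside $cidr; any unparsable input fails closed.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // bad address or mixed IPv4/IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
        return false;                       // malformed or oversized prefix length
    }
    $bits = $bits === null ? $max : (int) $bits;
    $full = intdiv($bits, 8);               // whole bytes covered by the prefix
    if (strncmp($ipBin, $netBin, $full) !== 0) {
        return false;
    }
    $rest = $bits % 8;                      // remaining bits in the next byte
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function is_allowed(string $ip): bool
{
    foreach (ALLOWED_RANGES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer; X-Forwarded-For is client-supplied, so it is not used.
if (PHP_SAPI !== 'cli' && !is_allowed($_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Forbidden');
}
```

Include it at the top of every entry script. Sites without a static address cannot be listed, which is where the VPN or client-certificate options from the reply come in.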