How can I find a user's MAC address

Hi all,

I have a requirement,

I need to check the user’s MAC address and if the MAC address is correct
then I have to allow him to log into the website.

I used the ‘macaddr’ gem but this gives me my server’s MAC address.

How can I find the MAC address from where the user is accessing the
website?

Please help me!

Thanks in advance
Rajesh

To the best of my knowledge you can’t get this from a web connection.
The information is not shared.

Also a single PC can have more than one MAC address (one per ethernet
connection) plus any device that the PC connects through, such as the
router, will have several.

It is also trivial to change the MAC address on any system and so
cannot be trusted (any more than you can trust anything else)

http://whatismyipaddress.com/change-mac

Thanks Peter,

Is there any other way you can suggest,
so that I can allow the user to access the website only from one particular
computer or a couple of computers or a LAN?

Well you could always look at the user’s IP address, this is available
and a little harder to fake.

If the server and the clients are all on the same LAN then they should
belong to a private subnet. It would be easy to check that.

If they are from outside (i.e. not a private subnet) you can look at
this environment variable REMOTE_ADDR. A quick look here will show you
what is available in a normal HTTP request (HTTP ENVIRONMENT VARIABLES)
but this will assume that the clients have static IP addresses.

Also look for the X-Forwarded-For header if the connection is via a
proxy.

Other than that you could go with an HTTPS connection with custom
certificates, but only if you ARE COMPLETELY MAD!!!

Been there, done that. Never again :(

Thanks Pete :)

maybe some addon for browser, to submit macs to server

On 2011-10-24, 18:47, “Rajesh B.” [email protected] wrote:

On 2011-10-24 19:14, Rajesh B. wrote:

Ryan,

You mean shall I use a hidden form to submit the user’s MAC address while
logging in?

Rajesh,

You have to talk to OS to access MAC, so you may need something like
ActiveX to help you.
and the addon could talk to server with standard HTTP protocol

so before any further, suggest to get back to the solution, try in other
way.

thx

Ryan,

You mean shall I use a hidden form to submit the user’s MAC address while
logging in?

On Mon, Oct 24, 2011 at 6:13 PM, Rajesh B. [email protected]
wrote:

I need to check the user’s MAC address and if the MAC address is correct
then I have to allow him to log into the website.

unless all your users are in one lan, you cannot get their mac addr.

if you’re in an intranet and you are the sysad who has full access of
your company’s routers, then it is indirectly possible by accessing
each of your router’s arp table.

kind regards -botp

On 10/24/2011 08:40, Ryan Wong wrote:

and the addon could talk to server with standard HTTP protocol

so before any further, suggest to get back to the solution, try in other
way.

There is a deeper problem here, and that is the fact that you have to
trust the client to be honest about its MAC address. As was pointed out
earlier, the MAC address of a machine is pretty trivial to change, but
if you rely on the client itself to report its MAC address to the
server, the client may report anything at all without even touching the
system.

In a real security situation, you can’t trust the client to be honest
about anything (it could always be hacked and likely will be if the
information it accesses is important enough), so the only thing the
server can count on is information it can confirm for itself.

Rajesh, your requirement to limit the client machines which are able to
access your server is possible but can only be used to help harden
your server. Any method you attempt will be portable to other machines
by someone with the knowledge and access to do so, so you’ll also need
user authentication.

There are a couple options I can think of available to you:

  1. Use SSL client authentication as mentioned previously.
  2. Use VPNs between the clients and the server.

SSL client authentication isn’t frequently used in web applications as
far as I know, so its use is likely to be difficult. You’ll need to
check browser support and find a secure way to generate and distribute
the client keys. Your application stack will also need to somehow be
configured to reject unauthenticated connections.

A VPN may be a better solution. OpenVPN supports client authentication
with SSL, so you still have the client key problem to manage with that.
Other VPN solutions will be fundamentally similar. However, the web
browser can be used as usual once the VPN is up, and your application
can be configured to only listen on the subnet of the VPN, thereby being
completely unavailable to external clients.

There is a third, simpler option. Trust the user and ignore the
machine. Set up authentication in your application and train the
users to only operate from trusted systems. If you want to steer the
users away from untrusted systems, have your application check their IP
addresses against a white list of trusted addresses and refuse them
access as necessary, but don’t count on this as anything more than a
courteous reminder to the legitimate users to use trusted systems.

The advantage of this solution is that it should be much easier to set
up and maintain. Depending on what your application is protecting, it
may be sufficient for your needs.

-Jeremy
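
An added example, not code from any poster in this thread: the IP check suggested above (REMOTE_ADDR, X-Forwarded-For behind a proxy, a list of trusted addresses) written as a Rack-style middleware in plain Ruby. It goes one step beyond the posts by reading X-Forwarded-For only when the direct peer is a known proxy, since any client can send that header. The class name `IpAllowlist` and the CIDR ranges passed to it are assumptions.

```ruby
require 'ipaddr'

# Rack-style middleware (plain Ruby, no gems): admit only allowlisted client IPs.
class IpAllowlist
  # allowed:         CIDR strings for permitted clients (assumed values)
  # trusted_proxies: CIDR strings of reverse proxies whose X-Forwarded-For is believed
  def initialize(app, allowed:, trusted_proxies: [])
    @app = app
    @allowed = allowed.map { |cidr| IPAddr.new(cidr) }
    @trusted_proxies = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    ip = client_ip(env)
    return @app.call(env) if ip && @allowed.any? { |net| net.include?(ip) }

    [403, { 'content-type' => 'text/plain' }, ["Forbidden\n"]]
  end

  # REMOTE_ADDR is the TCP peer the server itself observed. X-Forwarded-For is a
  # request header any client can set, so it is read only when the peer is a
  # trusted proxy; otherwise the peer address is the answer.
  def client_ip(env)
    peer = parse(env['REMOTE_ADDR'])
    return peer unless peer && trusted_proxy?(peer)

    hops = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map { |hop| parse(hop) }
    return peer if hops.empty?          # proxy talking to us on its own behalf
    return nil if hops.any?(&:nil?)     # malformed header: fail closed

    # Entries to the left may be forged by the client; the rightmost hop that
    # is not one of our proxies is the address our proxy actually saw.
    hops.reverse.find { |hop| !trusted_proxy?(hop) } || hops.first
  end

  private

  def trusted_proxy?(ip)
    @trusted_proxies.any? { |net| net.include?(ip) }
  end

  def parse(text)
    text = text.to_s.strip
    return nil if text.empty? || text.include?('/')
    IPAddr.new(text)
  rescue IPAddr::Error
    nil
  end
end
```

In a Rack application this would be mounted with `use IpAllowlist, allowed: [...], trusted_proxies: [...]`, with user authentication still in place behind it.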