In my ASP.NET MVC application I need to allow only one click, or rather a calculation triggered by the button click, only once per IP. E.g.: each user can vote only once. Is it possible to do this with C#? Where is the right place to start, please? Let me know if I need to rephrase the question. Thanks!
There are numerous ways to do this, that I have done with my app.
First, IP address is a good way, though not 100%, as many people can share a single IP address and people can also restart their connections and get a new IP address. So storing voters' IP addresses in the database is a good start.
Second, you can use cookies. That again isn't a 100% secure approach, as people can delete them. However, you can use this in conjunction with the IP address.
Third, if you have a Facebook app, this is where you can get the best security. You just check the Facebook UserId. You can do this if you make your voters log in with Facebook as well, even if your app isn't a custom Facebook app on a page tab.
So for coding sakes you need a database to store these values and check against when viewing. However, in a high-traffic site it lends itself to being very DB heavy, so some caching is also a good start (if you are on shared grid/webfarm hosting, make sure your cache is not in-process).
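One way to code the check this answer describes, combining the IP address with the cookie. This is an added C# example, not code from the original post; `VoteGuard`, `TryRegisterVote` and the in-memory set are assumptions for illustration, standing in for the database or out-of-process cache the answer calls for.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not from the original answer): records one vote per
// poll for each IP address and each cookie token, whichever is seen first.
public sealed class VoteGuard
{
    private readonly HashSet<string> _seen = new HashSet<string>(StringComparer.Ordinal);
    private readonly object _gate = new object();

    // Returns true only for the first vote. The check and the write happen
    // under one lock, so two rapid clicks cannot both pass.
    public bool TryRegisterVote(int pollId, string ipAddress, string cookieToken)
    {
        string ipKey = pollId + "|ip|" + ipAddress;
        // A missing cookie is not a free pass: the IP check still applies.
        string cookieKey = string.IsNullOrEmpty(cookieToken)
            ? null
            : pollId + "|ck|" + cookieToken;

        lock (_gate)
        {
            if (_seen.Contains(ipKey)) return false;
            if (cookieKey != null && _seen.Contains(cookieKey)) return false;

            _seen.Add(ipKey);
            if (cookieKey != null) _seen.Add(cookieKey);
            return true;
        }
    }

    public static void Main()
    {
        var guard = new VoteGuard();
        // Constructed sample requests (documentation-range IPs).
        Console.WriteLine(guard.TryRegisterVote(1, "203.0.113.7", "tok-a"));  // first vote
        Console.WriteLine(guard.TryRegisterVote(1, "203.0.113.7", null));     // cookie deleted, same IP
        Console.WriteLine(guard.TryRegisterVote(1, "198.51.100.9", "tok-a")); // new IP, same cookie
        Console.WriteLine(guard.TryRegisterVote(2, "203.0.113.7", "tok-a"));  // different poll
    }
}
```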
Yes, totally agreed with Joel Coehoom.
I would suggest using the MAC address in this case.
For help with this, try the following links:
PhysicalAddress
Get MAC address of client machine using C#
I have an ASP.NET website (not MVC) and I need to ban a person if he tried to enter the admin page and failed a couple of times. How could I achieve that programmatically and efficiently?
I know that I can ban someone's IP, but he could use a proxy server or a VPN.
Just for your info:
I would like to store my banned IPs in a SQL Server database. I know how to do it.
Edit:
Also, if I ban an account the banned person could just make a new account, so neither IP bans nor account bans are good solutions. So correct me if I am wrong, but neither account bans nor IP bans would work.
You may put Windows Events to work for you.
Using the right script in PowerShell you can check the Windows Event Logs to get the wrong authentications and ban them through the Firewall rules. This kind of procedure works better when using MS-SQL, since SQL creates its own "bad login" events.
I mean:
1- Check the event log to see if there are some status codes that indicate "wrong login". It can be done via a schedule (for instance every 5 minutes) calling a PowerShell script to check the correct LOG files.
2- If there are some events, copy the IP and set it into the Firewall rules (IN and OUT). For instance, put the detected IP in a BLOCK rule, at any TCP port.
3- I recommend logging these IPs in a text file to see, at the end of some period (day, week), which IPs were banned. Clean them up on a time basis (e.g. once per month).
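The bookkeeping behind the three steps above, as an added C# example that is not part of the original answer. `FailedLoginBanList`, the threshold of 3 failures, the 5-minute window and the 30-day ban are assumptions; reading the event log and writing the firewall rule are left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical sketch of the scheduled job's bookkeeping (not from the original answer).
public sealed class FailedLoginBanList
{
    private readonly int _threshold;
    private readonly TimeSpan _window, _banLength;
    private readonly Dictionary<string, List<DateTime>> _failures = new Dictionary<string, List<DateTime>>();
    private readonly Dictionary<string, DateTime> _bannedUntil = new Dictionary<string, DateTime>();

    public FailedLoginBanList(int threshold, TimeSpan window, TimeSpan banLength)
    {
        _threshold = threshold; _window = window; _banLength = banLength;
    }

    // Steps 1-2: feed one failed-login event (in time order); true means "add a block rule now".
    public bool RecordFailure(string ip, DateTime when)
    {
        if (!_failures.TryGetValue(ip, out var times))
            _failures[ip] = times = new List<DateTime>();
        times.Add(when);
        times.RemoveAll(t => when - t > _window);   // keep only failures inside the sliding window
        if (times.Count < _threshold || _bannedUntil.ContainsKey(ip)) return false;
        _bannedUntil[ip] = when + _banLength;
        return true;
    }

    // Step 3: drop bans whose time is up and return them so the caller can remove the rules.
    public List<string> Expire(DateTime now)
    {
        var expired = _bannedUntil.Where(kv => kv.Value <= now).Select(kv => kv.Key).ToList();
        foreach (var ip in expired) { _bannedUntil.Remove(ip); _failures.Remove(ip); }
        return expired;
    }

    public static void Main()
    {
        var bans = new FailedLoginBanList(3, TimeSpan.FromMinutes(5), TimeSpan.FromDays(30));
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        // Constructed sample events: (IP, seconds after t0).
        var events = new[] { ("203.0.113.7", 0), ("203.0.113.7", 20), ("198.51.100.9", 30), ("203.0.113.7", 45) };
        foreach (var (ip, offset) in events)
            if (bans.RecordFailure(ip, t0.AddSeconds(offset)))
                Console.WriteLine("block " + ip);   // the job would add the firewall rule and log the IP here
        Console.WriteLine("unblock " + string.Join(",", bans.Expire(t0.AddDays(31))));
    }
}
```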
So I have ga.js code tracking orders in my web application. These are then picked up in the Conversions-->Tracking-->Transactions section in Google Analytics. The thing is, I'm getting on average 80-90% of my orders showing up in GA. I've read online that it is normal that a small percentage of orders won't show up in GA. Is this a correct assumption to make?
Yes it is correct because many users block monitoring sites like that one.
The information is sent by a JavaScript call, which also means that users with JavaScript disabled, or who get a JavaScript error on the page, also fail to send that info to Google.
The blocking can be done either by using antivirus/anti-malware programs, or directly by adding some site names to the hosts file of the system and changing the IP to localhost so they fail to run. It's an easy trick if you try to avoid some sites that monitor you.
If you are wondering whether there is a way to always send that info regardless of whether the user blocks it, yes there is: you send that information from code-behind directly to the Google server, but it's a little complicated.
And one tip: better keep that info for yourself only.
In brief, we have a website built in ASP.NET C# that we're adding a login area to for people to see some paid-for content. There will be different levels of account, one which when logged in can download say 10 documents a day, another that can download 20 etc....
What the client has also now asked for is can they sell unlimited access to this facility to a customer, where that customer will only be able to get this unlimited access when using some specific computers.
Really don't know if there is an elegant solution to this? I'm thinking MAC addresses must be the key, but as far as I know the C# code doesn't have direct access to that? Have read that JavaScript will be too unreliable in its getting of the MAC address...and that writing a Java applet may be the only way.
Does anyone else have a better suggestion than this?
Any help would be greatly appreciated.
You are looking for the idea of Device Fingerprinting. Since this is a web application, you need the sub-field of Device Fingerprinting known as Browser Fingerprinting.
It is pretty easy to get browser fingerprinting right 80% of the time, and quite hard to get it right 100% of the time.
Have a look at Panopticlick (from the EFF) to get an idea of how it works.
There are several commercial software providers that provide solid Browser Fingerprinting as a service.
Although the general case is not easy, your specific case may be easier. For example, if you sell access to a company that is large enough to route all traffic through one or a few well-known IP addresses, you could just use that IP to authenticate users.
Alternatively, or specifically if you need to allow only certain computers within a facility, you could create a browser plugin that checks hardware (like the MAC address) and makes that information available to your authentication code.
Getting this kind of code right (in that it shows neither false positives nor false negatives, and is tolerant to changes in hardware such as a NIC upgrade) is very hard. It may be worthwhile to use a commercial browser fingerprinting company.
Is there a way that you can rely on static IP addresses? I know that, depending on the site these can change, but so can network cards (though this is less common).
Another question: Do you wish to restrict to individual machines, or simply make sure that only "N" licenses on that address are used? If this is the case, you can keep track of N license records on your side, with a corresponding cookie on the machine (perhaps a concatenation / hash of the IP address and license key signed with your private key) which expires after a week or what-have-you.
You have your own database / list of IP address, license key, and expiration date, and so if a computer logs on with an invalid cookie (IP address doesn't match what its license is associated with in your DB, to prevent copying cookies across), if a license is available in your DB (due to one pairing expired / never being used), give them the new license (and the benefit of the doubt). If it isn't available, give a polite "no more licenses are available, here's our sales number" message. This means that the IP address in your database is more of a reference thing, but it will also slow down "computer hopping", as these records will not expire until "a week or what-have-you" has passed. If a computer logs on with a "Valid IP" (in your DB) but no cookie / invalid cookie, re-issue that cookie with the same license as before with a new expiration date. Maybe. Maybe the same expiration date.
If IP addresses change slowly at the customer's site, this should work. If they change more than once per computer per timeframe, this could pose problems.
The initial distribution of these licenses could be "first come, first serve", and rely on a network address range and logins.
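A sketch of the IP-bound, expiring license cookie described in this answer, added here and not code from the original post. It assumes an HMAC-SHA256 tag with a server-side secret instead of the private-key signature the answer mentions; `LicenseCookie` and its methods are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the original answer); HMAC-SHA256 replaces the private-key signature.
public sealed class LicenseCookie
{
    private readonly byte[] _key;
    public LicenseCookie(byte[] key) { _key = key; }

    // Cookie value: "licenseKey|ip|expiryTicks|mac" (license keys are assumed to contain no '|').
    public string Issue(string licenseKey, string ip, DateTime expiresUtc)
    {
        string payload = licenseKey + "|" + ip + "|" + expiresUtc.Ticks;
        return payload + "|" + Mac(payload);
    }

    // Returns the license key when the cookie is authentic, bound to this IP and unexpired; otherwise null.
    public string Validate(string cookie, string requestIp, DateTime nowUtc)
    {
        string[] parts = (cookie ?? "").Split('|');
        if (parts.Length != 4) return null;
        if (!FixedTimeEquals(Mac(parts[0] + "|" + parts[1] + "|" + parts[2]), parts[3])) return null; // forged or edited
        if (parts[1] != requestIp) return null;                                   // cookie copied to another machine
        if (!long.TryParse(parts[2], out long ticks) || ticks <= nowUtc.Ticks) return null; // expired
        return parts[0];
    }

    private string Mac(string payload)
    {
        using (var hmac = new HMACSHA256(_key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Compare every character so timing does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()   // constructed sample values below
    {
        var cookies = new LicenseCookie(Encoding.UTF8.GetBytes("constructed-demo-secret"));
        var now = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        string c = cookies.Issue("LIC-001", "203.0.113.7", now.AddDays(7));
        Console.WriteLine(cookies.Validate(c, "203.0.113.7", now) ?? "rejected");
        Console.WriteLine(cookies.Validate(c, "198.51.100.9", now) ?? "rejected");
    }
}
```

The server-side table of license key, IP address and expiration date from the answer is still needed to decide whether a rejected machine may be issued a free license.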
There are sexier answers already provided. Would good old/boring digital certificates suffice?
I have a school project with a friend of mine and we are developing a software product (in C#) that reads a value from a hardware sensor through serial com (from Arduino). Depending on that value we want to be able to blacklist certain IPs and domains and re-route them to an HTML file that informs the user that that webpage has been blocked.
What methods are there? The only thing we have come to think about so far is to just use simple file handling and edit the .hosts file, but that's not flexible at all really. Is there maybe an API for the Windows firewall or something like that that can be used?
Thanks in advance
Controlling the Windows firewall can easily be done through COM: http://www.shafqatahmed.com/2008/01/controlling-win.html
However, that isn't going to get you to redirect to a certain page.
If you want to redirect to a page you would have to intercept all traffic. I assume HTTP. So you can either put an application that listens on port 80 and redirects, or use sockets.
More information on sniffing packets can be found here: http://www.techpowerup.com/forums/showthread.php?t=61792
Well, I need to build 2 applications: one where users register themselves (where the server is), and another where the administrator can see who has registered. But he doesn't have time to go to where the server is, so he needs to view the information from another place. I haven't been able to do it. My other idea is to use web services, but I don't know how to publish the web service on the internet so that other PCs can consume it. Then, for application 2, what will the connection string be? I thought of using the IP, but when I checked what the IP address is, I saw that the IP is dynamic and changes when the computer (where the server is) is turned on. So how can I do it? (I couldn't get a connection with the IP, and I couldn't with the name of the computer.)
[heavily edited - hope I maintained the spirit] I want to use a web service, but I don't have a great way to connect to it. I thought about using the IP address, but the IP address is dynamic
If you have servers that must remain available, they must be registered in some form of hostname lookup service, such as DNS. Most people do this by maintaining a corporate intranet, using a hosting service to serve their database/application, or using a dynamic DNS service such as DynDNS.
[heavily edited...] I need two applications, one for users to register themselves, and the other for the administrator to see who has registered, without going to the server...
If this information is just for humans to read:
You could simply create a shared source of this information, such as an internal Wiki, or an Excel document on a Windows network share, or a Microsoft SharePoint site, and let users write new entries to it. The admin would simply read that document to find out the information. This is much more light-weight, and could be reused for many other purposes.
There is a lot of existing free wiki/CMS software you could install and use for this purpose.
If you need this to be accessible by other programs, rather than just human readers:
You'll have to make some sort of database, and possibly a web service to access it. Unfortunately, you'll need a lot more information for anyone to give you a good answer for these needs. Any answer will make a lot of assumptions, and might put you in a bad spot in terms of scalability, performance, security, or reliability.
Some basic questions to get you started (certainly not a complete list) - How many users? Where will they be located with respect to your servers (both this application you are writing, and the servers that the application seems to provide information about)? How safe must the information be? How much data? But even with this data, it is hard to recommend any sort of application design or network topology without knowing all of your requirements.
If you need this to be reliable and secure (e.g. you're supporting more than just yourself and a couple users), you'll probably need to turn this into a serious project, and devote business research, design, development, and IT resources to it. These resources can all be one person, but you should really go through all the motions if you don't want it to be an unmaintainable, insecure mess.