[macb6497]

Hello,

I'm currently using PHP to authenticate users to their account.

I don't want to use cookies because the users can not only modify the information in there, figure out what methods I use to identify them, but the users who don't allow cookies will not be able to login.

I simply want to use a quick session that gets the client's local IP address, i.e. 192.168 or 10.0, for the most part and the MAC address only if someone knows how to do that.

I don't want to use "$_SERVER['REMOTE_ADDR'];" OR "gethostbyaddr($_SERVER['REMOTE_ADDR']);" for this method.

<?php

session_start();

$_SESSION['IPADDR'] = method to get IP address;

$SESSION['MAC'] = method to get MAC Address' (only if someone knows how to)


session_unset($_SESSION['IPADDR']); //ensures the variables were destroyed
session_unset($_SESSION['MAC']);

session_unset();//ensures the variables were destroyed. This is after the direct specification of the variables because it deletes everything instead of looking for a specific variable, which could cause an error I don't need.

session_destroy();



?>

Thanks,

This post has been edited by Martyr2: 02 December 2010 - 07:41 PM
Reason for edit:: Please use code tags in the future, thanks!

[Martyr2]

1) PHP sessions are either cookie based themselves or you have to propagate the session id in the URL. The session id of a session is typically stored as a cookie or passed along in the URL. So keep that in mind.

2) You can't find the mac address of a user using strictly PHP unless they were on your network and local to them. Even if you could, you probably wouldn't want to because you still want users to be able to login using different computers from time to time. What if they want to access their account from their laptop while they are on the road?

3) IP addresses can be spoofed, sometimes PHP fails to get them even from $_SERVER and if you did want the IP, you get it using $_SERVER since the IP address is run through the web server as part of the user's request. Now theoretically you could use something like javascript but again there is no real point to it.

Just set them up with a username and password and that way they can access their account from any machine as long as they enter the right credentials, if they have cookies disabled they can still use the login/pass and if they have the right user/pass you can safely assume it is the right person.

There are reasons why sites use username/password combos when it comes to accessing accounts on websites. Hope this helps!

[JaKWaC]

* Removed after reading the question again.

This post has been edited by JaKWaC: 03 December 2010 - 08:43 AM