First of all,”Uid Web Authentification” is an authentification system used by web applications(but not only) that works like in the scheme below:
In brief,you run a compiled php from your computer that sends the mac adress to mysql,after that,you check from the web interface if the submited mac adress coresponds to the corect one(stored in mysql),and if there is a match betwen them,you are successfully logged to your administration area.
So,how do you do that?Let`s see,first of all,you need a php->exe compiler,I used http://www.bambalam.se/bamcompile/ and it works pretty nice.After you downloaded bamcompile,you need a mysql database,in fact,you only need a table with with the following properties(or something simillar):
After that,we need a web interface,so here we go:
<?
//we need to standardize the time format betwen client and the server.
//because bamcompile compiles only php 4 code, date_time_set function does not work,so we need a function that converts hours and minutes
//into seconds,so we can compare time intervals easily.
function time_in_seconds($string){
$string = explode(':',$string);
$string[0] = $string[0] * 3600;
$string[1] = $string[1] * 60;
$time_in_seconds = $string[0] + $string[1] + $string[2];
$time_in_seconds = (int)$time_in_seconds;
return $time_in_seconds;
}
if(isset($_GET['servertime'])){
print date('h:i:s');
}
//mysql connection
$sql_con = mysql_connect("localhost","root","");
if(!$sql_con){
die('Could not connect: ' . mysql_error());
}
mysql_select_db("test1234", $sql_con);
//this section of the page receives data from the .exe and inserts the data in the table.
if(isset($_GET['insert'])){
$ip = $_SERVER['REMOTE_ADDR'];
$date = date('m.d.y');
$time = $_GET['time'];
$key = $_GET['key'];
$sql = mysql_query("INSERT INTO uid_log (ip , date , time , mac) VALUES
('$ip' , '$date' , '$time', '$key')");
}
//this section verifies if the mac adress submited by the .exe coresponds.
if(isset($_POST['extract'])){
$count = mysql_num_rows(mysql_query("SELECT * FROM uid_log"));//////we load the last entry
$sql_query = mysql_query("SELECT * FROM uid_log where id=$count");//from the table
while($row = mysql_fetch_array($sql_query)){
if($row['mac'] == '00-1D-6A-96-5F-FC' && $row['ip'] == $_SERVER['REMOTE_ADDR'] // we check if the mac adresses and the ips coresponds
&& time_in_seconds($row['time']) + 60 > time_in_seconds(date('h:i:s')) ){//we also need to ensure that a minute has not passed since the data has been submited by the .exe
echo '<center>Welcome!</center><br/>';
}
else{
print '<center>Go away!</center>';
}}}
print '
<center>
<form action="'. $_SERVER["PHP_SELF"] .'" method="post">
<input type="radio" name="extract" style="visibility:hidden" checked="checked" />
<input type="submit" value="Login">
</form>
</center>';
?>
And the code that`s about to be compiled looks like this:
<?
$string = file_get_contents('http://localhost/hid/simple.php?servertime=a');//first of all,we need the complete the time standardization
$pattern = '/[0-9]+:[0-9]+:[0-9]/';//a regex designed to grab the server's time format
preg_match($pattern,$string,$match);
exec("getmac", $output);//and we grab the mac adress
$output = implode(" " , $output);
preg_match_all('/[a-zA-Z-0-9]+-[a-zA-Z-0-9]+-[a-zA-Z-0-9]+-[a-zA-Z-0-9]+-[a-zA-Z-0-9]+-[a-zA-Z-0-9]{2}/',$output,$macmatch);//of course,with some help from regexs
$url = 'http://localhost/hid/simple.php?insert=true&time=' . $match[0] . '&key=' . $macmatch[0][max(array_map("count" , $macmatch)) - 1];
if(max(array_map('count' , $macmatch)) > 1){
print 'you have more than 2 network adapters and I have no idea which one is the right one';
}
else{
file_get_contents($url);//and we send the mac adress
print 'Data submited';
}
?>
In this example,we grabbed the mac adress from the computer,but note that grabbing hardware ids is even more secure,but to do that,you need to work with windows apis,or the dll develloped by soft.tahionic,but working with ole/com in php is some pain in the ass.To compile it,just cd to the dir where bamcompile is located and use the command:
bamcompile name_of_the_script.php name_of_the_executable.exe
For more compiling options,read the readme.txt
And that`s all(I think),if i missed something,please let me know.Also,the authentification system is presented as a concept,there are many things you should consider before using
an authentification system like this(eg:encrypted table entries,sending data via post method and why not,encrypted).Aaaallsooo,a secondary authentification system,like user:pass would increase security.
ps:I apologize for any possible grammar mistakes,i wrote the article in a hurry.
[RO]
