
[nycphp-talk] Question about obtaining MAC address

Hans Zaunere lists at zaunere.com
Fri Sep 23 05:42:02 EDT 2005


Hi Anthony,

Anthony Papillion wrote on Friday, September 23, 2005 1:57 AM:
> Does anyone know of a reliable way to obtain a site visitor's MAC
> address? I ask because I am creating an application that needs to be
> very secure and I was thinking about using each user's MAC address as
> the authentication key in addition to a login/password.

Sorry to say, but that's the wrong strategy for secure authentication.
There are a number of reasons, with the top two being:

-- MAC addresses can be spoofed
-- you can't capture a MAC address of someone across the Internet.
MAC/hardware addresses don't go past a router (level 2 of the network stack,
I believe) and thus are only visible on a local LAN.  And, if a switch is in
place, as is generally the case these days, you'd only see ARP requests for
the MAC anyway.

The best way to handle security is generally a well-constructed
username/password strategy.  If, however, you have close contact with each
user, SSL client/server certs may be a practical secure solution.


---
Hans Zaunere / President / New York PHP
   www.nyphp.org  /  www.nyphp.com
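
Added example, not part of the original post: one way to combine the username/password check with the SSL client certificates suggested above, pinning each account to the certificate issued to that user. It assumes Apache mod_ssl with `SSLVerifyClient require` and `SSLOptions +StdEnvVars +ExportCertData`; the `authenticate()` function and the `$user` record layout are hypothetical, and the certificate in the demo is constructed on the fly.

```php
<?php
// Added example: password check plus a pinned TLS client certificate.
// Assumes mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_CERT (PEM)
// into $_SERVER. authenticate() and the $user layout are hypothetical.

// $user: ['pw_hash' => password_hash(...), 'cert_sha256' => hex fingerprint]
function authenticate(array $server, array $user, string $password): bool
{
    // 1. The web server must have validated the certificate chain itself.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return false;
    }
    // 2. Pin the exact certificate enrolled for this user, not just any
    //    certificate signed by the same CA.
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    $fingerprint = $pem !== '' ? openssl_x509_fingerprint($pem, 'sha256') : false;
    if ($fingerprint === false || !hash_equals($user['cert_sha256'], $fingerprint)) {
        return false;
    }
    // 3. The password is still required; the certificate is a second factor.
    return password_verify($password, $user['pw_hash']);
}

// Constructed demo data: a throwaway self-signed certificate stands in for
// the one handed to the user at enrollment.
$key  = openssl_pkey_new(['private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'demo-user'], $key);
$x509 = openssl_csr_sign($csr, null, $key, 1);
openssl_x509_export($x509, $pem);

$user = [
    'pw_hash'     => password_hash('correct horse', PASSWORD_DEFAULT),
    'cert_sha256' => openssl_x509_fingerprint($pem, 'sha256'),
];

// Verified, enrolled certificate and the right password.
$good = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_CERT' => $pem];
var_dump(authenticate($good, $user, 'correct horse'));

// Right password, but no client certificate was presented.
var_dump(authenticate(['SSL_CLIENT_VERIFY' => 'NONE'], $user, 'correct horse'));

// Enrolled certificate, wrong password.
var_dump(authenticate($good, $user, 'guess'));
```

In a real request handler the first argument would be `$_SERVER` and the user record would come from the account store.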




