duancai7568 2016-01-15 08:34

PHP: Getting the client IP or MAC address to "prove" that the client is from our own intranet?

Note: This is a logic/security question, not really a 'how to' for PHP.

First the background...

I want to restrict access to a company INTRAnet website to only people who are using a company computer (Windows or Linux) and who are connected to our company network 'in office' or remote via VPN.

At the moment users log in with their company userid and password, which are authenticated via LDAP, for every session. I want to make life a little easier for them and allow them to use a 'remember me' option at login and then store some information in a cookie.

The information I thought of putting in the cookie is their username and either the client IP address or client MAC address, and setting an expiry of 30 days, for example. On a subsequent login, the existence of this cookie indicates a valid user and valid client are being used, so no need to log in again (pass-through).

Now the question(s)...

Is it the case, that a system call from PHP will only return an IP or MAC address if the client is authorized on and connected to our corporate network? If this is true then by reverse logic, getting a null return value from one or both of these addresses means the client computer is not authorized to connect to our corporate network - is that correct? Is there a better way (more secure way without having users forced to log in each session) of solving this?

Thanks in advance.


2 answers

  • duanqiao1947 2016-01-15 08:41

    A MAC is only available on the same subnet; if your intranet is a little more expansive it will probably have routing internally, especially if VPNs are involved as well. So there's no reliable way to get the MAC address of the client, no.

    The IP is bound to change very likely as clients go online and offline, so an IP is useless as well.

    Really, if your concern is that the application should only be accessed via the intranet, the best way to ensure that is to configure the intranet/server to only be physically accessible via the intranet. If the network won't route external requests to the server, then there's no way anyone from outside could access the server/application. Worrying about this in application code is the wrong place.
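
The cookie design from the question next to a server-side token, as an added example that is not part of the original question or answers. The function names, the `username|ip` cookie layout and the in-memory store are assumptions made for illustration; the cookie value is client-supplied data in both cases, and only the second form ties it to something the server issued.

```php
<?php
declare(strict_types=1);

// Weak form, as proposed in the question: the cookie itself carries the
// "proof". Every field in it is chosen by the client, so it proves nothing.
function weakCheck(string $cookie, string $remoteAddr): ?string
{
    $parts = explode('|', $cookie, 2);          // assumed layout: "username|ip"
    if (count($parts) !== 2) {
        return null;
    }
    [$user, $ip] = $parts;
    return $ip === $remoteAddr ? $user : null;  // both sides come from the client
}

// Hardened form: the cookie holds only a random token. The server keeps a hash
// of it with the username and expiry (an array here, a database table in practice).
function issueToken(array &$store, string $user, int $now, int $ttl = 30 * 86400): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['user' => $user, 'expires' => $now + $ttl];
    return $token;                              // send with Secure and HttpOnly set
}

function checkToken(array &$store, string $cookie, int $now): ?string
{
    $key = hash('sha256', $cookie);
    $row = $store[$key] ?? null;
    if ($row === null || $row['expires'] < $now) {
        unset($store[$key]);                    // drop expired or unknown entries
        return null;
    }
    return $row['user'];
}

// Constructed demo values (hypothetical user, documentation-range IP, fixed clock).
$store  = [];
$now    = 1700000000;
$forged = 'alice|203.0.113.7';
var_dump(weakCheck($forged, '203.0.113.7'));    // hand-typed cookie is accepted
var_dump(checkToken($store, $forged, $now));    // same value is rejected
$cookie = issueToken($store, 'alice', $now);    // issued after a normal LDAP login
var_dump(checkToken($store, $cookie, $now + 86400));        // within 30 days
var_dump(checkToken($store, $cookie, $now + 31 * 86400));   // past expiry
```

The token only replaces the repeated password prompt; whether a request can reach the server at all remains a matter for network routing, as the answer above says.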
