How to allow only certain devices to access django web aplication?

I’m developing a django web-based application system and I want to restric access using only your work device, i want the users can log in only from your work device and deny from others devices.
It’s not possible use ip because it’s change all the time , security inssues.

I’m thinking about mac address or some way to restrict but I don’t know how the best way to do this.

Thanks in advanced

Simple answer is that you can’t.

There is absolutely nothing you can check on the server side that definitively identifies the requesting device.

Certificate-based authentication uses a digital certificate to identify a user, device, or machine, before granting application, network, or resource access.
How can i use Certificate-bases authentication with django?

Thanks in advance

Yes you can use digital certificates with Django.

No, it does not identify the originating system. Digital certificates can be copied between systems. Technically speaking, it doesn’t identify the person using the browser, either. All it does is identify the individual to whom the certificate is issued.

While you can implement that at the Django layer, I would typically recommend against it. You’re better off performing that level of authentication at either your proxy or web server layer.

so the problem is that it’s an application that is on-premise and I don’t have access to the client’s infrastructure.
I need a web solution to identify the machines that the customer will authorize within his structure but it cannot be the IP that was normally the system used, pis for some customers the ips of the machines changing all the time for an internal security issue of those customers. At the moment I’m thinking of doing something using MACADDRESS

Two (three) problems with that:

1 - MAC addresses don’t get passed through routers. The MAC address you’ll see in your application will be the MAC address of the last router that packet passed through on the way to your server. The only time you will get the actual MAC address of the originating machine is if it’s in the same broadcast domain.

2 - MAC addresses aren’t globally unique. It doesn’t uniquely identify a device.

3 - MAC addresses are easily spoofed. Even more easily than IP addresses, since there are no routing issues to contend with.

If you don’t have control over the client’s infrastructure, you have no control over what devices access your application.

Let me repeat that again -


There is not a solution that you can come up with that can’t be circumvented if you don’t have complete control over the network. (And even then there are frequently workarounds if you don’t have complete control over the computers that do have access.)

I found a good solution to generate a unique ID for the person who is accessing the web application, instead of generating a hash using computer data, I think of using data provided by the browser. searching by fingerprint I came up with the following code that I believe is very useful to be used as an identification in the web application:
Thanks in advance for KenWhitesell’s help, thanks my friend

It still doesn’t identify the device.

Whatever data is sent by device “A”, device “B” can be set up (or programmed) to send the same data.

So no, it does nothing to prevent someone from using a personal device.

You still have not shown a method capable of restricting access by device.

If you’ve got someone telling you that you need to restrict access by device, you need to educate them. They need to understand that it can’t be done at the application level.

Yes you are correct, but for the purpose of keeping only one access per person, or session or browser generating a FINGERPRINT will meet expectations well, first of all it is not easy, not even being able to program another browser to produce the same fingerprint. second in database authentication i will identify that there is already an active session for that user with that fingerprint i.e. even if the person programs another computer it would be very difficult to produce the same fingerprint it is still limited to a single session per user and password.

It is an onpremise system with a limited amount of users internally in the company, this level of access for my case will already greatly increase the level of security that was previously used only via IP or TOKEN (which can be moved).

But you’re correct, it doesn’t precisely identify the machine, but it serves my purposes :slight_smile:

This statement is false. The developer tools and other settings available in both Chrome and Firefox make this trivial.

None of this is necessary if all you’re trying to do is prevent two people with the same account from logging on at the same time.
And none of this helps you prevent someone from logging on with a personal device instead of their work computer if they’re not currently logged on with that work computer.

This is the very definition of “Security Theater”. You are taking steps that are going to give an uneducated individual the impression that you have improved security without having done so.

1 Like

You are correct, it will not identify the machine, I will think a little more, and maybe I will come back with some update, I unchecked the box as a solution and I will research more, thank you very much for the help and the time spent to help me in the analysis. :slight_smile:

You can do all the research you want, but you won’t find a solution.

You’d be better off spending your time studing networking fundamentals and the HTTP protocol. Once you understand how they work, then you’ll understand why this is a futile effort.

hey, after reading this post Iv’e gotten lost.
if i want to prevent a user from passing his account to his friends is it doubable?
can I program the webserver to enable only one device per user? say each user can login only with his own pc? (lets say my users are not hackers nor developers just normal people, so if it can be hacked via js so be it)

if so, how?




The nature of the http protocol is that you have no control over the client from within the application layer.

ok, thanks.
do you have any idea on how to make it harder to pass the account?
the fingerprint can work?

Please re-read this entire thread. You are wasting a lot of time trying to worry about this. The only solutions are administrative and procedural. (e.g. Terminate an employee who has shared their account.)