| Subject | Re: AW: [firebird-support] Terminal Server |
|---|---|
| Author | Lester Caine |
| Post date | 2004-08-05T21:33:34Z |
Steffen Heil wrote:
cookies. I am going to have to get the users to log onto TS individually
and then log into the application - I think. That takes some time, but
they will just have to put up with extra minutes on serving times :)
( A 'user' will go into an interview room and call a client - currently
login and call takes seconds because the browser is left open on a
generic login )
rooms - must not have access to back office information - so some IP
addresses have security lockouts. That is being compromised by TS and
since the customer does not know there is a problem we now have to work
round the LEGAL requirements. Browser IP lockout works perfectly, some
data can only be accessed from specific terminals in secure areas! At
least now we know why we can't do that with TS.
check that the information should be available at a particular location
;) Different userid's for different areas is just not practical ;(
independent / browser independent operation. I just don't know how to
tell the customer that I can't supply a system that meets their
requirements on a Terminals Server System. At least we did say that
making that end work would be down to them ;) but now I have to say why
it won't :(
--
Lester Caine
-----------------------------
L.S.Caine Electronic Services
>>Main problem is PHP sessions are being shared across all clients, becauseThere are several COPIES running, but they share the same set of
> there is actually only one copy of the browser running.
>
> No. Every terminal server session has it's own processes. So there should
> are at least as many sessions as clients connected.
cookies. I am going to have to get the users to log onto TS individually
and then log into the application - I think. That takes some time, but
they will just have to put up with extra minutes on serving times :)
( A 'user' will go into an interview room and call a client - currently
login and call takes seconds because the browser is left open on a
generic login )
>>Does anybody know if it is possible to identify the client machine theThe LEGAL requirement is that terminals in public areas - like interview
> other side of Terminal Server - as I use it as part of the security checks,
> and restrict access to the data where a terminal is in a public area -
> independent of who logs in.
>
> You want to do this from an PHP script on the server? There is propably no
> way, but THIS IS secure, since you DO NOT WANT your browser to send out any
> information about your windows session, right? Browsers do not send the
> computers name at all, computer names can be reconstructed by ips though.
> The problem is, that every terminal session uses the same host ip.
rooms - must not have access to back office information - so some IP
addresses have security lockouts. That is being compromised by TS and
since the customer does not know there is a problem we now have to work
round the LEGAL requirements. Browser IP lockout works perfectly, some
data can only be accessed from specific terminals in secure areas! At
least now we know why we can't do that with TS.
>>I can't believe that this simple security step is not available - orAs you can see from the first two points. UserId is not a sufficient
> perhaps I can - it is Microsoft.
>
> Actually it is absolutely possible to get an unique connection identifier
> and maybe even the clients name (but I believe, that would need some hacks),
> but not though the browser and php sessions from the server. I would
> consider THIS a security lack.
check that the information should be available at a particular location
;) Different userid's for different areas is just not practical ;(
>>So is there any way round it or do I just tell the customer that theyForget it - the whole point of the last four years work was to get OS
> can't have THAT particular security lock ;) I've already got to rebuild the
> session software to run server side rather than client and 'enable' other
> possible security leaks :)
>
> If you have control over all clients, there might be a way, using a
> self-signed ActiveX control to send client information, and you could
> register you self-signed cert on that terminal server. Inside that activex
> control, you could use terminal services API to get the connection IDs.
independent / browser independent operation. I just don't know how to
tell the customer that I can't supply a system that meets their
requirements on a Terminals Server System. At least we did say that
making that end work would be down to them ;) but now I have to say why
it won't :(
--
Lester Caine
-----------------------------
L.S.Caine Electronic Services