Perspective security

Hello all,

I am trying to add security to my project so that the user with specific IP addresses can log in. I can do this for my Vision client with this script:

ipaddress = system.tag.read("[System]Client/Network/IPAddress").value
if ipaddress == "100.168.2.56":
	system.security.logout()
else:
	system.security.lockScreen()

But I am not able to do the same thing in a session event script using this script:

ipaddress = system.net.getIpAddress()
if ipaddress == "100.168.2.56":
	system.security.logout()
else:
	system.security.lockScreen()

Should I use a security zone for this? That one will only allow for some specific policy, not log in/log out from a Perspective project.

In Perspective this script will be run on the gateway, and so will only return the IP address of the Gateway Server.

Due to browser security, I would guess it would be impossible to get the IP address of the user's PC.

As an aside, why would it matter what IP a user opened a client from? This is exactly the thing that Users and User Roles are made for. If an unauthorized user logs in with invalid credentials then they wouldn’t have access.

Thank you! The thing is, sometimes we want to be able to detect the IP address of the user and the location they are in and then give them access. For example, a remote user with the IP of 1.2.3.4 cannot log in to the Perspective project.

I also tried this script on gateway events too but it did not work.

Agree that you should be using security roles if possible.

But if you absolutely must use IP address to facilitate this, try using session properties like session.props.host or session.props.address in conjunction with system.perspective.logout() or system.perspective.closeSession()

2 Likes

From the manual:

Returns the IP address of the computer that the script was ran on. When run in the Gateway scope, returns the Gateway IP address. When run in the Client scope, returns the Client IP address.

system.net.getIpAddress() will return the Gateway's IP address.

When you say it didn't work, does that mean you got an error, or it didn't do what you expected?

I believe that Security Zones are the answer to this particular issue. Then rather than granting access based on an IP address, you would grant it based on a security zone.

1 Like

It did not work the way I expected. So it did not log out the user nor switched the user based on IP.

Something that you hinted at with your suggestion but did not outright say is that those system.security functions in @pkhoshroo’s initially posted scripts are specifically Vision client-scoped functions, and as such will not run in a Perspective session.

As you said, I think a change script on session.props.address (assuming OP is using a recent enough version of Ignition to have access to this property) that evaluates whether the IP address is allowed or not is likely the best bet.

1 Like
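An added example (not code from any poster in this thread) of the allowlist evaluation that a change script on session.props.address could call. It is plain Python that avoids modules missing from Ignition's Jython; the network list and all function names are hypothetical, and it assumes the property holds an IPv4 string as seen by the gateway.

```python
# Added example: allowlist check for a Perspective session's client address.
# ALLOWED_NETWORKS and every function name here are hypothetical, constructed values.
ALLOWED_NETWORKS = ["100.168.2.56/32", "10.20.0.0/16"]


def ipv4_to_int(text):
    """Parse a dotted-quad IPv4 string to an int; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("not an IPv4 address: %r" % (text,))
    value = 0
    for part in parts:
        if not part.isdigit() or len(part) > 3 or int(part) > 255:
            raise ValueError("bad octet in %r" % (text,))
        value = (value << 8) | int(part)
    return value


def in_network(address, cidr):
    """True if address falls inside cidr (for example '10.20.0.0/16')."""
    base, _, prefix = cidr.partition("/")
    bits = int(prefix) if prefix else 32
    if not 0 <= bits <= 32:
        raise ValueError("bad prefix length in %r" % (cidr,))
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (ipv4_to_int(address) & mask) == (ipv4_to_int(base) & mask)


def is_allowed(address, networks=ALLOWED_NETWORKS):
    """Fail closed: anything missing or unparsable (IPv6, hostname) is denied."""
    try:
        return any(in_network(address, net) for net in networks)
    except (ValueError, AttributeError, TypeError):
        return False


def enforce(address, close_session):
    """Call close_session(message) when address is not allowed; return the verdict."""
    allowed = is_allowed(address)
    if not allowed:
        close_session("Access from this address is not permitted.")
    return allowed


# Assumed wiring inside the change script on session.props.address:
#   enforce(currentValue.value, system.perspective.closeSession)
```

If the gateway sits behind a reverse proxy or NAT, the address it records may be that intermediary's rather than the user's PC, so this check complements user roles and security zones and does not replace them.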

You should create a new security ZONE which “black-lists” the IP address (or white-lists the range of IPs which do not include the bad IP address), and then your project should require that security zone.

2 Likes