Confirming a user is valid
I have a server architecture set up in which a user would connect using this code:
It is then up to the client's packets to confirm with the server a login username & password, and so on.
new Socket("localhost",1234); // Placeholder name/port
Now here's my question: How can I confirm that a user is running the applet from *my* website, and not from another? Or alternately, confirm that they are, at least, running an unaltered version of the applet?
I had a few ideas:
1. Send a CRC check of the applet file from client to server to confirm. This, however, could be forged.
2. Send a confirmation hash from the client to server (which could also check for updates). Could also be forged.
3. Update a MySQL database when the user opens the page that says they are allowed to check in. Remove entry from database after an inactivity timeout.
I'm most fond of option #3 but I'm looking for other opinions or ideas from people who've been in this kind of situation before. Security is fairly important here, so I want to make sure as possible that the server is receiving no forged connections.
Thanks in advance, I appreciate all the help you guys offer!