Identity Information over HTTP? - http

If a person clears their cookies and changes their IP address, is there ANY way for a website to identify that computer as a computer that has "been here before"? In other words, no identifiable information like MAC can ever be known over HTTP, right? (I've looked through the list of headers and only see cookies and user-agent).
Also - same goes for a mobile device. If the mobile clears cookies, is there any way to identify it as a repeat visitor?
Thanks!
Chad

If you look at a site such as browserspy, you will see that a website can find out quite a bit more from a browser than the stuff you see just by looking at your request headers. And security researchers have done some investigation of the idea of uniquely identifying a browser based on those characteristics (e.g. what plugins you have installed, what fonts you have installed, etc.). But nothing like this is truly reliable (for one thing, much of this will change simply by switching to a different browser on the same computer). There is certainly no "official" unique identifier such as a MAC address.

Not at the application level. As you correctly determined, the user can change everything that is sent in an HTTP request.
As for the MAC address, the MAC address is used in the link level of the internet protocol. It is not transmitted along multiple hops when making any sort of internet communication, thus unless you are 1 hop away from the client, you cannot use this information either.
Bottom line, can't really be done. If someone really wants to be forgotten, then they will be forgotten.

There are other ways to identify individual users without cookies -- based on a variety of information leaked by the browser and associated plugins. Check out Panopticlick for an example. It's probably not as effective with mobile browsers because (as far as I know) they don't have plugins like desktop browsers.

As others have said, no, there's nothing you can do for normal browser access.
For mobile devices (at least via WAP) there is an extra CGI parameter (the name of which escapes me) which the gateway is supposed to populate with an identifier which is unique to that mobile device's phone number - however implementations vary.
C.

If there were a (toggle-able) program available that would intercept the requests for the font-list at the O/S level, and return a bogus list, resembling a machine's list right after the O/S has been installed -- and perhaps the list could be modified slightly each time by including or excluding some randomly chosen font not from the basic list-- then a huge percentage of the identifying bits could be removed from your browser's "fingerprint", and you're no longer uniquely identified but blend in better with the herd or the flock.
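A small model of the measurement Panopticlick popularized, added here as an illustration and not taken from any of the answers: it computes how many identifying bits one attribute value carries and how large a visitor's anonymity set is before and after reporting only a baseline font list. The population, attribute names and values are all constructed.

```python
import math

# Constructed sample data: eight visitors and the attributes a page can read
# from each browser. All values are invented for illustration.
BASE_FONTS = ("Arial", "Courier New", "Times New Roman")
ATTRS = ("user_agent", "timezone", "fonts")

def _v(ua, tz, *extra_fonts):
    return {"user_agent": ua, "timezone": tz, "fonts": BASE_FONTS + extra_fonts}

POPULATION = [
    _v("Firefox/Windows", "UTC+1"),
    _v("Firefox/Windows", "UTC+1", "Fira Code"),
    _v("Firefox/Windows", "UTC+1", "Comic Neue"),
    _v("Firefox/Windows", "UTC+1"),
    _v("Chrome/Windows", "UTC+1"),
    _v("Chrome/Windows", "UTC-5", "Fira Code"),
    _v("Chrome/macOS", "UTC-5", "Helvetica Neue"),
    _v("Firefox/Windows", "UTC-5"),
]

def surprisal_bits(population, attr, value):
    """Identifying bits of one attribute value: -log2(share of visitors with it).
    The value must occur at least once in the population."""
    matches = sum(1 for p in population if p[attr] == value)
    return -math.log2(matches / len(population))

def anonymity_set(population, visitor, attrs=ATTRS):
    """Number of visitors indistinguishable from `visitor` on all attrs."""
    return sum(1 for p in population if all(p[a] == visitor[a] for a in attrs))

def with_baseline_fonts(population, index):
    """Copy of the population where one visitor reports only the baseline fonts."""
    changed = list(population)
    changed[index] = dict(population[index], fonts=BASE_FONTS)
    return changed

if __name__ == "__main__":
    me = 1  # the visitor with one extra font installed
    fonts = POPULATION[me]["fonts"]
    print("fonts alone:", surprisal_bits(POPULATION, "fonts", fonts), "bits")
    print("anonymity set, real fonts:", anonymity_set(POPULATION, POPULATION[me]))
    masked = with_baseline_fonts(POPULATION, me)
    print("anonymity set, baseline fonts:", anonymity_set(masked, masked[me]))
```

With the real font list the visitor is alone in the sample; with the baseline list the same user agent and time zone are shared with two others.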

Related

Cloudflare HTTP_CF_IPCOUNTRY sometimes returning wrong countries

I'm trying to get the visitor's country code from Cloudflare through the header HTTP_CF_IPCOUNTRY.
When I use this, I receive the correct country code I am visiting the site from, although this code can change at times.
For example; my country code is supposed to be LK which is shown correctly throughout my site for the majority of a session, but sometimes if I navigate to a subpage, open the site in incognito / different browser, change network connections or view from another machine, the code may change, sometimes I get a different code for each page I visit.
There is no pattern to the country code changing hence why I use the word "sometimes" and seems to be random.
I'm not using any proxies or VPNs on top of my internet connection, and my IP remains the same whenever the issue arises.
Does anyone have the faintest idea as to why these codes might be changing?
The entire technical foundation for geolocation-by-IP is fairly weak and not a precise science. It's just based on large data accumulations, and all large data accumulations have some margin of error. It's entirely possible you're on an ISP which may sometimes route requests through one IP internally and sometimes through another, and that one IP is associated with one country but the other happens to be associated with another country in that large database, rightly or wrongly. Or any number of other factors why CloudFlare may see your request coming from one IP or another at times, and/or why that IP may be listed as one country or another in their database. Maybe the IP changed recently, and that updated database hasn't been rolled out to all of CloudFlare's edge servers yet, and sometimes you're hitting a server with an outdated geo-IP database.
You've just found an edge case that flipflops because… reasons.

Is there a HTTP Request header that indicates that browser wants a low-bandwidth or low-power version of the webpage?

Recently, I was solving the problem of disabling a background video if the user was on a mobile device. Not only were the solutions very hacky, but they weren't even the right solutions. Instead of checking whether the device was a mobile, what I really wanted was to know whether the device prefers a low-bandwidth, low-battery usage version of the page.
It seems like this is a recurring problem: Don't send retina images for a low-res phone, Don't show HD videos on a low-bandwidth connection, Don't use highly-detailed textures while playing a game etc. Also, even for the same device, these preferences may change with time - say when the mobile has a wi-fi connection and it can handle more bandwidth or the mobile is plugged-in so that battery usage is less of a concern while playing a WebGL-based game.
So, I think the browser should indicate such preferences to the server with each request. The browser has the best information at all times. Relying on User-Agent detection seems inappropriate because it remains the same in both the above cases - when the connection type or power status changes.
Is there any web standard, a request header perhaps, that indicates browser's preferences like the above? Are there plans to develop such a standard?
This video by Brad Frost, as well as his blog contain heaps of information on this topic.
The short answer to your question: no. But for further reference, in this question are a number of methods you could try.

Web browser as web server

Sorry if this is a dumb question that's already been asked, but I don't even know what terms to best search for.
I have a situation where a cloud app would deliver a SPA (single page app) to a client web browser. Multiple clients would connect at once and would all work within the same network. An example would be an app a business uses to work together - all within the same physical space (all on the same network).
A concern is that the internet connection could be spotty. I know I can store the client changes locally and then push them all to the server once the connection is restored. The problem, however, is that some of the clients (display systems) will need to show up-to-date data from other clients (mobile input systems). If the internet goes down for a minute or two it would be unacceptable.
My current line of thinking is that the local network would need some kind of "ThinServer" that all the clients would connect to. This ThinServer would then work as a proxy for the main cloud server. If the internet breaks then the ThinServer would take over the job of syncing data. Since all the clients would be full SPAs the only thing moving around would be the data - so the ThinServer would really just need to sync DB info (it probably wouldn't need to host the full SPA - though, that wouldn't be a bad thing).
However, a full dedicated server is obviously a big hurdle for most companies to setup.
So the question is, is there any kind of tech that would allow a web page to act as a web server? Could a business be instructed to go to thinserver.coolapp.com in a browser on any one of their machines? This "webpage" would then say, "All clients in this network should connect to 192.168.1.74:2000" (which would be the IP:port of the machine running this page). All the clients would then connect to this new "server" and that server would act as a data coordinator if the internet ever went down.
In other words, I really don't like the idea of a complicated server setup. A simple URL to start the service would be all that is needed.
I suppose the only option might have to be a binary program that would need to be installed? It's not an ideal solution - but perhaps the only one? If so, are there any programs out there that are single click web servers? I've tried MAMP, LAMP, etc, but all of them are designed for the developer. Any others that are more streamlined?
Thanks for any ideas!
There are a couple of fundamental ways you can approach this. The first is to host a server in a browser as you suggest. Some example projects:
http://www.peer-server.com
https://addons.mozilla.org/en-US/firefox/addon/browser-server/
Another is to use WebRTC peer to peer communication to allow the browsers to share information between each other (you could have them all share data or have one act as a 'master' etc., depending on the architecture you wanted). It's likely not going to be that different under the skin, but your application design may be better suited to a more 'peer to peer' model or a more 'client server' one depending on what you need. An example 'peer to peer' project:
https://developer.mozilla.org/en-US/docs/Web/Guide/API/WebRTC/Peer-to-peer_communications_with_WebRTC
I have not used any of the above personally but I would say, from using similar browser extension mechanisms in the past, that you need to check the browser requirements before you decide if they can do what you want. The top one above is Chrome based (I believe) and the second one is Firefox. The peer to peer one contains a list of compatible browser functions, but is effectively Firefox and Chrome based also (see the table in the link). If you are in an environment where you can dictate the browser type and plugins etc then this may be ok for you.
The concept is definitely very interesting (peer to peer web servers) and it is great if you have the time to explore it. However, if you have an immediate business requirement, it might be that a simple on site server based approach may actually be more reliable, support a wider variety of browsers and actually be easier to maintain (as the skills required are quite commonly available).
BTW, I should have said - 'WebRTC' is probably a good search term for you, in answer to the first line of your question.
httprelay.io v.s. WebRTC
Pros:
Simple to use
Fast
Supported by all browsers and HTTP clients
Can be used with the not stable network
Opensource and cross-platform
Cons:
Need to run a server instance
No data streaming is supported (yet)

Is there any reliable way to determine a user's location from their Internet connection?

I have created a Business Management System which is to be used by retailers with or without multiple sites.
It is important that a logged in user identifies his/her location, or site, so that the system can perform site related tasks automatically.
I currently have a database of locations which includes an IP Prefix field, when the user goes to the log in page it looks for the first 5 digits of the current IP address, then:
If start of current IP matches a stored record it assumes user is at that site.
If no IP matches then it asks the user which site they're in and asks them to update the IP.
This basic, and manual check works when the sites are a fair distance away or are on different ISPs for certain, the update is usually only required after a router restart and I've been using the system myself for about 4 years with no issues... BUT... I am not confident with it, so my question is; is there a better solution?
I realise the IP address is probably not the way as the best that gives me is the location of their ISP, but that's not what I need.
In case it matters I am using ASP.NET coding in VB
Also, should mention, I'm looking for desktop based application, not mobile.
I think you are going to have to rely on user input for this one. It's impossible (or at least, very very difficult) to know whether a user is using a proxy or not, and if they are you have no way of knowing where they really are. This is right and proper; would you trust every website you access with that kind of information? I sure as hell wouldn't.
You can't use the IP address to give you 100% reliable location data if your clients connect over the internet (they could be going through a proxy or as you said you might just get the ISP's IP address)
Your best bet is to use javascript to get the users geolocation: W3 Schools Example
More complex example on html5demos
No, of course it is not possible to reliably locate a user by IP address.
That address can be faked, so the base of your info is not reliable.
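The prefix check described in the question, beside a network-membership check, as an added example in Python (not the asker's ASP.NET code). It assumes "first 5 digits" means the first five characters of the address string; the site names and documentation-range addresses are constructed.

```python
import ipaddress

# Constructed site table: a stored string prefix in the style the question
# describes, next to an explicit network for the same site.
SITES = [
    {"name": "Shop A", "prefix": "203.0", "network": "203.0.113.0/24"},
    {"name": "Shop B", "prefix": "198.5", "network": "198.51.100.0/24"},
]

def site_by_prefix(ip, sites=SITES, length=5):
    """String comparison on the first `length` characters of the address."""
    for site in sites:
        if ip[:length] == site["prefix"]:
            return site["name"]
    return None

def site_by_network(ip, sites=SITES):
    """Match only when the address is inside the site's stored network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed input never matches a site
    for site in sites:
        if addr in ipaddress.ip_network(site["network"]):
            return site["name"]
    return None  # caller falls back to asking the user, as the question does

if __name__ == "__main__":
    for ip in ("198.51.100.20", "198.52.0.9", "198.5.7.1", "203.0.113.8"):
        print(ip, "| prefix:", site_by_prefix(ip), "| network:", site_by_network(ip))
```

The string prefix `198.5` also matches `198.52.0.9` and `198.5.7.1`, which lie outside Shop B's network; the network check returns `None` for both. Either result is only a default for the user to confirm, since the address seen by the server may belong to a proxy or the ISP.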

Detect network card ID in asp.net

Is it possible to know network card id of the user host computer from where the request is coming like IP address. I am interested to know if it is possible at IIS or asp.net level or any other possible way of knowing it?
As far as getting network card information is concerned, I see little hope for you here seeing as a client's hardware profile is not something naturally pushed down the wire as a matter of course, however see:
HttpContext.Current.Request.UserHostAddress
Or
HttpContext.Current.Request.ServerVariables("remote_addr")
This value will give you the IP address of the calling client, although they may be hitting you through a proxy and therefore can't be guaranteed to be a machine specific address.
If by "network card ID" you mean the Ethernet MAC address, that's assuming a particular technology on the remote side that you have no way of knowing whether or not it is used. Sure, Ethernet is used pretty much everywhere these days, but are you willing to limit yourself to clients that use that particular hardware architecture? So even if it were possible, I doubt you'd want to go down that route.
If what you want is a unique identifier per client computer, you are probably better off issuing some sort of token yourself. A cookie with a randomly generated session ID should work fairly well.
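One way to issue such a token, as an added Python example rather than code from the answer. It goes a step beyond a bare random ID by attaching an HMAC tag so the server can reject values it did not issue; the cookie name and key handling are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment the key comes from server-side configuration
# and stays stable across restarts; here it is generated per process.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "client_id"  # hypothetical cookie name

def _tag(client_id, key):
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()

def issue_client_token(key=SERVER_KEY):
    """Return '<random id>.<HMAC tag>' for a first-time visitor."""
    client_id = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    return f"{client_id}.{_tag(client_id, key)}"

def verify_client_token(cookie_value, key=SERVER_KEY):
    """Return the client id if the tag is valid, else None (treat as new visitor)."""
    client_id, sep, tag = cookie_value.rpartition(".")
    if not sep or not client_id:
        return None
    expected = _tag(client_id, key)
    # Constant-time comparison so the check does not leak how much of the tag matched.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return client_id
    return None

def set_cookie_header(token):
    """Set-Cookie value: HTTPS only, hidden from page script, one year lifetime."""
    return (f"{COOKIE_NAME}={token}; Max-Age=31536000; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")

if __name__ == "__main__":
    token = issue_client_token()
    print("Set-Cookie:", set_cookie_header(token))
    print("valid:", verify_client_token(token))
    print("tampered:", verify_client_token("x" + token))
```

The token identifies a browser profile only for as long as the cookie exists; a user who clears cookies is issued a new one.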
