3

In web application development, how can I uniquely identify a user when cookies are not an option and IPs are dynamic? Are there patterns which I can combine and then create a hash to be used as a UID?

  • 2
    Why can't you use cookies? No normal cookies, or no local storage either? – ThoriumBR Jul 30 '15 at 21:24
  • Are you making a service that requires a login? It would be silly to do this, but you could theoretically have every request require re-authentication (preferably in the form of a link with a unique code passed to the user for their browser to pass back, and not force them to enter login information every time). Otherwise, you'd have to rely on methods that might be tricked. – childofsoong Jul 30 '15 at 21:27

4 Answers

3

Before cookies existed there was a form of authentication called "basic access authentication". This form of authentication sends the username and password with each request. It's still used in some primitive web applications. Remember though that this doesn't provide any encryption of the password, so you MUST use HTTPS, otherwise an attacker can trivially learn the password.

Steve Sether
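The per-request check described in the answer above, as an added example that is not part of the original answer: the server decodes the `Authorization: Basic` header on every request, which shows that the credentials are only base64-encoded, and refuses to evaluate them when the request did not arrive over TLS. The account store, the function names and the `is_tls` flag are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample account store: username -> (salt, PBKDF2 hash). Hypothetical data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def parse_basic(header: str):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Plain base64: anyone who sees the header can do exactly this.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def authenticate(headers: dict, is_tls: bool):
    """Identify the user for one request; returns (status, username or None)."""
    if not is_tls:
        # Never accept or prompt for Basic credentials over cleartext HTTP.
        return 403, None
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, None  # a real server also sends WWW-Authenticate: Basic realm="..."
    user, password = creds
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    # Always hash and compare in constant time, even for unknown users.
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, user
    return 401, None


def sample_header(user: str, password: str) -> str:
    """What the browser sends on every request (constructed sample)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```
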
3

Some solutions:

schroeder
2

There are a couple pieces of info you can gather to try to keep track of a user without a cookie, but neither is perfect and you will lose some identities and mistake others.

  • Browser fingerprinting, which gets as much info as possible from the browser to uniquely identify it.
  • IP location tracking, which checks the IP to find the geographic area it is allocated to. When the IP changes because the user just switched from data to wifi or switched between wifi networks, the IP should still be within geographic proximity.

To further your search: Single-Sign On has to deal with this issue because cookies are domain specific and SSO links users between domains, so ID has to be maintained without cookies.

ztk
0

With HTML5 came some alternative solutions to store information on the client side, like local storage or a browser database.

Some details are available here: http://www.html5rocks.com/en/tutorials/offline/storage/

Jcs