Re: fingerprinting and HTTP_USER_AGENT

Posted by Jerry Stuckle on 11/14/05 14:54

Marcus wrote:
> I have read quite a few articles on "fingerprinting" a user when they
> start a session. Chris Shiflett has a good article here:
>
> http://shiflett.org/articles/the-truth-about-sessions
>
> However, this part of his (and all the other similar articles) doesn't
> make sense to me.
>
> session_start();
> $fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
> $_SESSION['fingerprint'] = md5($fingerprint . session_id());
>
> "With a fingerprint that is difficult to guess, little is gained without
> leveraging this information in an additional way than demonstrated thus
> far."
>
> I don't really understand how this is more secure than just feeding
> $_SERVER['HTTP_USER_AGENT'] into md5() without the secret seed, but I
> must be missing something because everybody that talks about
> fingerprinting seems to advocate adding a seed.
>
> I am confused because as far as I can tell, every subsequent request the
> user makes really only depends on $_SERVER['HTTP_USER_AGENT']. If an
> attacker can successfully spoof this value, what does any of the
> secretstuff matter? In order to check that we have a "valid" browser
> after the initial saving in the session, we will have to re-supply the
> seed and md5 representation after every submission of the user agent.
>
> Given the above code, the only scenario I can envision in which we can
> successfully match up this info would be something along the lines of:
>
> // Recompute with the same secret and session id used when it was stored
> $fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
> if (md5($fingerprint . session_id()) != $_SESSION['fingerprint'])
> {
> // prompt for password
> }
>
> called on each page, which to me doesn't really add any security since
> we are providing what secretstuff is on every page.
>
> Sorry for the length, and thanks in advance.

Marcus,

Did you ask him about it? He should be able to justify his position.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
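For reference, here is the per-request check Marcus sketches, written out as a complete example (added here, not code from the article or from either poster). It keeps the same inputs (secret, User-Agent, session id) but uses hash_hmac and hash_equals instead of md5 and !=; the function names and the secret value are assumptions.

```php
<?php
// Added example: session fingerprint check as discussed in the thread.
// FINGERPRINT_SECRET is a placeholder; load the real value from config.
const FINGERPRINT_SECRET = 'SECRETSTUFF';

function compute_fingerprint(string $userAgent, string $sessionId): string
{
    // Keyed hash over the same data as the article's md5($secret . $ua . $sid),
    // but with a proper MAC construction instead of prefix-secret md5.
    return hash_hmac('sha256', $userAgent . '|' . $sessionId, FINGERPRINT_SECRET);
}

function check_fingerprint(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ua      = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $current = compute_fingerprint($ua, session_id());

    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: record the fingerprint server-side.
        $_SESSION['fingerprint'] = $current;
        return true;
    }

    // Constant-time comparison of stored vs. recomputed digest.
    // Note: a request presenting the same User-Agent string passes this
    // check whatever the secret is; the secret does not make the
    // User-Agent harder to spoof, which is the limit Marcus points to.
    if (!hash_equals($_SESSION['fingerprint'], $current)) {
        // Mismatch: discard the session rather than trust it.
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Call at the top of every page that relies on the session.
if (!check_fingerprint()) {
    http_response_code(401);
    echo 'Session fingerprint mismatch; please log in again.';
    exit;
}
```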
