Reply to fingerprinting and HTTP_USER_AGENT

Posted by Marcus on 11/14/05 10:10

I have read quite a few articles on "fingerprinting" a user when they
start a session. Chris Shiflett has a good article here:

http://shiflett.org/articles/the-truth-about-sessions

However, this part of his (and all the other similar articles) doesn't
make sense to me.

session_start();
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
$_SESSION['fingerprint'] = md5($fingerprint . session_id());

"With a fingerprint that is difficult to guess, little is gained without
leveraging this information in an additional way than demonstrated thus
far."

I don't really understand how this is more secure than just feeding
$_SERVER['HTTP_USER_AGENT'] into md5() without the secret seed, but I
must be missing something because everybody who talks about
fingerprinting seems to advocate adding a seed.

I am confused because as far as I can tell, every subsequent request the
user makes really only depends on $_SERVER['HTTP_USER_AGENT']. If an
attacker can successfully spoof this value, what does any of the
secretstuff matter? In order to check that we have a "valid" browser
after the initial saving in the session, we will have to re-supply the
seed and md5 representation after every submission of the user agent.

Given the above code, the only scenario I can envision in which we can
successfully match up this info would be something along the lines of:

$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
// recompute exactly what was stored at session start (seed + UA + session id)
if (md5($fingerprint . session_id()) !== $_SESSION['fingerprint'])
{
// prompt for password
}

called on each page, which to me doesn't really add any security since
we are providing what secretstuff is on every page.

Sorry for the length, and thanks in advance.
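As an added example (not code from this post or from Shiflett's article), here is the per-request check the post describes, written out in full: the fingerprint is recorded once when the session starts and verified on every later request. It replaces md5(secret . data) with hash_hmac() keyed by a server-side secret and compares with hash_equals(); FINGERPRINT_SECRET and /login.php are placeholders, and the secret is assumed to be loaded from configuration outside the web root.

```php
<?php
// Placeholder: in practice load this from config outside the web root.
const FINGERPRINT_SECRET = 'CHANGE-ME-long-random-value';

// Keyed hash over the user agent and the session id. Unlike
// md5(secret . data), an HMAC cannot be recomputed by anyone who does
// not hold the key, even if they know exactly what was hashed.
function fingerprint(string $userAgent, string $sessionId): string
{
    return hash_hmac('sha256', $userAgent . "\0" . $sessionId, FINGERPRINT_SECRET);
}

// Call after session_start() on every page. Returns false when the
// request does not match the fingerprint stored for this session.
function checkFingerprint(): bool
{
    $ua      = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $current = fingerprint($ua, session_id());

    if (!isset($_SESSION['fingerprint'])) {
        // First request of this session: record the fingerprint.
        $_SESSION['fingerprint'] = $current;
        return true;
    }

    // Constant-time comparison so the stored value cannot leak via timing.
    if (hash_equals($_SESSION['fingerprint'], $current)) {
        return true;
    }

    // Mismatch: discard the session data and hand out a fresh session id,
    // then send the client to re-authenticate.
    $_SESSION = [];
    session_regenerate_id(true);
    return false;
}

// Rebind the fingerprint after any deliberate session_regenerate_id()
// (for example right after login), since the value depends on the id.
function rebindFingerprint(): void
{
    $_SESSION['fingerprint'] = fingerprint($_SERVER['HTTP_USER_AGENT'] ?? '', session_id());
}

session_start();
if (!checkFingerprint()) {
    header('Location: /login.php'); // placeholder login page
    exit;
}
```

Because the stored value is bound to session_id(), every place that calls session_regenerate_id() on purpose must call rebindFingerprint() afterwards, or the next request will be rejected.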
