
How to detect if user is connecting from a recognized computer?

On many banking and investment websites, the site prevents users from logging in from an unrecognized computer without first answering an additional question or activating that machine. How do developers typically create this feature?

For example, here is the message that Salesforce.com gives when I connect to my account from an unrecognized machine:


We're trying to do the same type of thing from one of our applications, but aren't sure about the best (and most secure) approach.


There are many possible approaches to do this, but typically they're using some combination of the following:

  • IP range you're connecting from
  • your host name
  • presence of cookies on your computer left by the site after a successful authentication
  • user-agent string

If you have too many differences from one of your existing trusted connections, the machine is considered untrusted. Where the line is drawn for "too many" is a tradeoff between security and convenience.
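One way to turn the list above into a concrete "too many differences" check, written as an added example rather than code from the question or this answer: each previously trusted connection for the account is recorded, the current connection is compared attribute by attribute, and the differences are weighted and summed. The weights, the cut-off of 3, and the /24 and /64 prefixes used for "same IP range" are assumptions chosen for illustration, not values the answer gives.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    ip: str
    host_name: str
    user_agent: str
    has_site_cookie: bool  # cookie left by the site after an earlier successful login


# Assumed weights and cut-off for this example; a real deployment tunes them to its own
# tolerance for friction versus risk. A missing cookie weighs most because it is the only
# signal the site itself planted on the machine.
WEIGHTS = {"ip_range": 2, "host_name": 1, "user_agent": 1, "cookie": 3}
UNTRUSTED_AT = 3  # a difference score at or above this marks the machine untrusted


def same_ip_range(a: str, b: str) -> bool:
    """True when both addresses fall in the same /24 (IPv4) or /64 (IPv6).

    This stands in for the 'IP range' check: a new DHCP lease on the same home or
    office network should not count as a difference, a new provider should.
    """
    try:
        addr_a, addr_b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    except ValueError:
        return False  # unparsable address: never treat it as a match
    if addr_a.version != addr_b.version:
        return False
    prefix = 24 if addr_a.version == 4 else 64
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def differences(current: Connection, trusted: Connection) -> list:
    """Names of the attributes on which the current connection differs from a trusted one."""
    diffs = []
    if not same_ip_range(current.ip, trusted.ip):
        diffs.append("ip_range")
    if current.host_name.lower() != trusted.host_name.lower():
        diffs.append("host_name")
    if current.user_agent != trusted.user_agent:
        diffs.append("user_agent")
    if not current.has_site_cookie:
        diffs.append("cookie")
    return diffs


def difference_score(current: Connection, trusted: Connection) -> int:
    return sum(WEIGHTS[name] for name in differences(current, trusted))


def is_recognized(current: Connection, trusted_connections: list, cutoff: int = UNTRUSTED_AT) -> bool:
    """Compare against every trusted connection on record and accept the closest match.

    An account with no history is never recognized; the first login enrolls the machine.
    """
    if not trusted_connections:
        return False
    return min(difference_score(current, t) for t in trusted_connections) < cutoff


if __name__ == "__main__":
    # Constructed sample data (documentation-range addresses), not real records.
    firefox = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
    trusted = [Connection("203.0.113.10", "office-pc.example.com", firefox, True)]
    same_office = Connection("203.0.113.77", "office-pc.example.com", firefox, True)
    new_machine = Connection("198.51.100.7", "unknown", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", False)
    print("same office:", is_recognized(same_office, trusted))   # True
    print("new machine:", is_recognized(new_machine, trusted))   # False
```

The score is taken against the closest trusted record rather than the most recent one, so a user who alternates between a home and an office machine keeps both recognized. Which attributes are also bound into the cookie itself is a separate question from this scoring.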


There is no truly secure approach. You could do it based on IP address, but that is often dynamic; you could do it on cookies, but they're far from secure; you could do it on MAC address, but you'd need to use Java (IIRC) to access that, and that again can be spoofed...

There is no real way to check if the computer they're connecting from has ever connected before. You can probably find "hacks" to sort of do it, but it's never going to be secure.


You can set up a cookie on the user's machine and later on check if that cookie exists and contains a proper value. If the cookie doesn't exist, then this computer is a new one; otherwise this computer has been here before.

The cookie's value can be some random hash, with different attributes, for example IP address, user agent, etc...
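An added example of the cookie scheme this answer describes, not code from the answer itself: the value set on the machine is a random device id plus the account name and issue time, authenticated with an HMAC under a server-side key, so a forged or edited cookie fails verification; the IP address and user agent are kept in a server-side record keyed by the device id (which also lets the server revoke a device) and are compared at verification time rather than trusted from the cookie. The key handling, the 90-day lifetime, and the record layout are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for this example: in production the key is loaded from a secret store, never
# generated at import time, or every restart would invalidate all device cookies.
DEFAULT_SECRET = secrets.token_bytes(32)
DEVICE_COOKIE_MAX_AGE = 90 * 24 * 3600  # assumption: a device must re-enroll after 90 days


def b64_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def b64_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_device_cookie(user_id, ip, user_agent, records, secret=DEFAULT_SECRET, now=None):
    """Call after a successful login (and whatever extra question the site asks).

    Stores a server-side record for the new device and returns the cookie value to set
    on the user's machine. `records` stands in for the database table of enrolled devices.
    """
    device_id = secrets.token_urlsafe(16)
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"u": user_id, "d": device_id, "t": issued},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    records[device_id] = {"user_id": user_id, "ip": ip, "user_agent": user_agent, "issued": issued}
    return f"{b64_encode(payload)}.{b64_encode(tag)}"


def verify_device_cookie(cookie, user_id, ip, user_agent, records,
                         secret=DEFAULT_SECRET, now=None, max_age=DEVICE_COOKIE_MAX_AGE):
    """Return None when the machine is not recognized for this account.

    Otherwise return the device id and the list of recorded attributes that differ from
    the current connection, so the caller can decide whether a change of IP or browser
    alone warrants the extra question.
    """
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = b64_decode(payload_b64)
        tag = b64_decode(tag_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError, AttributeError):  # malformed or missing cookie
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # edited payload or tag: the HMAC no longer matches
    if not isinstance(claims, dict) or not {"u", "d", "t"} <= claims.keys():
        return None
    if claims["u"] != user_id:
        return None  # cookie belongs to a different account
    current = int(time.time() if now is None else now)
    if not 0 <= current - int(claims["t"]) <= max_age:
        return None  # expired, or issued in the future
    record = records.get(claims["d"])
    if record is None or record["user_id"] != user_id:
        return None  # revoked on the server side, or never enrolled
    changed = [name for name, value in (("ip", ip), ("user_agent", user_agent))
               if record[name] != value]
    return {"device_id": claims["d"], "changed": changed}


if __name__ == "__main__":
    # Constructed sample data (documentation-range address), not real records.
    devices = {}
    cookie = issue_device_cookie("alice", "203.0.113.10", "Firefox/115", devices)
    print(verify_device_cookie(cookie, "alice", "203.0.113.10", "Firefox/115", devices))  # changed: []
    print(verify_device_cookie(cookie, "bob", "203.0.113.10", "Firefox/115", devices))    # None
```

Keeping the attributes server-side rather than inside the cookie means a copied cookie still only works for the account it was issued to, and deleting the record is enough to un-trust a machine; the cookie should additionally be set with the `Secure` and `HttpOnly` flags so it travels only over TLS and is not readable by page scripts.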


The Electronic Frontier Foundation (EFF) has set up a demo web site showing how astoundingly easy it is to identify a browser even if cookies are disabled or you are connecting from a different IP/provider:

Panopticlick: How unique - and trackable - is your browser?

They use a combination of

  • User agent string
  • HTTP headers
  • Installed browser plug-ins
  • Time zone
  • Screen size and color resolution
  • System fonts
  • Cookie settings

However, the typical scenario (and probably the one used in your sample application) would be to store a cookie locally and identify the returning user via this cookie.


The most secure approach is undoubtedly to issue client certificates, and have the server check the certs on connection (make sure and use a revocation list!). This has quite a lot of administrative overhead, but works.


Most top sites use Flash cookies to track unique visitors. Flash cookies are similar to regular browser cookies yet are not cleared when a user switches browsers or clears the browser history.

Read that again: you can try to clear your history or switch browsers, or even use Chrome's "incognito" mode, and Flash cookies will still remember who you are. They're tied to the Flash install rather than the browser.

Wired has an article about them here: http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

Despite Wired's warning about flash cookies, they themselves use flash cookies to track visitors. Go figure.

Within Flash, they're called "SharedObjects." See more on how to use them here: How do I access cookies within Flash?
