Unique web browser identification ID for web control panel logins in Perl

Backend · unresolved · 4 answers · 1580
北荒 2020-12-16 13:59

Do web browsers have a unique ID that can be passed on to Perl scripts? (Like a unique serial - like products that you buy in the shop have for example)

For instanc

4 answers
  • 2020-12-16 14:11

    Browsers do not have a unique ID, but a good level of fingerprinting is possible. The EFF has measured that, in the best case, the information sent by browsers (including the user agent string and other HTTP headers) represents 18.1 bits of entropy, which means if you take two browsers at random, you have 1 chance in 2^18.1 (≈280,000) that they will have the same "fingerprints". They have set up a website where you can estimate the degree of entropy of the information sent by your browser.

    Some websites use this. My bank, for instance, stores information about the three browsers I use most often to connect to their website, and asks me additional verification questions whenever I'm not using one of those.

    On the other hand, all this information is entirely spoofable: if someone is able to carry out a man-in-the-middle attack and steal a cookie, they are also able to steal all the headers sent by the browser, and can reuse them to authenticate themselves on your website. The same would be true if browsers actually had unique IDs.

    Your alternative, besides using a connection encrypted with SSL (https), which requires you to either pay for a signed certificate or create a self-signed one that will display a security warning to your visitors, is to adopt better practice against session hijacking.

    For one thing, it is not standard to keep the username and password, even if encrypted, in the cookie. What you should do is, once a user has logged into your website, assign them a random, single-use session ID which you will store in your database along with an expiration time (which you may extend every time the user interacts with your website), and send this to them in a cookie.

    If you want an even higher degree of protection, one option is to change the session ID every time the user sends an HTTP request. You could also store a list of IP addresses each user uses to connect to your website, or IP address masks (e.g. X.Y.*.*) if it changes too often, and have them authenticate themselves if they are connecting from an unusual place. If you do this, it is a good practice to ask them "Will you be connecting again from this place?"

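The session handling described in the answer above (random single-use ID, expiry extended on use, rotation on every request, a coarse IP mask check), as an added Perl example that is not part of the original answer. It assumes Linux (/dev/urandom) and stands in an in-memory hash for the database table:

```perl
use strict;
use warnings;

# Constructed stand-in for the database table the answer describes:
# session_id => { user => ..., expires => epoch seconds, ip_prefix => "X.Y" }
my %sessions;
use constant SESSION_TTL => 15 * 60;   # seconds of inactivity before the ID expires

# 256 random bits from the kernel CSPRNG; Perl's rand() is not suitable for session IDs.
sub new_session_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, 32) == 32 or die "short read from urandom";
    close $fh;
    return unpack('H*', $buf);
}

# X.Y.*.* mask from the answer, so a client whose address moves within the same
# network is not forced to log in again on every change.
sub ip_prefix {
    my ($ip) = @_;
    my @oct = split /\./, $ip;
    return "$oct[0].$oct[1]";
}

# Call only after the password check succeeded. Returns the cookie value
# (set the cookie HttpOnly, and Secure when the site is served over https).
sub create_session {
    my ($user, $ip) = @_;
    my $sid = new_session_id();
    $sessions{$sid} = { user => $user, expires => time + SESSION_TTL, ip_prefix => ip_prefix($ip) };
    return $sid;
}

# Run on every request. Returns (user, replacement cookie value), or an empty list
# when the request must be treated as unauthenticated. The old ID is consumed
# either way, so a replayed cookie is rejected and an unusual address forces a new login.
sub validate_and_rotate {
    my ($sid, $ip) = @_;
    my $s = delete $sessions{$sid} or return;      # unknown or already used ID
    return if $s->{expires} < time;                # idle for longer than SESSION_TTL
    return if $s->{ip_prefix} ne ip_prefix($ip);   # connecting from an unusual place
    my $new = new_session_id();
    $sessions{$new} = { %$s, expires => time + SESSION_TTL };
    return ($s->{user}, $new);
}

# Constructed demo: login, one valid request, then a replay of the consumed cookie.
my $sid = create_session('alice', '203.0.113.10');
my ($user, $next) = validate_and_rotate($sid, '203.0.113.42');
print "request 1: ", ($user ? "ok as $user, new cookie issued" : "rejected"), "\n";
my @replay = validate_and_rotate($sid, '203.0.113.42');
print "replay of old cookie: ", (@replay ? "accepted" : "rejected"), "\n";
```

In a real CGI script the hash would be a table keyed on the session ID, and the expiry check would also run as a periodic cleanup so stale rows do not accumulate.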
  • 2020-12-16 14:11

    We can also use localStorage, sessionStorage and cookies to implement this, but this data is visible to the user, so it is better to keep it encrypted.

  • 2020-12-16 14:12

    No, browsers don't have a unique ID. There is no such thing. If there were such a thing, it would be an online advertising company's dream!

    That said, if you're serving up your site via HTTPS, you can issue your clients with client-side X.509 certificates. These would be cryptographically signed by your organization, so fairly unforgeable. (Though obviously if somebody had access to your client's computer they could make a copy of it - the same would be true of any browser ID number though!) Once the certificate is installed, every time the browser makes an HTTPS request to your website, your website can ask for its certificate, and this can be used to verify the user's identity.

  • 2020-12-16 14:16

    You can store some unique values (e.g.: user id) in the user browser using "Html Local Storage" permanently with no expiration date, and store the same values with info about the user agent in the db.

    Then you pass the user agent info with the data in the local storage and match it with the ones in the database...

    // store
    localStorage.setItem("myValue", "123-abcd");

    // retrieve
    var myValue = localStorage.getItem("myValue");

    I'm not sure how secure this approach is for identifying users, but the Html Local Storage is supposed to be accessible only to pages from one origin (same domain and protocol).

    There is also "HTML Session Storage" to store data in the user's browser for only one session.
