Genuine unique identification of PCs in html based websites
https://stackoverflow.com/questions/4230935
-
26-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Imagine a website that uses google gears as a storage mechanism for various application level data. This data is intermittently replicated with a server using Asynchronous webservice calls while the application is active.
The problem lies in the subscription monitoring mechanism. Imagine a subscription system to this service based on unique PC’s. How does a webservice uniquely identify a PC (or more specifically a webbrowser) that is synchronising data with it?
My natural first idea was storing a GUID in the local database per machine and sending it off with the request but if one looks at the google gears storage documentation you discover that the database is unencrypted and can easily be tampered with (attaching to the sqllite file is all that is required and can be accomplished using various tools).
What I’ve been thinking recently is surely there is someway to calculate a signature that is repeatable per machine yet unique using only javascript? So far an implementation of this has eluded me (if only navigator.userAgent.uniqueID existed – although wouldn’t do much for privacy).
Last thought is obviously to write a ActiveX control and firefox plugin to provide this functionality but this would be a huge pain in the ass...
Any insights would be appreciated.
Solution
Your idea of using a GUID in the local db isn't a bad idea. You could expand on that further by allowing the server to issue the GUID for the local DB when connected. Then save the valid GUID for Replication on the server. If that machine begins the replication process with a GUID that matches a valid GUID on the server then they would be authorized to send their data. On top of that you could expire and reissue GUIDs from time to time with the local databases. Finally I would also be wise to manage the number of GUIDs released to a single user. If a user authenticates with username jdoe the only person allowed to use the GUID issued to jdoe is jdoe. (Maybe username isn't the best secondary identifier but using something like this can assist you in keeping false data from being introduced into the system)
