Identify Website-Visitor without cookies/localstorage

04/26/2017 19:11 Shadow992#1
Heyho together,

I need a solution to kind of make sure that one user is only visiting a special site once without registration/login. It is not too important to have a 100% identification rate. I already found a few ways to achieve this: [Only registered and activated users can see links. Click Here To Register...]

However I thought about combining them all with the following things:

- Rough IP location (Country-Level)
- Window size of browser
- Old approaches like localStorage/cookies (which can easily be deleted)
- Browser used
- Popup-Blocker enabled?

Can you think of more features which I could combine with the features mentioned earlier so I can identify if a user visited this website already? Just write any idea you have. So just do some kind of brainstorming, maybe this way we are able to find other possibilities. :)

Important note: It is not possible to use any 3rd party libraries. Yeah I know this sounds stupid, but it is just not possible for me.

Thanks in advance! :)
04/26/2017 23:52 False#2
Off the top of my head, the only other thing I can think of is the OS.
04/28/2017 08:36 atom0s#3
What language(s) do you have access to on the system hosting the site? This would help determine what types of things can be used.
04/28/2017 18:14 Shadow992#4
Quote:
Originally Posted by atom0s View Post
What language(s) do you have access to on the system hosting the site? This would help determine what types of things can be used.
Any language I want. However in general there should not be any problem because each website which uses Http-Requests (99%) can extract the same values.

However I saw "fingerprintjs" just a few days ago. This seems great, even though it is a 3rd party lib. But I guess I will use some basic ideas implemented there even if they are easily changeable. I mainly need some more ideas which cannot be changed that easily (so some server side checks, captcha like things etc.).
04/28/2017 22:20 atom0s#5
If you can use any language you want, why not just use PHP's built-in session handling? That is how most forums, such as this one, manage sessions for user logins. Along with a MySQL backend to store username/passwords; if you can't do that, you can create some flat-file method of storing them instead.

Look at something like Dokuwiki that is 100% flat-file based and allows user logins and so on.
04/29/2017 07:50 Shadow992#6
Quote:
Originally Posted by atom0s View Post
If you can use any language you want, why not just use PHP's built-in session handling? That is how most forums, such as this one, manage sessions for user logins. Along with a MySQL backend to store username/passwords; if you can't do that, you can create some flat-file method of storing them instead.

Look at something like Dokuwiki that is 100% flat-file based and allows user logins and so on.
Delete Caching/Cookies --> RIP solution or if you deactivate Cookies at all. Also I already mentioned to also use it combined with the other methods. However it is not enough as only method because it can be circumvented too easily.
04/29/2017 16:01 #Metho#7
There are certainly better things than reading the screen, but I gave your screen theory some thought and coded an approach here:

1. Reading the pixel/inch ratio:

Code:
window.getPixel = function() {
    var testElement = document.createElement('div');
    var inchToPixel = 96;
    testElement.style.width = '1in';
    document.documentElement.appendChild(testElement);
    var inchToPixelAvail = parseFloat(window.getComputedStyle(testElement).getPropertyValue('width'));
    testElement.parentElement.removeChild(testElement);
    var inchToPixelRelation = 1 / (inchToPixelAvail / inchToPixel);

    return function(pixel) {
        return pixel * inchToPixelRelation;
    };
}();
Then the screen width and height:

Code:
/* width: */
window.getPixel(window.screen.width);

/* height: */
window.getPixel(window.screen.height);
Possibly also do something with screen.colorDepth and screen.pixelDepth.

If you also want a tip or some thoughts from me on the other options, let me know, and I will write something more detailed about the other ways of identifying a user.

#edit:

I sat down with it again and extended it a bit:

Code:
var getUnits = function() {
    /* element prototype */
    var element = document.createElement('div');
    document.documentElement.appendChild(element);

    /* element style */
    var style = window.getComputedStyle(element);

    /* css units */
    var units = [
        'px', 'in', 'pc', 'pt', 'cm', 'mm'
    ];

    /* evaluate units: map each unit name to its computed width in pixels */
    var relations = {};

    for (var i = 0, l = units.length, unit; i < l; i++) {
        unit = units[i];
        element.style.width = 1 + unit;
        relations[unit] = window.parseFloat(style.getPropertyValue('width'));
    }

    document.documentElement.removeChild(element);

    return function() {
        return relations;
    };
}();
And the status bar etc.:

Code:
/* status bar height */
var statusBarHeight = screen.height - screen.availHeight;

/* ... */
screen.width - screen.availWidth; /* etc. pp. */
You could also read the navigator (navigator.appName, navigator.plugins etc.) and store the plugins and browser name from it.

You could use the HTML/CSS reminder to store data there, ... e.g. create an iframe, set history.scrollRestoration to auto there, and then analyze scrollTop, scrollHeight etc.

Or a complete snapshot of the entire Window.window element... check whether images are disabled, and so on.
04/30/2017 03:41 atom0s#8
Quote:
Originally Posted by Shadow992 View Post
Delete Caching/Cookies --> RIP solution or if you deactivate Cookies at all. Also I already mentioned to also use it combined with the other methods. However it is not enough as only method because it can be circumvented too easily.
Basing authentication on random junk like window size and so on is just asking to be exploited. If you are not going to take people's security seriously and want to just throw some shit site together, go ahead. But I'd suggest you rethink what you are doing and do things properly and securely.
04/30/2017 10:50 Shadow992#9
Quote:
Originally Posted by atom0s View Post
Basing authentication on random junk like window size and so on is just asking to be exploited. If you are not going to take people's security seriously and want to just throw some shit site together, go ahead. But I'd suggest you rethink what you are doing and do things properly and securely.
Everyone thinks it is easy to exploit until someone comes and proves the opposite. ;)

But thanks for your feedback, even though you may think it is not helpful, you really helped me with this answer, too. I now know, that I have to convince potential users of this system and to emphasize the security solutions to get rid of exploits.

I am still open for any more suggestions/feedback! :)
05/01/2017 01:29 atom0s#10
So far everything you have shown is going to land up being client-side scripts. Meaning all of your checks and protections are going to be easily visible to the user. You said you can't use various libraries and so on, which means you are limited to what is done on the server. Like I said already, this does not sound like you should be doing anything security related then because it is not going to be secure. You can assume you 'proved everyone wrong' but when your site is hacked or accessed when you didn't want it to be, that'll say otherwise.

I suggest you find a better solution/host that doesn't cause whatever limitations you are running into now and develop real proper security measures to prevent such problems in the future.
05/05/2017 05:59 Yiv#11
In respect to this site [Only registered and activated users can see links. Click Here To Register...] there are several options to identify a browser.

Quote:
  • The user agent string from each browser
  • The HTTP ACCEPT headers sent by the browser
  • Screen resolution and color depth
  • The Timezone your system is set to
  • The browser extensions/plugins, like Quicktime, Flash, Java or Acrobat, that are installed in the browser, and the versions of those plugins
  • The fonts installed on the computer, as reported by Flash or Java.
  • Whether your browser executes JavaScript scripts
  • Yes/no information saying whether the browser accepts various kinds of cookies and "super cookies"
  • A hash of the image generated by canvas fingerprinting
  • A hash of the image generated by WebGL fingerprinting
  • Yes/no whether your browser is sending the Do Not Track header
  • Your system platform (e.g. Win32, Linux x86)
  • Your system language (e.g. en-US)
  • Your browser's touchscreen support
Some of that stuff feels static and should only change once in a while. If it's true that the methods do not have to work 100%, you can go with them, but you have to keep in mind that everything the browser is sending can be manipulated, so there is no 100% chance to keep track of a user - you can only try your best.

Regards
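
The idea running through the thread (combine many attributes and accept less than 100% accuracy) can be sketched as a weighted comparison on the server. This is an added example, not code from any poster; the attribute names follow the list quoted above, while the weights, thresholds and sample values are assumptions chosen for illustration.

```javascript
// Added example. Attribute names follow the list quoted in the post above;
// the weights, thresholds and sample values are assumptions, not measurements.
const WEIGHTS = {
  userAgent: 3, acceptHeaders: 1, screen: 2, timezone: 2, plugins: 2, fonts: 3,
  canvasHash: 4, webglHash: 4, platform: 1, language: 1, touch: 1, doNotTrack: 1,
};
const MIN_COVERAGE = 12; // weight that must be comparable before scoring at all

// Weighted share (0..1) of attributes reported on both sides that are equal.
function similarity(a, b) {
  let total = 0, same = 0;
  for (const [key, weight] of Object.entries(WEIGHTS)) {
    if (a[key] === undefined || b[key] === undefined) continue; // not reported
    total += weight;
    if (JSON.stringify(a[key]) === JSON.stringify(b[key])) same += weight;
  }
  // Too few shared attributes (e.g. JavaScript disabled): refuse to match.
  return total < MIN_COVERAGE ? 0 : same / total;
}

// Best stored visitor at or above the threshold, or null for "not seen before".
function findVisitor(store, fp, threshold = 0.75) {
  let best = null;
  for (const entry of store) {
    const score = similarity(entry.fp, fp);
    if (score >= threshold && (best === null || score > best.score)) {
      best = { id: entry.id, score };
    }
  }
  return best;
}

// Constructed sample data.
const firstVisit = {
  userAgent: 'ExampleBrowser/52.0', acceptHeaders: 'text/html,*/*', screen: [1920, 1080, 24],
  timezone: -120, plugins: ['Flash 25'], fonts: ['Arial', 'Calibri'], canvasHash: 'c-aaaa',
  webglHash: 'w-bbbb', platform: 'Win32', language: 'en-US', touch: false, doNotTrack: false,
};
const store = [{ id: 'visitor-1', fp: firstVisit }];
// Same machine after a browser update: user agent and plugin version changed.
const afterUpdate = { ...firstVisit, userAgent: 'ExampleBrowser/53.0', plugins: ['Flash 26'] };
// Different machine that happens to share language, timezone and headers.
const otherMachine = { ...firstVisit, userAgent: 'OtherBrowser/11.0', screen: [1366, 768, 24],
  fonts: ['DejaVu Sans'], canvasHash: 'c-cccc', webglHash: 'w-dddd', platform: 'Linux x86' };
// Request with JavaScript disabled: only header-derived values are available.
const headersOnly = { userAgent: firstVisit.userAgent, acceptHeaders: 'text/html,*/*',
  language: 'en-US', doNotTrack: false };

console.log(findVisitor(store, afterUpdate), findVisitor(store, otherMachine),
  findVisitor(store, headersOnly));
```

The result is a "probably seen before" score over client-supplied values, so it tolerates a browser update but declines to match when too few attributes are available to compare.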
05/06/2017 11:58 Menan#12
Just use Fingerprinting Shadow :)

1. Log everything in the Browser Agent, the Browser gives you.

And I guess the best method is to use canvas rendering and track the canvas rendering, I guess this can also be done with WebGL. Someone once told me that the canvas rendering is pretty good to identify computers.

Also you could try to store flash cookies, which are harder to delete than normal cookies.
06/04/2017 13:27 iSynaptic#13
What about Java?

It would be very effective since you can retrieve the MAC address of the current device (still not safe against MAC spoofing) and also all other information an ordinary web request would provide.

For IE, ActiveX objects are also good for this kind of thing.

It is important to NOT use things like browser window size because it would be very ineffective.
06/04/2017 19:00 Der-Eddy#14
Quote:
Originally Posted by iSynaptic View Post
What about Java?

It would be very effective since you can retrieve the MAC address of the current device (still not safe against MAC spoofing) and also all other information an ordinary web request would provide.

For IE, ActiveX objects are also good for this kind of thing.

It is important to NOT use things like browser window size because it would be very ineffective.
too bad that every browser blocks java applets by default