Is there a way to get the device's unique id using JQuery/JavaScript.
I know one can detect the user agent and type of device that is being used but that is not required. I need to know the unique id that is being used.
Having said that I also know that browser is the least priviliged application running on the machine and it should be able to get that id.
But still asking if there is a way?
Not possible as far as I know.
I believe it's a security issue. Your device ID is very sensitive information that you wouldn't want just any website being able to capture.
Update:
It's not possible (without any hackery at least) to physically distinguish the computers accessing a web site without the permission of their owners. You can store a cookie to identify the machine when it visits your site again but the key is that the user is in control, and rightly so.
Related
I'm making a conversion tracking page with postback in php, for the same I need to generate a unique transaction ID on unique click.
So for tracking unique clicks I'm tracking the user's IP address with $_SERVER['REMOTE_ADDR'] and generating transaction ID by md5($_SERVER['REMOTE_ADDR']) but there is a problem. Suppose there are some users using a WiFi network or due to some other reasons they have the same IP address so the transaction ID which will be generated would be same for them because of which I will not be able to track the conversion while actually in happened because of different devices.
Can anybody suggest to me the way to resolve this problem with php or javascript?
You could generate an ID of some sort and put a cookie on their machine containing that ID that will identify that browser.
This isn't perfect, but it might get you what you need.
Another way it to fingerprint the device and store the value. For example you can use https://github.com/jackspirou/clientjs to do what you need. There are a few other libraries out there that a google search will turn up.
Another possible way.
echo getenv("username");
The username used in windows.
But cookie is better as suggested earlier
I need to develop an application that registers the device/browser that the user is using. Such as banks or better yet FB does. So for example when a person logs in the application checks to see if they have logged in using that device/browser before. If not then have them go through a verification process.
The application will be built in .Net 4, Asp.Net MVC, js, jQuery, etc..
I hoping to get some advice on what others have used to accomplish this task.
EDIT
Thanks for the comments.
Ok, so basically, if am understanding correctly, both suggestions would mean storing a uniqueid in a cookie/localStorage on a Laptop/Device and also in my DB so i can recognize it in the future.
I was hoping, to be able to get a unique ID from the machine/device that is static and specific to machine/device so that I can use to track it. My concept would mean that a user would have several devices/machines that i have logged in from.
I will also be capturing the IP but i don't want to use that Key to identifying a user.
The chances of getting a precisely unique identifier from a browser is slim to none. There are many privacy risks associated with browsers providing a unique identifier string. However, you can always generate a random GUID for a session a user establishes, and store it either as localStorage or as a cookie.
How can i generate unique fingerprint of each client?
I know must use navigator object but some properties like navigator.battery cannot use in this method.
// battery included and unique may change.
var uniqueHash = exampleHash(JSON.stringify(navigator));
How can i generate correct unique fingerprint for each user just using JavaScript and without cookie.
Cross platform and older browser also must be included.
I need list of cross browser supported by navigator.X
Note:
I don't want to generate random hash. i want to generate system base hash for each user and i dont wanna save on Cookie or Storage.
How can i generate unique fingerprint of each client?
Short answer is that you can't. It's impossible to do this for every client. You can get close using invasive profiling of the client, but you'll probably only get a unique identifier in around 90-95% of cases.
and i dont wanna save on Cookie or Storage.
Is there a reason you don't want to store data client side? If you told us what you were trying to achieve then maybe we could suggest a better way to solve the problem.
One route that may be worth looking into is using the Mozilla Persona API. It exposes a navigator.id property for consumption. Getting a unique id from a user is as simple as...
navigator.id.get(function(unique_id) {
alert("this is your unique id: " + unique_id);
})
This has the downside of requiring user authorization
Example: http://jsfiddle.net/aJsL9/1/
Simplest way to keep a session without using cookies is appending a unique hash (maybe a UUID or something similar) to the urls in the page as a get parameter:
/my/fancy/url
becomes
/my/fancy/url?HASHCODE
whenever the server receives a request, it capture the HASHCODE if present, otherwise it generates one, and then append it to all links on the served page.
Please bear in mind that the user can manipulate the HASHCODE and you should take that into account when engineering your application.
Anyway, notice that it's quite ugly in the fancy-url era. Also notice that user tracking is a delicate subject and you might incur into legal problems if you do not properly declare it in the TOS.
EDIT: you cannot track a person across multiple web sites without using cookies in any of their variants (flash, session storage, etc.) and a domain shared between sites. No way, you cannot set a variable or cookie from one domain and access it from another one in any decent browser, otherwise it would be a big security hole.
EDIT: Panopticlick cannot be used as a tracking method as you suggested, because it is based on statistical matching and it is also pretty bad at that (try browsing https://panopticlick.eff.org/ from outside the USA or with the just-released Chrome/Firefox update). It's a good proof concept, but nothing that you can use for this purpose. Also, you would need a whole lot of samples to get statistically relevant results.
EDIT: Browser fingerprint identifying power is weak: many browsers are autoupdating (like Chrome or Firefox) and official builts are very few (20? 40? Maybe a bit more if you count Linux distribution-compiled ones), so you will find a consistent portion of users with the same user agent. Add that there is a pletora of consumer PCs with similar configurations.
There are other topics like this but none of them completely answer my problem.
I'm making a website only accessible for a small group of users. (like one team)
Now they should all have the possibility to go to the website and see information for them personally. And that without having to log in. Simply said: How to recognize a user without Login.
The problem is, those users will access that webpage 99% of time with their phone.
That means they'll access it trough WiFi OR 3G network making their IP not constant and in my opinion useless to track. Then I thought about the mac address, that's one thing that stays stable. But internet suggests it's not send to browser and so "unable to track".
Questions:
Is it really impossible to track a phones mac address or does a backdoor thing exist? (javascript/php/cookie/...). I do not want an app because the phones work on lots of different platforms.
Is there any other value or constant that I can use to identify a user without login?
You could login via PHP-parameters,
so the user can save a link like that to his bookmarks:
intranet/login.php?user=vincent&pwhash=8fe4c11451281c094a6578e6ddbf5eed
You should use localStorage - that way your user can just login once into your website and then onwards you can always get/set that value.
That's impossible to get the user mac address so don't bother yourself to do some magic to get the mac address of someone's mobile phone. Well based on experience we developed device finger printing or DFP and gathered as many info as we can from the users namely external IP, browser info such us prefererred language, user-agent, etc., screen resolution, geolocation etc. Then out of that info we have some algorithms to make a scoring schemes or matching schemes then store the info to our database. Every time a user visits the site we gather again the info then match it to our records. For example user1 is then determined if he scores more than 90% matching to our records.
Our company makes the web based application which is priced per workstation.
That means that user/pass credentials should only be used from one particular machine.
Currently what is happening that several users are sharing credentials and we do not have any way to prevent this if they are not doing it concurrently.
The nature on the application is such that user needs to use it once in a while so the inability to work concurrently does not bother the users much and the company loses it's possible revenues.
The application currently is purely AJAX without flash/activeX/Java applets.
The ideal solution would be to read the computer name or IP address of the client with javascript using "Shell.Network" scripting interface.
But this is impossible because of the strict security settings in Internet Explorer. I have to mention that cross browser functionality does not matter and the only browser supported is IE.
Searching google I came across this solution here http://www.reglos.de/myaddress/MyAddress.html but it requires JAVA applet so will not be very convenient.
Are there any other solutions for this?
Your licensing model is not consistent with the delivery model. Change one of them.
Set a cookie on the machine with an id. Retrieve the cookie each time the user logs in. If you see several different cookies alternating for a single user you know you've got something odd going on.
(Of course a single switch may just mean they've moved to a new PC as one off. )
Alternatively, price per usage, 'query' or some other item.
This kind of abuse can probably be detected moderately effectively using the Cookie technique that RichH suggested. At least blatant abuse can be detected quite easily (say 10 licenced users, 100 real users).
But of course, don't lock the user out, just monitor the situation and get your Sales people to call up suggesting that they buy more licences.
We do exactly the same (in terms of licensing and delivery), and I'm sure that you have good business reasons for not changing your model.
Track through sessions per user. Do not allow multiple sessions to a single user. To achieve this you will have to save the session ID into the database and check everytime a user logs in.
To help users who at times have a browser crash and relogin with new session, allow them to sign out their previous session... so you can kill the old session and instead register the new one.
Hope this is useful.
There's no easy answer as your clients (the software) are effectively anonymous and the users are self-identifying.
For IE "locking you out" (I'm hardly an IE expert), but can't the IE settings be set for particular domains? You could simply make it a requirement that the users configure their browsers to give your app superior access.
I don't see any reason why you can't have certain requirements for the users browser (i.e. only IE 6/7/8, these security settings, etc.).