I’ve been experimenting with the various ways of tracking a user without cookies or sessions and I came up with a unique way of doing so that I haven’t really seen documented anywhere. Using the script below you should receive a unique session id; if you then try the script in another browser it should return the same session id.
It works by getting the first digits of your IP address e.g. 192 then combines it with the first 2 digits of your remote port between the server and client, it creates a unique hash from that information. This method would only work within the same session and it would not be possible to track users across new connections.
Update…
After discussing this further on the GeekUp mailing list Alan Burlison pointed out that various configurations of servers and load balancers would complicate the remote port assignment so it wouldn’t be possible to track a user reliably using remote ports. He also provided a few links on Pipeline HTTP and various specifications of the HTTP standard which I found interesting.
http://tools.ietf.org/html/rfc2616
http://en.wikipedia.org/wiki/Pipelined_HTTP
http://en.wikipedia.org/wiki/HTTP_persistent_connection
http://httpd.apache.org/docs/2.2/mod/core.html#keepalive
http://www.mozilla.org/projects/netlib/http/pipelining-faq.html
http://egonitron.com/2007/05/25/the-truth-about-the-firefox-pipelining-trick/
Comments 9
Not a good idea to rely on IP address. Some people may change IP address because they use a proxy and do not send POST request through proxy (like Google Web Accelerator do) for example.
Posted 11 Jul 2007 at 10:58 am ¶Yeah it only uses the first section of the IP address but you could change it to use the user agent or other variables.
Still I found it interesting anyway.
Posted 11 Jul 2007 at 11:06 am ¶Ummm, not wanting to rain on your parade, but what’s wrong with cookies or the query string? Granted using the query string can prevent caching, but there are ways around that.
Posted 11 Jul 2007 at 11:34 am ¶It was just a discussion on a mailing list about cookie-less tracking.
You could use a query string but this could be modified quite easily by the user. It was only an experiment just to see what was possible really.
Posted 11 Jul 2007 at 12:28 pm ¶Any chance you could publish the code for this? I’m surprised at how well it produces the same hash across 3 browsers (Safari seems to do things differently), and even across two machines behind one gateway. Would be very useful for web based games to detect users trying to play multiple accounts on a single PC.
Posted 11 Jul 2007 at 11:24 pm ¶Yes no problem I shall release the source code, the code is quite simple really and would only retain the id as long as the connection is alive.
Posted 12 Jul 2007 at 1:03 pm ¶Source code uploaded.
Posted 12 Jul 2007 at 1:08 pm ¶But wouldn’t ever link start a new connection? Most browsers do some sort of piplineing but they also use multiple connections.
Posted 26 Jul 2007 at 2:08 pm ¶Francis the script works with some equipment/browsers but isn’t reliable enough to use in any real world situations.
I found it a interesting experiement and it does work quite well with some configurations but only for that session.
Posted 26 Jul 2007 at 2:19 pm ¶Post a Comment