Tracking without cookies part 2

Wednesday, 11 July 2007

I’ve been experimenting with the various ways of tracking a user without cookies or sessions and I came up with a unique way of doing so that I haven’t really seen documented anywhere. Using the script below you should receive a unique session id; if you then try the script in another browser it should return the same session id.

It works by getting the first digits of your IP address e.g. 192 then combines it with the first 2 digits of your remote port between the server and client, it creates a unique hash from that information. This method would only work within the same session and it would not be possible to track users across new connections.

Remote Port tracking

Remote port source code

Update…

After discussing this further on the GeekUp mailing list Alan Burlison pointed out that various configurations of servers and load balancers would complicate the remote port assignment so it wouldn’t be possible to track a user reliably using remote ports. He also provided a few links on Pipeline HTTP and various specifications of the HTTP standard which I found interesting.

http://tools.ietf.org/html/rfc2616
http://en.wikipedia.org/wiki/Pipelined_HTTP
http://en.wikipedia.org/wiki/HTTP_persistent_connection
http://httpd.apache.org/docs/2.2/mod/core.html#keepalive
http://www.mozilla.org/projects/netlib/http/pipelining-faq.html
http://egonitron.com/2007/05/25/the-truth-about-the-firefox-pipelining-trick/

The entry 'Tracking without cookies part 2' was posted on July 11th, 2007 at 10:30 am and last modified on July 12th, 2007 at 1:07 pm, and is filed under javascript, php, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

9 Responses to “Tracking without cookies part 2”

  1. emanresU writes:
    No. 1 — July 11th, 2007 at 10:58 am

    Not a good idea to rely on IP address. Some people may change IP address because they use a proxy and do not send POST request through proxy (like Google Web Accelerator do) for example.

  2. Gareth Heyes writes:
    No. 2 — July 11th, 2007 at 11:06 am

    Yeah it only uses the first section of the IP address but you could change it to use the user agent or other variables.

    Still I found it interesting anyway.

  3. Richard Heyes writes:
    No. 3 — July 11th, 2007 at 11:34 am

    Ummm, not wanting to rain on your parade, but what’s wrong with cookies or the query string? Granted using the query string can prevent caching, but there are ways around that.

  4. Gareth Heyes writes:
    No. 4 — July 11th, 2007 at 12:28 pm

    It was just a discussion on a mailing list about cookie-less tracking.

    You could use a query string but this could be modified quite easily by the user. It was only an experiment just to see what was possible really.

  5. iamsure writes:
    No. 5 — July 11th, 2007 at 11:24 pm

    Any chance you could publish the code for this? I’m surprised at how well it produces the same hash across 3 browsers (Safari seems to do things differently), and even across two machines behind one gateway. Would be very useful for web based games to detect users trying to play multiple accounts on a single PC.

  6. Gareth Heyes writes:
    No. 6 — July 12th, 2007 at 1:03 pm

    Yes no problem I shall release the source code, the code is quite simple really and would only retain the id as long as the connection is alive.

  7. Gareth Heyes writes:
    No. 7 — July 12th, 2007 at 1:08 pm

    Source code uploaded.

  8. Francis writes:
    No. 8 — July 26th, 2007 at 2:08 pm

    But wouldn’t ever link start a new connection? Most browsers do some sort of piplineing but they also use multiple connections.

  9. Gareth Heyes writes:
    No. 9 — July 26th, 2007 at 2:19 pm

    Francis the script works with some equipment/browsers but isn’t reliable enough to use in any real world situations.

    I found it a interesting experiement and it does work quite well with some configurations but only for that session.

«
»