Tracking without cookies part 2

I’ve been experimenting with the various ways of tracking a user without cookies or sessions and I came up with a unique way of doing so that I haven’t really seen documented anywhere. Using the script below you should receive a unique session id; if you then try the script in another browser it should return the same session id.

It works by getting the first digits of your IP address e.g. 192 then combines it with the first 2 digits of your remote port between the server and client, it creates a unique hash from that information. This method would only work within the same session and it would not be possible to track users across new connections.

Remote Port tracking

Remote port source code


After discussing this further on the GeekUp mailing list Alan Burlison pointed out that various configurations of servers and load balancers would complicate the remote port assignment so it wouldn’t be possible to track a user reliably using remote ports. He also provided a few links on Pipeline HTTP and various specifications of the HTTP standard which I found interesting.

9 Responses to “Tracking without cookies part 2”

  1. emanresU writes:

    Not a good idea to rely on IP address. Some people may change IP address because they use a proxy and do not send POST request through proxy (like Google Web Accelerator do) for example.

  2. Gareth Heyes writes:

    Yeah it only uses the first section of the IP address but you could change it to use the user agent or other variables.

    Still I found it interesting anyway.

  3. Richard Heyes writes:

    Ummm, not wanting to rain on your parade, but what’s wrong with cookies or the query string? Granted using the query string can prevent caching, but there are ways around that.

  4. Gareth Heyes writes:

    It was just a discussion on a mailing list about cookie-less tracking.

    You could use a query string but this could be modified quite easily by the user. It was only an experiment just to see what was possible really.

  5. iamsure writes:

    Any chance you could publish the code for this? I’m surprised at how well it produces the same hash across 3 browsers (Safari seems to do things differently), and even across two machines behind one gateway. Would be very useful for web based games to detect users trying to play multiple accounts on a single PC.

  6. Gareth Heyes writes:

    Yes no problem I shall release the source code, the code is quite simple really and would only retain the id as long as the connection is alive.

  7. Gareth Heyes writes:

    Source code uploaded.

  8. Francis writes:

    But wouldn’t ever link start a new connection? Most browsers do some sort of piplineing but they also use multiple connections.

  9. Gareth Heyes writes:

    Francis the script works with some equipment/browsers but isn’t reliable enough to use in any real world situations.

    I found it a interesting experiement and it does work quite well with some configurations but only for that session.