Identify client by unique ID

Question

What is the best way to identify a client within PHP?

Obviously an IP-address wouldn't be safe nor would it distinguish multiple clients coming from the same IP-address.

I don't want to use sessions.

Answer 1

I really like smassey's suggestion (above) of FingerPrinting. Our issue is making it so we lockout people who enter the wrong credentials N times and not lockout anyone else. We need to know something from the client workstation that we can rely upon that tells us something unique. IP address works if there is no HTTP proxy. Proxies confuse this. We are not looking for a user's real name or anything private but keeping bad guys/gals locked out. The nice thing is that it does it without sessions, without cookies and works even if they change browsers. Not sure what parameters we will use but I will be looking in PHP to see what is available. I wonder if total space on primary local storage is available. Mac and Linux compatibility is a must nowadays.

Answer 2

Other than cookies / sessions (based on unique id'd cookies) your only choice is called 'fingerprinting'. The idea is to make browser fingerprints out of multiple small details known about the client. A very simple example is:

$unique_id = md5( $client_ip . $client_user_agent );

This can become more accurate than most would imagine when you combine details such as: java vm version, flash version, installed fonts, ... all available information when you have access to the content page itself. Of course breaking the fingerprint becomes as easy as updating to a new flash player but for short lived cookie-less sessions, fingerprints do the trick.

Answer 3

Thanks God, there is NO unique id to track our browsers. So, you have to limit your desire for identification to mere cookies.