Chad

Reputation: 1888

Identity Information over HTTP?

If a person clears their cookies and changes their IP address, is there ANY way for a website to identify that computer as a computer that has "been here before"? In other words, no identifiable information like MAC can ever be known over HTTP, right? (I've looked through the list of headers and only see cookies and user-agent).

Also - same goes for a mobile device. If the mobile clears cookies, is there any way to identify it as a repeat visitor?

Thanks!

Chad

Upvotes: 0

Views: 184

Answers (5)

Tim

Reputation: 5421

If there were a (toggle-able) program available that would intercept the requests for the font-list at the O/S level, and return a bogus list, resembling a machine's list right after the O/S has been installed -- and perhaps the list could be modified slightly each time by including or excluding some randomly chosen font not from the basic list -- then a huge percentage of the identifying bits could be removed from your browser's "fingerprint", and you're no longer uniquely identified but blend in better with the herd or the flock.

Upvotes: 0

symcbean

Reputation: 48387

As others have said, no, there's nothing you can do for normal browser access.

For mobile devices (at least via WAP) there is an extra CGI parameter (the name of which escapes me) which the gateway is supposed to populate with an identifier which is unique to that mobile device's phone number - however implementations vary.

C.

Upvotes: 0

Jacob Mattison

Reputation: 51062

If you look at a site such as browserspy, you will see that a website can find out quite a bit more from a browser than the stuff you see just by looking at your request headers. And security researchers have done some investigation of the idea of uniquely identifying a browser based on those characteristics (e.g. what plugins you have installed, what fonts you have installed, etc.). But nothing like this is truly reliable (for one thing, much of this will change simply by switching to a different browser on the same computer). There is certainly no "official" unique identifier such as a MAC address.

Upvotes: 1

Marc Novakowski

Reputation: 45408

There are other ways to identify individual users without cookies -- based on a variety of information leaked by the browser and associated plugins. Check out Panopticlick for an example. It's probably not as effective with mobile browsers because (as far as I know) they don't have plugins like desktop browsers.

Upvotes: 1
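
The "identifying bits" idea behind Panopticlick and the font-list suggestion in the answers above, as an added example that is not part of any poster's answer: it measures how many visitors share one user's browser attributes, and how that changes when the user reports only a stock font list. The visitor table, attribute names and values are constructed for illustration; "stock" stands for the font list of a fresh O/S install.

```python
import math
from collections import Counter

ATTRS = ("user_agent", "plugins", "fonts")

# Constructed sample of 8 visits: values a site can read without cookies or IP.
VISITORS = [dict(zip(ATTRS, row)) for row in [
    ("BrowserA/1.0", "flash,pdf", "stock"),
    ("BrowserA/1.0", "flash,pdf", "stock"),
    ("BrowserA/1.0", "flash",     "stock"),
    ("BrowserA/1.0", "flash,pdf", "stock+Helvetica Neue"),
    ("BrowserB/2.0", "flash,pdf", "stock"),
    ("BrowserB/2.0", "",          "stock"),
    ("BrowserB/2.0", "flash,pdf", "stock+Fira Code,Comic Neue"),  # user under study
    ("BrowserB/2.0", "flash,pdf", "stock"),
]]
ME = 6  # index of the user under study

def _key(visitor, attrs):
    """The tuple of attribute values that a site would compare."""
    return tuple(visitor[a] for a in attrs)

def anonymity_set(visitors, idx, attrs=ATTRS):
    """Number of visitors (including idx) indistinguishable from visitor idx."""
    counts = Counter(_key(v, attrs) for v in visitors)
    return counts[_key(visitors[idx], attrs)]

def surprisal_bits(visitors, idx, attrs=ATTRS):
    """Identifying information, in bits, carried by visitor idx's attrs."""
    return math.log2(len(visitors) / anonymity_set(visitors, idx, attrs))

def with_stock_fonts(visitors, idx):
    """Copy of visitors in which visitor idx reports only the stock font list."""
    out = [dict(v) for v in visitors]
    out[idx]["fonts"] = "stock"
    return out

if __name__ == "__main__":
    # One attribute at a time, then all three combined.
    for attrs in [("user_agent",), ("plugins",), ("fonts",), ATTRS]:
        print(attrs, anonymity_set(VISITORS, ME, attrs),
              round(surprisal_bits(VISITORS, ME, attrs), 2))
    masked = with_stock_fonts(VISITORS, ME)
    print("stock fonts:", anonymity_set(masked, ME),
          round(surprisal_bits(masked, ME), 2))
```

In this sample the unusual font list alone makes the user unique among the 8 visits, while the stock list puts the same browser in a group of 3.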

riwalk

Reputation: 14233

Not at the application level. As you correctly determined, the user can change everything that is sent in an HTTP request.

As for the MAC address, the MAC address is used in the link level of the internet protocol. It is not transmitted along multiple hops when making any sort of internet communication, thus unless you are 1 hop away from the client, you cannot use this information either.

Bottom line, can't really be done. If someone really wants to be forgotten, then they will be forgotten.

Upvotes: 1
