Parshant

Reputation: 25

Is there a way to get a client's browser and OS name such that the client cannot modify it?

So I have to get a client's browser and OS name. But the thing is that we don't want the user to be able to manipulate information about the OS or browser. But some websites show that there is only one way to do it, that is, by using the request header userAgent.

Below are the links I've been through:

  1. Retrieving Browser, OS and Device Type By Parsing User Agent
  2. How to prevent user-agent to be changed by user
  3. How do I prevent websites from detecting my OS? Which browser should I use?

So according to these, we can only do it with the help of userAgent. And it is not a difficult thing for a client to change it, and also there is no way that we can detect if a client has modified it. And it turns out that even MNCs like Amazon and Facebook rely on userAgent.

So on learning about device fingerprinting, I got to know about a JavaScript library called FingerprintJS, and it seems that they don't rely on userAgent for finding out the client's OS name, as I tried using it and it turns out that on manipulating userAgent I got the original result. I am still trying to figure out how exactly they work for getting the OS and browser name. And even if the client can manipulate this too, is there still a way that we can at least make it difficult for a client to fake the browser and OS?

Upvotes: 1

Views: 1167

Answers (3)

Haoyang Feng

Reputation: 180

As there's no guaranteed way of knowing the user's OS/browser (since the user is able to send anything with their request), the more important question to ask may be:

Why do you want to know the user's OS/browser?

This can help us find a better answer for your actual requirements.

For example, this might help: https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent#considerations_before_using_browser_detection

Upvotes: 2

Open AI - Opting Out

Reputation: 1631

One method I can think of is through a custom browser extension/plugin. You may even be able to use a browser API, depending on the target browser.

You would then craft a payload which would compute/calculate the "client signature" out-of-band, not within the browser's standard request cycles, and compute a signed, self-validating hash, stored as a cookie.

This would require some knowledge of the related layers involved.

You are essentially talking about device fingerprinting.

While there are a vast number of approaches, you may not really want to maintain the overhead required, as it is generally done using multiple approaches, many of which are accomplished by exploiting bugs in browsers, HTTP protocols, network routing analysis and even the clever targeting of numerous OS bugs and/or quirks.


A much simpler approach is to feed your user a hashed cookie, with a scheme to detect if it's been modified. That cookie, along with other authentication and verification mechanisms would be far simpler and may be enough for your purposes.


There are 3rd party APIs which provide such a service, if it's really mission critical.


Of course, philosophically speaking, whether or not you should be fingerprinting your users is really up to you and the expectations of your users.


But there you go, I hope that provides a broader view of what's involved.

Upvotes: 1
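
The "hashed cookie, with a scheme to detect if it's been modified" from the answer above can be built as an HMAC-signed cookie. This is an added example, not code from any of the answers; the key handling, the claim names and all function names are assumptions. It detects edits to a value the server issued, and it cannot show that the browser/OS value was true when it was first reported.

```python
import base64, hashlib, hmac, json, secrets

# Constructed key for the example; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize what the server observed and append an HMAC-SHA256 tag."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the claims if the tag matches the payload, otherwise None."""
    try:
        payload_part, tag_part = cookie.split(".")
        payload, tag = _unb64(payload_part), _unb64(tag_part)
    except (ValueError, TypeError):
        return None  # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # payload or tag was changed after issuance
    return json.loads(payload)

def tamper_payload(cookie: str, new_claims: dict) -> str:
    """Test helper: replace the payload but keep the old tag, as an edited cookie would."""
    forged = json.dumps(new_claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(forged) + "." + cookie.split(".")[1]

if __name__ == "__main__":
    seen = {"os": "Windows", "browser": "Firefox"}  # constructed sample values
    cookie = issue_cookie(seen)
    print("untouched:", verify_cookie(cookie))
    edited = tamper_payload(cookie, {"os": "Linux", "browser": "Firefox"})
    print("edited:   ", verify_cookie(edited))
    # The server signs whatever it was told, so a value that was already
    # false in the first request still verifies on every later request.
    print("false at issuance:", verify_cookie(issue_cookie({"os": "Linux", "browser": "curl"})))
```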

Michal Trojanowski

Reputation: 12322

You are not able to restrict values that are sent with a request to your server. A user will always be able to use e.g. curl to send some arbitrary headers, cookies, etc. You can make it more difficult to tamper with the values through some obscurity, but that is not making such a solution secure.

Device fingerprinting might help, but you will most probably get blocked by ad blockers as they target fingerprinting as well. Still, even if you do implement device fingerprinting and get more accurate data about the user's browser, the user still can tamper with requests and change that data.

I don't know what your requirements are, but normally you shouldn't be that much concerned with the user's browser or OS.

Upvotes: 7
