Aleksandr Guidrevitch said:
...
> Is it possible to uniquely identify the user by some attributes?
> The only thing I consider now is IP, but what about proxies and NATs?
> User Agent string could also be stolen via javascript. That means I tend
> to make stolen session ids non-reusable.
Went through this many years ago and I assure you that there is 'no' proper heuristic for identifying that user. UserAgent fails when you have a building full of people with a standard install. IP fails with proxies - and even worse - through crappy ISPs where each request appears to be chained through some different proxy.

IMHO, you have to accept some level of insecurity. Make the walls higher. Use POST, use cookies, make your session ids short-lived, make heuristics for comparing temporally close subsequent requests' user agent/IP, etc. Perhaps there's someone clever out there who has found some chaotic fractal which will reveal the MAC address from the combination of everything else; however, besides this, I think it's a no-winner.

Well, good luck,
Rafiq
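The "higher walls" Rafiq lists (short-lived ids, and a heuristic that compares the user agent and IP of temporally close requests) can be put in a small server-side session store. The following is an added example, not code from either poster: the 15-minute lifetime, the 30-second "temporally close" window, and the choice to treat addresses in the same /24 (IPv4) or /64 (IPv6) as one proxy pool are assumptions made for illustration, chosen so that an ISP that chains requests through several proxies in one block does not trip the check while a jump between unrelated networks does.

```python
"""Session validator following the thread's advice: short-lived ids plus a
heuristic on the UA/IP of temporally close requests. Added example, not code
from the original post; thresholds and the /24 / /64 pool rule are assumptions."""
import secrets
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SESSION_TTL = 15 * 60   # seconds a session id stays valid (assumed value)
CLOSE_WINDOW = 30       # seconds within which two requests are "temporally close" (assumed)


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    last_ua: str
    last_ip: str


def same_pool(a: str, b: str) -> bool:
    """Treat addresses in the same /24 (IPv4) or /64 (IPv6) as one proxy pool.
    Assumption: an ISP that rotates proxies per request draws them from one
    block, so a change inside the block is not by itself alarming."""
    ia, ib = ip_address(a), ip_address(b)
    if ia.version != ib.version:
        return False
    bits = 24 if ia.version == 4 else 64
    return ip_network(f"{a}/{bits}", strict=False) == ip_network(f"{b}/{bits}", strict=False)


class SessionStore:
    """In-memory store; `clock` is injectable so the heuristic can be tested deterministically."""

    def __init__(self, clock=time.time):
        self._sessions: dict = {}
        self._clock = clock

    def issue(self, user: str, ua: str, ip: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, ua, ip)
        return sid

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def validate(self, sid: str, ua: str, ip: str) -> str:
        """Check a presented session id against the request's UA and IP.
        Returns one of: "ok", "unknown", "expired", "ua_mismatch", "ip_jump"."""
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"
        now = self._clock()
        if now - s.issued_at > SESSION_TTL:   # absolute lifetime, not an idle timeout
            self.revoke(sid)
            return "expired"
        if ua != s.last_ua:
            # A browser does not change its UA mid-session; a mismatch means the
            # id is being replayed from elsewhere. Revoke so the stolen id is
            # single-use, as Aleksandr wanted.
            self.revoke(sid)
            return "ua_mismatch"
        if (ip != s.last_ip and now - s.last_seen < CLOSE_WINDOW
                and not same_pool(ip, s.last_ip)):
            # Two requests seconds apart from unrelated networks: suspicious but
            # not proof (mobile handoff, VPN). Signal it rather than revoke, so
            # the caller can demand re-authentication for sensitive actions.
            return "ip_jump"
        s.last_seen = now
        s.last_ip = ip
        return "ok"
```

The store deliberately distinguishes a hard failure (UA mismatch, which revokes the id) from a soft one (an IP jump, which only flags the request), because the thread itself notes that IP is the less reliable of the two signals; what a caller does with "ip_jump", such as forcing a re-login before a password change, is policy outside this example.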