All,

I'm looking into ways of uniquely identifying a
computer. I've been reading around the web looking at
different mechanisms, and so far I've drawn a fuzzy
blank. Currently, I want to use SSL to let a user sign
in and then I return a session cookie, which I then
use to confirm the user is logged in when they come to
non-SSL pages.

What I wish to do is prevent another user copying the
session cookie, from one computer to another, and then
gaining access. Originally I wondered if I could get
at the MAC address of the connection, but that seems
to be a dead end. After a little further reading it
seems that there is a UUID generated at the handshake?
stage of SSL, so therefore I wonder if I can use this,
e.g. map my session_id to a UUID, and then when I
check the session is valid I crosscheck this, however
I'm not sure if I can get the UUID over a non-SSL
connection. 

I'm sure I'm not the first person to want to uniquely
identify a computer that comes to my site, without
blindly trusting cookies, but I'm at a loss as to how to
find anything better than IP address to session cookie
mapping (which is kind of pointless for NATed
addresses, I know).

Does anybody have any ideas, pointers...?

Regards

Marty