All,

I'm looking into ways of uniquely identifying a computer. I've been reading around the web looking at different mechanisms, and so far I've drawn a fuzzy blank. Currently, I want to use SSL to let a user sign in and then I return a session cookie, which I then use to confirm the user is logged in when they come to non-SSL pages.
What I wish to do is prevent another user copying the session cookie from one computer to another and then gaining access. Originally I wondered if I could get at the MAC address of the connection, but that seems to be a dead end. After a little further reading it seems that there is a UUID generated at the handshake(?) stage of SSL, so therefore I wonder if I can use this, e.g. map my session_id to a UUID, and then when I check the session is valid I cross-check this. However, I'm not sure if I can get the UUID over a non-SSL connection.

I'm sure I'm not the first person to want to uniquely identify a computer that comes to my site without blindly trusting cookies, but I'm at a loss as to how to find anything better than IP address to session cookie mapping (which is kinda pointless for NATted addresses, I know).

Does anybody have any ideas, pointers...?

Regards
Marty
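The IP-address-to-session-cookie mapping mentioned in the post, as an added example that is not part of the original message: it rejects a copied cookie presented from another address but accepts one from a second machine behind the same NAT gateway. The class and function names, the user name and the sample addresses are assumptions constructed for illustration.

```python
import secrets


class SessionStore:
    """Server-side map: session id -> (user, client IP seen at SSL login)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        # Called after a successful sign-in over SSL; the returned id
        # is what would be sent to the browser as the session cookie.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, client_ip)
        return sid

    def check(self, sid, client_ip):
        """Return the user if the cookie is known and comes from the login IP."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip = entry
        if client_ip != bound_ip:
            # Design choice (assumption): a mismatch revokes the session so
            # the user must sign in again. This also logs out legitimate
            # users whose address changes mid-session.
            del self._sessions[sid]
            return None
        return user


def demo():
    store = SessionStore()
    # Constructed sample addresses from the RFC 5737 documentation ranges.
    nat_gateway = "203.0.113.7"   # public address shared by a whole office
    other_site = "198.51.100.23"  # unrelated network
    sid = store.login("marty", nat_gateway)
    return {
        "same_machine": store.check(sid, nat_gateway),
        # A second machine behind the same NAT presents the same source
        # address, so the server cannot tell it apart from the first.
        "copied_behind_same_nat": store.check(sid, nat_gateway),
        "copied_elsewhere": store.check(sid, other_site),
        "after_revocation": store.check(sid, nat_gateway),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```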