Re: Apache::Session / No-Cookie-Tracking

2001-05-26 Thread Issac Goldstand

Is it a secure website?  If so, it could be using the SSL unique ID which,
if I'm not mistaken, is persistent through the SSL session (so the server
doesn't have to redo the handshake on each connect).

  Issac

- Original Message -
From: Jonathan Hilgeman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 25, 2001 6:29 PM
Subject: FW: Apache::Session / No-Cookie-Tracking


 Sure - I believe in magic, depending on your definition of it. I KNOW
 there's a 4th method, because I've seen it work. There is an e-commerce web
 site which uses an outside cart programmed in CGI (Perl?). The original web
 site passes no identifying marks such as the session ID through the URL or
 through the form's submit button to add an item to the cart. I know, because
 I designed and created the web site.

 However, when the visitors hit the submit button, they are taken to another
 program/website containing their shopping basket filled with their items. I
 have figured out that it relies somewhat on the IP address, but not
 completely, because I have tested it behind the firewall and the other
 computer behind the firewall with me does not share the same basket.

 Once I am at that screen (viewing the contents of my cart on the program),
 there are other links which contain a session ID of sorts carried via the
 URL. The thing that is driving my head crazy is how they identify the user
 in the first place to create the links with the session ID.

 I accidentally caught them during testing or something and got a variable on
 the URL line. (I substituted the domain name - it's not really cart.com)

 http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E

 cartidnum seems to be:
 $IP-Address + T + Unix-TimeStamp + R + Unknown number + E

 By the way, the session only seems to be active until the browser completely
 shuts down. Any ideas? If I could identify my users on another site without
 using cookies at all, that would be fantastic!

 Jonathan






Re: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Ilya Martynov


JH I want to be able to track visitors without the use of cookies.
JH I don't want to rely on IP address, because people behind proxies and
JH firewalls seem to have the same IP address. 
JH I don't want to rely on a session ID variable being always present in the
JH URL, in case the window gets closed or changed.
JH Now, two questions:

JH 1) Will Apache::Session provide an environment variable like
JH HTTP_USER_AGENT that will contain an identifier that will always
JH be consistent for that specific user, despite proxies and
JH firewalls, and despite the changing/closing of windows?

JH 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session data identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Re: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Perrin Harkins

 Sure - I believe in magic, depending on your definition of it. I KNOW
 there's a 4th method, because I've seen it work. There is an e-commerce web
 site which uses an outside cart programmed in CGI (Perl?). The original web
 site passes no identifying marks such as the session ID through the URL or
 through the form's submit button to add an item to the cart. I know, because
 I designed and created the web site.

 However, when the visitors hit the submit button, they are taken to another
 program/website containing their shopping basket filled with their items. I
 have figured out that it relies somewhat on the IP address, but not
 completely, because I have tested it behind the firewall and the other
 computer behind the firewall with me does not share the same basket.

 Once I am at that screen (viewing the contents of my cart on the program),
 there are other links which contain a session ID of sorts carried via the
 URL. The thing that is driving my head crazy is how they identify the user
 in the first place to create the links with the session ID.

 I accidentally caught them during testing or something and got a variable on
 the URL line. (I substituted the domain name - it's not really cart.com)

 http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E

 cartidnum seems to be:
 $IP-Address + T + Unix-TimeStamp + R + Unknown number + E

 By the way, the session only seems to be active until the browser completely
 shuts down. Any ideas?

Sure sounds like a cookie to me.  What makes you think it isn't one?  Or
else they just don't care who you are until you hit the shopping cart, and
then they keep your identity with URLs and hidden form fields.
- Perrin




RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Jonathan Hilgeman

The feeling of magic only lasts until you know how it's done, and I have
seen the light. 

What happens is that they use a per-session cookie, so it doesn't appear in
my temp folder. But, if per-session cookies are disabled, then it relies on
the IP address. I guess that is better than just one method, but I think I
may use the same method, but base the no-cookie method on both IP address
AND HTTP_USER_AGENT to try to make things more unique. 

Jonathan

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:35 AM
To: Jonathan Hilgeman
Subject: Re: Apache::Session / No-Cookie-Tracking



JH Sure - I believe in magic, depending on your definition of it. I KNOW
JH there's a 4th method, because I've seen it work. There is an e-commerce web
JH site which uses an outside cart programmed in CGI (Perl?). The original web
JH site passes no identifying marks such as the session ID through the URL or
JH through the form's submit button to add an item to the cart. I know, because
JH I designed and created the web site.

JH [..skip..]

Interesting. If you tell me the URL of your web site where you are
using this outside cart, I'll probably find out how they do tracking.

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Joe Breeden


use Apache::MindReader;

my $future = Apache::MindReader->new( no_mistakes => 1 );

$future->read_mind( no_info_whatsoever => 1 );

my $reliable_unknown_id = $future->track_user();

die "Could not figure out user without knowing one single piece of information about them.  Weird\n"
    unless ( $reliable_unknown_id );

(Of course your mileage may vary)

(For entertainment purposes only)


Wink. Wink. Nudge. Nudge.

Joe Breeden

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 11:02 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: Apache::Session / No-Cookie-Tracking



JH I want to be able to track visitors without the use of cookies.
JH I don't want to rely on IP address, because people behind proxies and
JH firewalls seem to have the same IP address. 
JH I don't want to rely on a session ID variable being always present in the
JH URL, in case the window gets closed or changed.
JH Now, two questions:

JH 1) Will Apache::Session provide an environment variable like
JH HTTP_USER_AGENT that will contain an identifier that will always
JH be consistent for that specific user, despite proxies and
JH firewalls, and despite the changing/closing of windows?

JH 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session data identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Joe Breeden

Seems like the site in question is using either a hidden form element or a
session cookie. I'm guessing that with the session being only valid as long
as the browser window is open a session cookie is being used. The reason you
don't see this in the Cookie directory for your particular browser is that
these cookies are stored in the memory - they are not to be saved after the
browser session is over. I hope that helps.

Joe Breeden

--
Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)


-Original Message-
From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: FW: Apache::Session / No-Cookie-Tracking


Sure - I believe in magic, depending on your definition of it. I KNOW
there's a 4th method, because I've seen it work. There is an e-commerce web
site which uses an outside cart programmed in CGI (Perl?). The original web
site passes no identifying marks such as the session ID through the URL or
through the form's submit button to add an item to the cart. I know, because
I designed and created the web site. 

However, when the visitors hit the submit button, they are taken to another
program/website containing their shopping basket filled with their items. I
have figured out that it relies somewhat on the IP address, but not
completely, because I have tested it behind the firewall and the other
computer behind the firewall with me does not share the same basket. 

Once I am at that screen (viewing the contents of my cart on the program),
there are other links which contain a session ID of sorts carried via the
URL. The thing that is driving my head crazy is how they identify the user
in the first place to create the links with the session ID.

I accidentally caught them during testing or something and got a variable on
the URL line. (I substituted the domain name - it's not really cart.com)
http://www.cart.com/cgi-bin/cart.cgi?cartidnum=208.144.33.190T990806951R5848E

cartidnum seems to be:
$IP-Address + T + Unix-TimeStamp + R + Unknown number + E

By the way, the session only seems to be active until the browser completely
shuts down. Any ideas? If I could identify my users on another site without
using cookies at all, that would be fantastic!

Jonathan

-Original Message-
From: Ilya Martynov [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:02 AM
To: Jonathan Hilgeman
Cc: '[EMAIL PROTECTED]'
Subject: Re: Apache::Session / No-Cookie-Tracking



JH I want to be able to track visitors without the use of cookies.
JH I don't want to rely on IP address, because people behind proxies and
JH firewalls seem to have the same IP address. 
JH I don't want to rely on a session ID variable being always present in the
JH URL, in case the window gets closed or changed.
JH Now, two questions:

JH 1) Will Apache::Session provide an environment variable like
JH HTTP_USER_AGENT that will contain an identifier that will always
JH be consistent for that specific user, despite proxies and
JH firewalls, and despite the changing/closing of windows?

JH 2) If not, does anyone know of a good way to do this?

Do you believe in magic? :)

The only way to track visitors is either:

1) use cookies

2) use session ID variable in URI and/or hidden field with session ID
   in forms

3) use IPs (which is bad because it is completely broken approach)

4) use HTTP authorization (which is not always convenient because
   requires user registration)

Apache::Session can only create persistent storage of session
data. Each session data identified by some session ID. This ID should
be taken from somewhere (see above).

-- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)|
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80  E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)  |
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Joe Breeden

You may also want to store a hidden field in every form with a sessionid that
is generated by you. Depending on how unique the number needs to be, we use
either the number generated by mod_unique_id - potentially less reliable -
(a part of the standard apache dist) or generate one with MD5 - generally
more reliable. 

Joe
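
An added example, not code from anyone in the thread: a Perl sketch contrasting the cookie-less fallback Jonathan describes (a key derived from IP address plus HTTP_USER_AGENT) with a server-generated ID carried in a hidden form field, as Joe suggests. The function names and the two sample clients are constructed; the ID is read from /dev/urandom (an assumption, Unix-like hosts only) rather than taken from mod_unique_id or an MD5 of request data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Cookie-less fallback key built only from what the request exposes.
# Hypothetical helper: anything behind one proxy with one browser build
# produces the same key.
sub fallback_key {
    my ($ip, $user_agent) = @_;
    return md5_hex(join "\0", $ip, $user_agent);
}

# Server-generated session ID: 128 bits from the kernel RNG, hex-encoded.
# Assumes /dev/urandom exists.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack 'H*', $bytes;
}

# Accept only IDs in the shape we issue before using one as a storage key.
sub valid_session_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{32}\z/ ? 1 : 0;
}

# Hidden form field that carries the ID from page to page.
sub hidden_field {
    my ($id) = @_;
    die "refusing to emit malformed session id" unless valid_session_id($id);
    return qq{<input type="hidden" name="sessionid" value="$id">};
}

# Constructed sample: two different people behind one NAT/proxy address,
# both running the same browser build.
my @clients = (
    { who => 'alice', ip => '192.0.2.10',
      ua  => 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)' },
    { who => 'bob',   ip => '192.0.2.10',
      ua  => 'Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)' },
);

for my $c (@clients) {
    $c->{fallback} = fallback_key($c->{ip}, $c->{ua});
    $c->{sid}      = new_session_id();
    printf "%-5s fallback=%s sid=%s\n", $c->{who}, $c->{fallback}, $c->{sid};
}

print "fallback keys collide: ",
    ($clients[0]{fallback} eq $clients[1]{fallback} ? "yes" : "no"), "\n";
print "session ids collide:   ",
    ($clients[0]{sid} eq $clients[1]{sid} ? "yes" : "no"), "\n";
print hidden_field($clients[0]{sid}), "\n";
```

Both sample clients get the same fallback key, so a store keyed on it would hand them one shared basket; the generated IDs differ.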

-Original Message-
From: Jonathan Hilgeman [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 11:51 AM
To: 'Ilya Martynov'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Apache::Session / No-Cookie-Tracking


The feeling of magic only lasts until you know how it's done, and I have
seen the light. 

What happens is that they use a per-session cookie, so it doesn't appear in
my temp folder. But, if per-session cookies are disabled, then it relies on
the IP address. I guess that is better than just one method, but I think I
may use the same method, but base the no-cookie method on both IP address
AND HTTP_USER_AGENT to try to make things more unique. 

Jonathan




RE: Apache::Session / No-Cookie-Tracking

2001-05-25 Thread Alex Porras

One easy way to find out if the original site uses cookies is by using lynx
with the mime_header argument:

lynx -mime_header http://e-commerce-site-in-question/foo/bar | less

This will print out the HTTP headers before the content, like shown below:

HTTP/1.1 200 OK
Date: Fri, 25 May 2001 18:04:32 GMT
Server: Apache/1.3.12 (Unix)
Expires: Thu, 24 May 2001 18:04:33 GMT
Pragma: no-cache
Set-Cookie: FOO=BAR; domain=e-commerce-site-in-question; path=/cgi-bin
Connection: close
Content-Type: text/html


<HTML>
<HEAD>
---snip---

If that Set-Cookie header is there, the script uses cookies.  The
-mime_header argument may vary by version of lynx (I think). Check the man
page if the syntax above doesn't work.  

Alternatively, you can telnet to port 80 of the website and do a GET
/path/to/script. Just make sure you have lots of scrollback if the page has
lots of content. =P

P.S. I'm pretty sure Explorer 5.x does NOT store session cookies on disk,
but other browsers may.

--Alex
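
The check Alex describes, as an added example that is not part of the original post: a Perl sketch that reads a raw response in the layout `lynx -mime_header` prints and reports whether each Set-Cookie is a session cookie (no Expires or Max-Age attribute) or a persistent one. The function name, the CARTPREF cookie and the body lines in the sample are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return one hashref per Set-Cookie header found in a raw HTTP response.
# Only the header block (everything before the first blank line) is read,
# so "Set-Cookie:" text inside the page body is never counted.
sub classify_cookies {
    my ($raw) = @_;
    my ($head) = split /\r?\n\r?\n/, $raw, 2;
    my @cookies;
    for my $line (split /\r?\n/, $head) {
        next unless $line =~ /^Set-Cookie:\s*(.+?)\s*$/i;
        my $value = $1;
        my ($pair, @attrs) = split /\s*;\s*/, $value;
        my ($name) = split /=/, $pair, 2;
        my %attr;
        for my $item (@attrs) {
            next unless length $item;
            my ($k, $v) = split /=/, $item, 2;
            $attr{ lc $k } = defined $v ? $v : 1;
        }
        # No Expires and no Max-Age: the browser holds the cookie in memory
        # and discards it on exit, so nothing is written to the cookie store.
        my $kind = ( exists $attr{expires} || exists $attr{'max-age'} )
                 ? 'persistent' : 'session';
        push @cookies, { name => $name, kind => $kind, path => $attr{path} };
    }
    return @cookies;
}

# Sample response. The FOO cookie and the headers around it are the ones
# quoted in the post; the CARTPREF cookie and the body are constructed here.
my $response = <<'END';
HTTP/1.1 200 OK
Date: Fri, 25 May 2001 18:04:32 GMT
Server: Apache/1.3.12 (Unix)
Expires: Thu, 24 May 2001 18:04:33 GMT
Pragma: no-cache
Set-Cookie: FOO=BAR; domain=e-commerce-site-in-question; path=/cgi-bin
Set-Cookie: CARTPREF=1; expires=Sat, 25-May-2002 18:04:32 GMT; path=/
Connection: close
Content-Type: text/html

<HTML>
Set-Cookie: in the body is page text, not a header
</HTML>
END

# The response-level "Expires:" header controls page caching only; it does
# not make FOO persistent.
for my $c (classify_cookies($response)) {
    printf "%-9s %-10s path=%s\n", $c->{name}, $c->{kind}, $c->{path} // '-';
}
```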


 -Original Message-
 From: Joe Breeden 
 Sent: Friday, May 25, 2001 12:55 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: Apache::Session / No-Cookie-Tracking
 
 
 Seems like the site in question is using either a hidden form element or a
 session cookie. I'm guessing that with the session being only valid as long
 as the browser window is open a session cookie is being used. The reason you
 don't see this in the Cookie directory for your particular browser is that
 these cookies are stored in the memory - they are not to be saved after the
 browser session is over. I hope that helps.
 
 Joe Breeden
 
 --
 Sent from my Outlook 2000 Wired Deskheld (www.microsoft.com)
 
 