RE: collecting unique client (computer) specific info?

2003-09-03 Thread kfr
Anyone know how to capture the UUID from a request?  I've been looking all over the 
place and can't seem to find any reference to it anywhere ...

K





-Original Message-
From: Roger Davenport [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 02, 2003 12:55 PM
To: Perrin Harkins
Cc: [EMAIL PROTECTED]
Subject: RE: collecting unique client (computer) specific info?


Apologies..  yes, this was meant for the list!!

Roger

On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote: 
Did you mean to send this to the list?  It only went to me.

On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
 The session ID only lasts a certain time.. anywhere from a couple of
 minutes to a couple of days (varies widely).  SSLv2 is 16 bytes, and
 SSLv3/TLS is anywhere from 1 to 32 bytes.  The session ID is
 essentially a value which saves the client and server from having to
 handshake every time.  But if you get a matching value, chances are
 that you have the same machine if it's within a reasonable amount of
 time.
 
 Roger
 
 On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote: 
  On Tue, 2003-09-02 at 14:23, kfr wrote:
   Yes, sorry.  I have a site that allows my customers to become members via
   monthly credit card subscription.  The problem is we've been getting
   fraudulent credit card transactions and need some mechanism to detect a user
   who is a repeat offender so I can detect them trying to submit yet another
   bogus CC for access.
  
  Okay, that makes sense.  Unfortunately, there's no foolproof way that I'm
  aware of.  To begin with, you can try using a cookie.  This will stop
  anyone who is not very technical.  Beyond that, I have heard that
  there's some kind of unique identifier in SSL that you may be able to
  use.  I know this because the f5 big/ip load balancers used it.  Check
  into that.
  
  - Perrin



--
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html



RE: collecting unique client (computer) specific info? [OT]

2003-09-03 Thread Ged Haywood
Hi there,

On Wed, 3 Sep 2003, kfr wrote:

 Anyone know how to capture the UUID from a request?

What makes you think there'll be one in there?

 I've been looking all over the place and can't seem to find any
 reference to it anywhere ...

Try Google?

73,
Ged.






Re: collecting unique client (computer) specific info?

2003-09-03 Thread Stas Bekman
kfr wrote:
 Anyone know how to capture the UUID from a request?  I've been looking all
 over the place and can't seem to find any reference to it anywhere ...

You mean, you want to generate one? in mod_perl2/apr it'd be:

use APR::UUID;
my $uuid = APR::UUID->new->format;

or from the command line (assuming that you are using the latest cvs):

perl -MApache2 -MAPR -MAPR::UUID -le 'print APR::UUID->new->format'

__
Stas BekmanJAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com




RE: collecting unique client (computer) specific info?

2003-09-03 Thread Perrin Harkins
On Wed, 2003-09-03 at 12:22, kfr wrote:
 Anyone know how to capture the UUID from a request?

According to the mod_ssl manual, it is stored in an environment variable
called SSL_SESSION_ID.

- Perrin
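
Added example, not code from any poster in this thread: a sketch of the correlation Roger describes (the same session ID seen again within a reasonable time), using the value mod_ssl exposes as SSL_SESSION_ID. The record layout, the name flag_repeat_sessions and the 30-minute window are assumptions, and the sample records are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# In a mod_perl handler the ID would come from $ENV{SSL_SESSION_ID};
# here it is read from constructed records so the script runs offline.
# Each record: [ epoch seconds, session ID (hex), card fingerprint ].
my @attempts = (
    [ 1062529200, 'A1B2C3D4E5F60718293A4B5C6D7E8F90', 'card-1' ],
    [ 1062529500, 'a1b2c3d4e5f60718293a4b5c6d7e8f90', 'card-2' ],  # same session, new card
    [ 1062529800, '0F1E2D3C4B5A69788796A5B4C3D2E1F0', 'card-3' ],  # unrelated client
    [ 1062540000, 'A1B2C3D4E5F60718293A4B5C6D7E8F90', 'card-4' ],  # same ID, outside window
    [ 1062540060, '',                                 'card-5' ],  # no session ID available
);

# Return one entry per attempt whose session ID was already seen with a
# different card inside the time window (seconds, an assumed tuning value).
sub flag_repeat_sessions {
    my ($window, @records) = @_;
    my (%seen, @flags);
    for my $rec (sort { $a->[0] <=> $b->[0] } @records) {
        my ($t, $sid, $card) = @$rec;
        next unless defined $sid && length $sid;
        $sid = lc $sid;                      # compare hex case-insensitively
        # Keep only sightings of this session ID that are still inside the window.
        my @recent = grep { $t - $_->{t} <= $window } @{ $seen{$sid} || [] };
        my %other;
        $other{ $_->{card} } = 1 for grep { $_->{card} ne $card } @recent;
        push @flags, { t => $t, sid => $sid, card => $card, earlier => [ sort keys %other ] }
            if %other;
        $seen{$sid} = [ @recent, { t => $t, card => $card } ];
    }
    return @flags;
}

for my $f (flag_repeat_sessions(30 * 60, @attempts)) {
    printf "t=%d session=%s card=%s also used: %s\n",
        $f->{t}, $f->{sid}, $f->{card}, join(', ', @{ $f->{earlier} });
}
```

A match is only a hint to review the attempt, and the absence of a match says nothing, because session IDs expire and every new handshake gets a new one.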






Re: collecting unique client (computer) specific info?

2003-09-03 Thread John Saylor
hi

( 03.09.03 10:42 -0700 ) Stas Bekman:
 You mean, you want to generate one? in mod_perl2/apr it'd be:

is there an equivalent in mod_perl1?

-- 
\js






Re: collecting unique client (computer) specific info?

2003-09-03 Thread Stas Bekman
John Saylor wrote:
hi

( 03.09.03 10:42 -0700 ) Stas Bekman:

You mean, you want to generate one? in mod_perl2/apr it'd be:


is there an equivalent in mod_perl1?
I'm sure there are a few modules on CPAN that you can use. Again I'm talking 
about generating UUID, not extracting the SSL one. Perrin has replied that you 
need $ENV{SSL_SESSION_ID} for the SSL one.



__
Stas BekmanJAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com




Re: collecting unique client (computer) specific info?

2003-09-03 Thread Perrin Harkins
On Wed, 2003-09-03 at 15:03, John Saylor wrote:
 is there an equivalent in mod_perl1?

Use Data::UUID from CPAN or mod_unique_id.  Note that this (and the
mod_perl 2 approach Stas posted) has nothing to do with identifying the
actual client, which is what the original question on this thread was
about.

- Perrin





RE: collecting unique client (computer) specific info?

2003-09-03 Thread kfr
I'm able to see it now ... had to re-compile my server with mod_ssl (not
apache-ssl) and I can see the SSL_SESSION_ID.  So I take it there's no way
to decrypt that and grab anything useful out of it other than its one-time
uniqueness?  The docs state it's a combo of a few different parameters
(timestamp, hardware address, etc), which the hardware address is really
what I'm after.

K



-Original Message-
From: Perrin Harkins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 12:28 PM
To: John Saylor
Cc: [EMAIL PROTECTED]
Subject: Re: collecting unique client (computer) specific info?


On Wed, 2003-09-03 at 15:03, John Saylor wrote:
 is there an equivalent in mod_perl1?

Use Data::UUID from CPAN or mod_unique_id.  Note that this (and the
mod_perl 2 approach Stas posted) has nothing to do with identifying the
actual client, which is what the original question on this thread was
about.

- Perrin





RE: collecting unique client (computer) specific info? [OT]

2003-09-03 Thread Ged Haywood
Hi there,

On Wed, 3 Sep 2003, kfr wrote:

 had to re-compile my server with mod_ssl

:)

 the hardware address is really what I'm after.

What hardware?

73,
Ged.






RE: collecting unique client (computer) specific info? [OT] [x-adr][x-bayes]

2003-09-03 Thread Garrett Goebel





Ged Haywood wrote:
 
 On Wed, 3 Sep 2003, kfr wrote:
 
  the hardware address is really what I'm after.
 
 What hardware?


He's looking for a MAC address, cpu id, etc. something to fix the identity of the remote host.


Nobody's up and told him that it just isn't possible. Which from the mod_perl books and documentation I've read... appears to be the case.

--
Garrett Goebel
IS Development Specialist


ScriptPro Direct: 913.403.5261
5828 Reeds Road Main: 913.384.1008
Mission, KS 66202 Fax: 913.384.2180
www.scriptpro.com garrett at scriptpro dot com





RE: collecting unique client (computer) specific info? [OT] [x-adr][x-bayes]

2003-09-03 Thread kfr
Yep ... that's what I've discovered:

http://www.webdav.org/specs/draft-leach-uuids-guids-01.txt

from section 3.5 ... I was assuming there was some way to parse and decrypt
the mac address from:


The following is an example of the string representation of a UUID:
f81d4fae-7dec-11d0-a765-00a0c91e6bf6

the 00a0c91e6bf6

being the mac address of the computer.


K







-Original Message-
From: Garrett Goebel [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 3:07 PM
To: 'Ged Haywood'; kfr
Cc: mod_perl Mailing List
Subject: RE: collecting unique client (computer) specific info? [OT]
[x-adr][x-bayes]


Ged Haywood wrote:

 On Wed, 3 Sep 2003, kfr wrote:

  the hardware address is really what I'm after.

 What hardware?
He's looking for a MAC address, cpu id, etc. something to fix the identity
of the remote host.
Nobody's up and told him that it just isn't possible. Which from the
mod_perl books and documentation I've read... appears to be the case.
--
Garrett Goebel
IS Development Specialist
ScriptPro   Direct: 913.403.5261
5828 Reeds Road   Main: 913.384.1008
Mission, KS 66202  Fax: 913.384.2180
www.scriptpro.com  garrett at scriptpro dot com






RE: collecting unique client (computer) specific info? [OT][x-adr][x-bayes]

2003-09-03 Thread Ged Haywood
Hi there,

On Wed, 3 Sep 2003, kfr wrote:

 http://www.webdav.org/specs/draft-leach-uuids-guids-01.txt
 
 from section 3.5 ... I was assuming there was some way to parse and decrypt
 the mac address from:
 
 
 The following is an example of the string representation of a UUID:
 f81d4fae-7dec-11d0-a765-00a0c91e6bf6
 
 the 00a0c91e6bf6
 
 being the mac address of the computer.

You don't even know there is a MAC address.

And if there is, it can easily be spoofed.

Forget it.

73,
Ged.
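
Added example, not code from any poster in this thread: a small decoder for the fields that decide whether the last 12 hex digits of a UUID can be an interface address at all. The first sample is the UUID from the draft quoted above; the other two are constructed, and inspect_uuid is a hypothetical helper name. In a version 1 UUID the node field describes the host that generated the UUID, which for a server-generated UUID is the server.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode the UUID fields relevant to the "is the tail a MAC address?" question.
# Returns a hashref (version, node, node_kind) or nothing for malformed input.
sub inspect_uuid {
    my ($text) = @_;
    (my $hex = lc $text) =~ tr/-//d;
    return unless $hex =~ /\A[0-9a-f]{32}\z/;

    my @b = map { hex($_) } $hex =~ /../g;       # 16 octets
    my $version    = $b[6] >> 4;                 # high nibble of time_hi_and_version
    my $variant_ok = ($b[8] & 0xC0) == 0x80;     # 10xxxxxx: the layout the draft describes
    my $node       = join ':', map { sprintf '%02x', $_ } @b[10 .. 15];

    my $kind;
    if (!$variant_ok) {
        $kind = 'different UUID layout, node field undefined';
    } elsif ($version != 1) {
        $kind = 'not time-based, last 48 bits are not an address';
    } elsif ($b[10] & 0x01) {
        $kind = 'multicast bit set: randomly chosen node, not an address';
    } else {
        $kind = 'IEEE 802 style address of the host that generated the UUID';
    }
    return { version => $version, node => $node, node_kind => $kind };
}

my @samples = (
    'f81d4fae-7dec-11d0-a765-00a0c91e6bf6',   # example from the draft
    '3f2b8c1e-9d4a-4e7b-8a55-5b0c2d9e7f10',   # constructed, version 4 (random)
    'f81d4fae-7dec-11d0-a765-01a0c91e6bf6',   # constructed, version 1 with random node
    'not-a-uuid',                             # constructed, malformed
);

for my $u (@samples) {
    my $r = inspect_uuid($u);
    unless ($r) { print "$u  (malformed)\n"; next; }
    printf "%s  v%d  node=%s  %s\n", $u, $r->{version}, $r->{node}, $r->{node_kind};
}
```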






RE: collecting unique client (computer) specific info?

2003-09-02 Thread kfr
Yes, sorry.  I have a site that allows my customers to become members via
monthly credit card subscription.  The problem is we've been getting
fraudulent credit card transactions and need some mechanism to detect a user
who is a repeat offender so I can detect them trying to submit yet another
bogus CC for access.  The only way that I'm aware of to do that is to grab
something specific to that piece of hardware or computer.  Does that make
sense? ... impossible? ... or is there a better way?

K



-Original Message-
From: Perrin Harkins [mailto:[EMAIL PROTECTED]
Sent: Monday, September 01, 2003 10:35 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: collecting unique client (computer) specific info?


On Tue, 2003-09-02 at 13:24, kfr wrote:
 Anyone out there know of some way, either from java or SSL or some other
 combination, to collect any kind of machine specific information from a web
 client logging into a site with SSL (Apache/mod_perl mod_ssl)?  I need to
 find some way to uniquely identify a 'machine', like possibly grabbing its
 mac address would be ideal but obviously that can't be done ...

 Any clues?

Perhaps you could explain what you're trying to do?

- Perrin







RE: collecting unique client (computer) specific info?

2003-09-02 Thread Perrin Harkins
On Tue, 2003-09-02 at 14:23, kfr wrote:
 Yes, sorry.  I have a site that allows my customers to become members via
 monthly credit card subscription.  The problem is we've been getting
 fraudulent credit card transactions and need some mechanism to detect a user
 who is a repeat offender so I can detect them trying to submit yet another
 bogus CC for access.

Okay, that makes sense.  Unfortunately, there's no foolproof way that I'm
aware of.  To begin with, you can try using a cookie.  This will stop
anyone who is not very technical.  Beyond that, I have heard that
there's some kind of unique identifier in SSL that you may be able to
use.  I know this because the f5 big/ip load balancers used it.  Check
into that.

- Perrin





Re: collecting unique client (computer) specific info?

2003-09-02 Thread Perrin Harkins
On Tue, 2003-09-02 at 13:24, kfr wrote:
 Anyone out there know of some way, either from java or SSL or some other
 combination, to collect any kind of machine specific information from a web
 client logging into a site with SSL (Apache/mod_perl mod_ssl)?  I need to
 find some way to uniquely identify a 'machine', like possibly grabbing its
 mac address would be ideal but obviously that can't be done ...
 
 Any clues?

Perhaps you could explain what you're trying to do?

- Perrin

