I've noticed that several web services (namely Steam, Facebook, Google, etc) are able to detect a new browser/new location, and on some cases, require me to validate it with an emailed code.
How do they do that? Do they use a cookie? Some other way? How reliable is that?
How can I detect if a user is logging in from his "normal" environment, be it same browser, same computer, same approximate location?
Here are some ideas you may be interested in...
As I already said to you it's not an exact science. You should keep what's important for security first and consider all this "optional"
Plus, remember that all suggested "time durations" are subjective depending on how frenetic are accessess to your site and how strong should be the detection of devices.
These are the factors that may help to identify devices:
Firstly, access token cookie
may be not necessarily different from device id cookie
, in fact, an access token could be used to uniquely identify a browser, even if the token string is frequently updated this way: 1 session = 1 device.
Instead, if you want to consider the same device two or more browsers, you should use of course two different cookies. 1 device = 1 session on chrome + 1 session on firefox, etc.
Secondly, the cookie(s) should "never" expire (set it to lot expire in years). If you want to expire the "remember-me" duration, you should do it in your code only. This, because a cookie that "never" expires and that is actually associated to an expired session it's still useful for to identify the device the user is using! Also when the user logs out, don't delete the cookie(s), destroy the session internally, in your code.
Every time user changes the IP to one that you consider valid, you should log it. This means that you need a table for logging all the IPs sessionID | IP | lastActionDateTime | [other factors]+
. If a row containing the combination of deviceID & IP already exists, and if the lastActionDateTime
was made for example within 12-24 hours, you will update lastActionDT
, otherwise you should create a new row. That, unless the other factors are changed.
Using a GEOIP database you get the user's location: that's not even close to be reliable, but you can use Google Maps API to check the distance between the last known location and the new one associated to the IP, or if the GEOIP database already gives you LAT, LONG values you can simply calculate the distance between the two points ( more infos here, but many articles are available on the web ... I didn't actually checked it, but it should be fine). So, let's say that you may consider valid a IP that is 100-500km away from the last known location.
With 3G IP may change even walking some steps, so if you reiceve a page-view with some different IP, and some recent previous page-view was made with the same IP, you must consider that IP valid, because it was valid just some minutes before (lastActionDT
), of course accordingly to the state of other factors, which should be identical to the last known ones.
If you detect a changed IP after some hours or possibly days of inactivity you may want to consider it valid and allow the login, especially if other factors match, or if you want stronger security, you can treat this case as the following:
If you detect a changed IP after a lot of days of inactivity you should request to login again with the form. Here the session is expired, but the cookie is still there and usable, so if the form credentials are valid, you will renew the deviceID
expiration instead of creating a new deviceID
.
The UA string provides some more additional checks but not necessarily relevant the majority of time, but useful for detecting suspicious versioning changes (for example what would you think if the same session generated first a Chrome 27.0 pageview and some time later a Chrome 26.0 pageview?).
So, this is highly unreliable, but as you can imagine, it provides some hints.
If you want to consider two browsers on the same computer the same "device" you could use javascript (of course since it's a client sided check, it's not trustable for security but still helpful... for example if someone steals the session cookies he may not know that he needs to fake also these values that you're going to use for additional checking :-P ). Anyway, window.screen
contains these properties that are really useful to uniquely identifying an OS/computer
window.screen.availWidth
& window.screen.availHeight
window.screen.availLeft
& window.screen.availTop
window.screen.width
& window.screen.height
...keeping in mind that values may be inverted on the fly on mobile devices (check window.screen.orientation
)
Another additional check could be made using the HTML5 Geolocation API (of course also there, since is client sided it's not trustable for security, but it's helpful if used in cooperation with the previous factors) Geolocation API Spec
Hoping to have been helpful...
Wes
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With