Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to anonymously identify a user and store that information

I need a simple user identification system for the purpose of allowing/prohibiting an action.

This is not a high-security requirement and it is ok to make mistakes (eg same user will execute non-allowed action using different browsers).

To be less abstract, let's see at the StackOverflow voting and assume we want to allow voting by public audience, but only once.

The simplest thing that can work - is using a cookie: set a new cookie per answer; store all votes in one cookie (or combine these somehow).

This is a bit unreliable due to the limitations of a cookie size/number. It will also sent the cookie to the site all the time, while it is only required on 1 action.

So from this perspective I would like to avoid using cookie.
But don't see a better of doing this over a regular HTTP. I don't consider IP/MAC address etc.

So, with the context above, the questions is: how to anonymously identify a user and store that information on the client?

Thanks.

like image 248
Dmytrii Nagirniak Avatar asked Dec 14 '10 23:12

Dmytrii Nagirniak


People also ask

How do I find an anonymous user?

You can identify anonymous website visitors by using website visitor identification software that translates their IP address to a company name. Once you know who is looking at your website, you can proactively contact them and turn them into leads.

How do I identify a user?

User identification (user ID) is a logical entity used to identify a user on a software, system, website or within any generic IT environment. It is used within any IT enabled system to identify and distinguish between the users who access or use it. A user ID may also be termed as username or user identifier.

When a user is anonymous?

What is an Anonymous User? Anonymous User is any user who accesses network resources without providing a username or password. Some Microsoft Windows Server applications like Microsoft Internet Information Services (IIS) can be configured to allow anonymous users to access their resources.

What is anonymous user in Oracle?

Anonymous user authentication enables users to log in to SGD without using a user name and password. As users are anonymous, SGD assigns each anonymous user a temporary user identity. The user identity is only effective while the user is logged in. Anonymous user authentication is disabled by default.


2 Answers

Anonymous user identification can certainly be done (and is being done) with a fairly high degree of accuracy. Rather than reprint the methodology here's a bit of reading that will lay it all out.

First is an old bit by the EFF regarding the mathmatics of user privacy (specifically the entropy behind your data) on the internet. Certainly optional, but it expresses the model that we're looking at. You can skip this if the math behind identification doesn't interest you.

http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy

Basically taken in a nutshell: using just the browser-agent, IP address and other data published in one of their examples (panopticlick) http://panopticlick.eff.org/ you have a very high likelihood of uniquely identifying a user (as long as it is the same machine) without the need for cookies. Additional information regarding their research into browser detection and uniqueness is available here:

http://panopticlick.eff.org/browser-uniqueness.pdf

Visit the panopticlick page and give it a test. It will show you what to look for (and give examples and source of how to go about it) while the .pdf will detail the uniqueness and specifics of the fingerprinting method.

My system configuration, for example, is unique among the 1,301,578 total tested with 20.38 bits of identifying information (reduction of entropy). Given their research, you will have an accuracy of 94.2% and 99.1% in identifying users between visits without the use of any client side tracking.

like image 115
iivel Avatar answered Sep 21 '22 05:09

iivel


Store a small unique identifier on the client side as a cookie, then use that identifier to look up whatever related session data you need on your server's side.

like image 31
Matt Huggins Avatar answered Sep 22 '22 05:09

Matt Huggins