Ways to create a unique user fingerprint in PHP

Question

What is the best way to generate a 'fingerprint' of user unique-ness in PHP?

For example:

1. I could use a user's IP address as the 'fingerprint', however, there could be multiple other users on the same IP
2. I could use the user's IP + user agent as the 'fingerprint', however, a single user could simply swap from safari to firefox and again be seen as being unique

Ideally, the fingerprint so label the 'machine' rather than browser or 'ip' but I can't think of how this is achievable.

Open to ideas/suggestions of how you uniquely identify your users, and what advantages/disadvantages your method has.

Answer 1

Easiest and best way: use phps session-management - every client is given an ID, stored in a cookie (if enabled) or given as a get-variable on every link and form (alternatively you could set a cookie on your own). But, this only "fingerprints" the browser - if the user changes his browser, deletes his cookies or whatever, you can't identify it anymore.

Identifying every client by IP address is usually a bad idea and won't work. Clients that use the same router will have the same IP addresses - clients connected through a proxy-pool could have another IP address with every page load.

If you need a solution that can't be manipulated by the client in an easy way, try to do a combination of the following, using all that are supported by the clients browser and compare them on each page-load:

• "normal" HTTP Cookies
• Local Shared Objects (Flash Cookies)
• Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
• Storing cookies in and reading out Web History
• Storing cookies in HTTP ETags
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage via SQLite

There's a solution called evercookie that implements all of this.