El Noguer

Joaquim Perez i Noguer

5 ways to identify web users without using cookies

Filed under: General — Joaquim Perez Noguer at 7:08 am on Sunday, November 1, 2015

Source: 5 Ways To Identify Your Users Without Using Cookies

1.  Using the user’s IP

Using an IP address is the most obvious solution of all. It is simple and fast; however, it is also the least effective. The main problem with using the IP is that the vast majority of users have dynamic IPs, meaning a user’s IP address today may not be the same one tomorrow. Also, if multiple users connect through the same network, they will all have the same IP and will be indistinguishable to the server.

2. LocalStorage

A new feature of HTML5 is LocalStorage. We can conceptualize it as BIG cookies that can store a lot more data. However, unlike cookies, LocalStorage is accessible only from JavaScript (the server cannot create or read the stored data), so we need to set up a way of communicating the user identification data to the server (e.g. an AJAX request).

Unfortunately, clearing LocalStorage is also relatively easy for any user concerned about their privacy, and browsers in incognito mode still make the user undetectable.

3.  Canvas Fingerprinting

This method, which may seem a little far-fetched, is widely used today by major ad networks and websites. It relies on the HTML5 canvas element, which lets you draw with JavaScript.

A particular pattern of geometric shapes and text is drawn in a hidden area of each page. Due to the particularities of browsers, operating systems and, above all, users’ graphics cards, the resulting image on two separate computers can be distinct (although the instructions for generating it are the same).

This image is a fingerprint that is unique to the computer. If we send a hash of this image with every request, we can identify requests made from the same computer without storing anything on the user’s machine.

4.  User Behavior

The above method still has a problem: it can be detected. Advanced privacy tools (like the Tor Browser) are able to detect when a page is painting on a “suspect” canvas and will send a notification to the user.

The following method is probably the most complex of all and is only available to some technology giants like Google that have the resources to pull it off. However, if implemented correctly, this new methodology can detect if a user accessed your site from another computer!

The technique is to record the behavior of the user (mouse movements, acceleration, use of the scroll, etc.) and transmit that information to the server. User behavior is very personal and can be recognized by machine learning clustering algorithms.

5.  Using the ETAG

Finally, a balance between simplicity and efficiency – this is my favorite method. First of all, let’s explain how the cache works on modern servers.

When a user requests file A for the first time, the server serves the file along with an ETag, a code that is a signature of the file contents. When the user requests the file a second time, the browser (which has the file and the ETag cached) sends the ETag to the server. If the file has not changed, the ETag the server has is the same as the one sent by the client, and the server, instead of sending the file a second time, tells the browser to use the version that is cached. If the file has changed, the server sends the client the new version with the new ETag. Simple, right?
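The cache exchange described above, written out as an added example (not code from the original article): `contentETag`, `serve`, `makeClient` and `findPerClientETags` are hypothetical names, and the FNV-1a hash is a stand-in for whatever content signature a real server uses. The last function goes one step beyond the text and shows a check a privacy auditor can run: because an ETag is meant to be a signature of the file contents, first-visit responses with identical bodies should carry identical ETags, and a resource whose ETag differs per visitor is acting as an identifier.

```javascript
// Added example: all names and sample values are constructed for illustration.

// Toy content signature (FNV-1a, 32-bit), standing in for a real server's hash.
function contentETag(body) {
  let h = 0x811c9dc5;
  for (let i = 0; i < body.length; i++) {
    h ^= body.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return '"' + h.toString(16).padStart(8, '0') + '"';
}

// Server side: answer 304 when the client's If-None-Match equals the current ETag.
function serve(body, requestHeaders) {
  const etag = contentETag(body);
  if (requestHeaders['if-none-match'] === etag) {
    return { status: 304, headers: { etag }, body: '' };
  }
  return { status: 200, headers: { etag }, body };
}

// Client side: a minimal browser cache for a single URL.
function makeClient() {
  let cached = null; // { etag, body } once the file has been fetched
  return function fetchFile(server) {
    const headers = cached ? { 'if-none-match': cached.etag } : {};
    const res = server(headers);
    if (res.status === 200) cached = { etag: res.headers.etag, body: res.body };
    return { status: res.status, body: cached.body };
  };
}

// Audit: observations are first-visit responses captured from clean profiles.
// A content-derived ETag is identical whenever the body is identical, so a URL
// that returns different ETags for the same body is flagged.
function findPerClientETags(observations) {
  const byBody = new Map();
  for (const { url, body, etag } of observations) {
    const key = url + '\n' + body;
    if (!byBody.has(key)) byBody.set(key, new Set());
    byBody.get(key).add(etag);
  }
  const flagged = new Set();
  for (const [key, etags] of byBody) {
    if (etags.size > 1) flagged.add(key.split('\n')[0]);
  }
  return [...flagged];
}
```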

