Uniquely Identify a Machine

[Kirsle]

I was wondering if anybody knows how to uniquely identify a user's machine? I know it's possible to do, because I've seen other sites do it, but am not sure exactly how to do it.

Case in point:

Chase.com (JP Morgan Chase Bank), if you make an account to do your banking online, and sign in using a computer in which you haven't signed in before, it needs you to verify the login, by sending you an activation code by e-mail or text message. Once you activate once on that machine, you can log in at any later time and not be prompted again for activation... but then if you log on from a different machine, you need to reactivate on that particular machine.

At my college, most of the computers are pretty much identical... they all have the same hardware in them. If I sign in to Chase.com on one computer, it asks me to do the activation, and then if I sign in on another computer (using the same web browser and everything), it asks me again to activate.

How does a CGI script find out enough unique information about a computer? It can't be going by the IP address, because in my school's network, we all have the same external IP. Do they just use persistent cookies, or is there some other way?

Thanks in advance.

-------------
Cuvou.com | The NEW Kirsle.net

 

[KevinADC]

dump the cookies from a pc that has been activated and see what happens. My guess is it's done with cookies.

------------------------------------------
- Kevin, perl coder unexceptional!

 

[Kirsle]

After I posted, I opened Internet Explorer 6 (ies 4 linux), and logged in to chase.com there and it asked me for the activation code...

On Firefox (the browser I usually use), I entered this address from the chase website:

javascript:alert(document.cookie);

It gave me a list of all the cookies. To test it, I went and cleared all my cookies, so that "document.cookie" returned blank. I logged in again (through Firefox), and it did not ask for activation again. So, it seems that even by clearing the cookies, Chase doesn't forget about my "unique machine" when I use Firefox again.

I imagine the same would apply on IE if I would've done the activation thing, cleared my cookies, and then went back and logged in again.

So, cookies might be part of it, but I don't think it relies solely on cookies. It can't rely on IP address and user-agent, though, because the same browser from the same network, but on a different computer, needs to reactivate.

-------------
Cuvou.com | The NEW Kirsle.net

 

[Kirsle]

A Google search just returned this article:

http://www.cgisecurity.com/2007/04/10

I guess it takes a lot of use of either HTTP headers or JavaScript to collect a bunch of information, but their example about that bank site sounds a lot like how Chase is doing it.

-------------
Cuvou.com | The NEW Kirsle.net

 

[KevinADC]

They could be using some rather elaborate combination of information but I really doubt they are using the CSS hack, that is not even possible with some browsers and is something I serioulsy doubt a bank would rely on. You could see if they were because it requires javascript to work.

------------------------------------------
- Kevin, perl coder unexceptional!