3

I've been searching through Internet for a suitable solution for this, but I've not been able to find a good answer. Of course, I know that there is a possibility that what I'm asking here is impossible because of the Sandbox of browsers, but maybe the experts here can light up something good!

What I'd like to

I've got a web application in which users are registered and need to log in in order to access it. However, I'd like each user to be able to use only a few devices (3, for example) so, if a new device (a 4th one) is detected, it should show a message to the user telling him to upgrade to a Pro version or unlink one of his devices, etc.

So, what I would like is to have a unique fingerprint of a user's device which would be hard to change (it has not to be impossible, but not as easy as changing the browser).

What I've found

In the Internet I've come across some solutions which take information from user's screen, browser version, SO, and browser's plugins, mixing this information and making a unique md5 hash. The problem comes when the user changes the browser.

The browser's plugins and the browser itself will change, so one of the most unique fingerprints (the plugins) will be obsolete, and it will be identified as a new device. And the same if the user installs a new plugin to the browser, for example. So: they are not a possibility.

The IP cannot be taken into account neither, as I cannot assure the client will always access the application from the same location.

Talking about letting or not a user access my application, I cannot base my identification in something that can be changed so easily.

What I've thought to

I've thought of using localStorage. If the user has not an ID in a localStorage, it's a new device. However, whenever the browser starts to go slow, everyone recommends to "clean" website data, so localStorage would be gone again. So, not the solution.

With the cookies is about the same problem as with localStorage, so not the solution neither.

What would be the solution

Taking some parameters of the computer like the depth of screen colors would be nice, but maybe mixing it with other parameters would be better.

The main problem is that I don't know which parameters could be taken (either Javascript or PHP, or both) to be "unchangeable" by the user itself or very hard to do so.

I know what I'm asking for is complicated and "utopic", but I'm not an expert and maybe someone has thought of a suitable solution for this.

Thank you all for your time and answers!

EDIT: Well, I think that the duplicated answer quite responds this question. It's not what I'd liked to, but it seems (to sum up) that the only solution is to take a group of variables and make probability matching to be able to "know" which user-device is now connected. Thanks to all of you for the answers (and the people who pointed out the duplicated question too!).

Community
  • 1
  • 1
Unapedra
  • 1,649
  • 2
  • 20
  • 33
  • 1
    Two words: you cannot. – zerkms Jul 14 '14 at 10:21
  • 1
    The most machine-dependant thing I know of is the user's IP-address, but even that can change dynamically (sometimes just by the user changing network). Check out `$_SERVER["REMOTE_ADDR"]`. If you've read a bit about HTTP-requests, you'll realize that this is a quite hard thing to achieve. – Max Jul 14 '14 at 10:22
  • I've edited the answer to include why IP cannot be the solution neither. Thanks for thinking of it, though! And thanks for your answers and time :P – Unapedra Jul 14 '14 at 10:23
  • 1
    @Max IP addresses are an implementation detail of the data transport mechanism, they were never really suitable for identification. IPv4 has long since stopped being a unique identifier for anything, and IPv6 explicitly includes provisions to *prevent* long-term identification through IPv6 addresses. – deceze Jul 14 '14 at 10:24
  • @deceze I know it's not a great solution, but it's probably more stable than browser-settings. – Max Jul 14 '14 at 10:25
  • @Max I for one share my IPv4 address with a few thousand other users. So: no. – deceze Jul 14 '14 at 10:26
  • @deceze So it's better to assume that a user uses the same browser all the time? I'm not trying to back it up, but I still find the solution to be better, really. – Max Jul 14 '14 at 10:28
  • 1
    @Max I'm saying that *neither* is a great solution. The only real 100% solution is to require the user to register and log in. – deceze Jul 14 '14 at 10:30
  • Yep, the problem is that they are already logged in. What I'm trying to do is that the user can only log in from a limited number of devices. I think that I'll have to have faith in people :P Thank you all for your answers! – Unapedra Jul 14 '14 at 10:31

0 Answers0