
authentication - Unique web browser identification ID for web control panel logins in Perl

Do web browsers have a unique ID that can be passed on to Perl scripts? (Like a unique serial number, for example, such as products that you buy in a shop have.)

For instance: If I install a web browser, can this web browser provide a unique identifying ID to a PHP or Perl script?

The reason I'm looking for something unique is to do the following:

  1. I have a user database with user names and passwords.

  2. The user names / passwords are encrypted and set as cookies to the web browsers of users so that users can log in and out into my web application. (Each web page loaded when logged-in looks at the cookies and grants access if the cookie user/pass is correct)

  3. If a hacker manages to steal the encrypted user name and password cookie from a user, he will be able to log in with those stolen encrypted details.

If the browsers of users all had unique IDs to pass on, then I could record those IDs and match them each time a user uses his encrypted user/pass cookie. This way, if the unique ID does not match what has been recorded previously, the user is logged out and asked to log in again manually.

In the event that the encrypted user/pass is stolen, the hacker won't be able to get in with it because the unique browser IDs won't match. The user/pass cookie is encrypted and the hacker cannot see the user name or password. When the recorded unique browser IDs don't match, the web application will ask the user to log in manually, and the hacker won't be able to log in manually because the user/pass he stole is encrypted.


Using IP addresses is a possible solution, but a poor one, because many if not most ISPs assign dynamic IPs to their clients' internet connections.

Using time is also not a good solution, because I would like users to stay logged in on the same computer for weeks at a time (if they choose to), to make it convenient.


Does anybody have a solution to the above scenario?

I've been searching for a way to get something unique from browsers, but this does not seem possible. Is it possible or not?


1 Reply


Browsers do not have a unique ID, but a good level of fingerprinting is possible. The EFF has measured that, in the best case, the information sent by browsers (including the user agent string and other HTTP headers) represents 18.1 bits of entropy, which means that if you take two browsers at random, you have 1 chance in 2^18.1 (≈280,000) that they will have the same "fingerprint". They have set up a website where you can estimate the degree of entropy of the information sent by your browser.

Some websites use this. My bank, for instance, stores information about the three browsers I use most often to connect to their website, and asks me additional verification questions whenever I'm not using one of those.

On the other hand, all this information is entirely spoofable: if someone is able to carry out a man-in-the-middle attack and steal a cookie, they are also able to steal all the headers sent by the browser, and can reuse them to authenticate themselves on your website. The same would be true if browsers actually had unique IDs.

Your alternative, besides using a connection encrypted with SSL (https), which requires you to either pay for a signed certificate or create a self-signed one that will display a security warning to your visitors, is to adopt better practices against session hijacking.

For one thing, it is not standard to keep the username and password, even if encrypted, in the cookie. What you should do is, once a user has logged into your website, assign them a random, single-use session ID which you will store in your database along with an expiration time (which you may extend every time the user interacts with your website), and send this to them in a cookie.

If you want an even higher degree of protection, one option is to change the session ID every time the user sends an HTTP request. You could also store a list of the IP addresses each user uses to connect to your website, or IP address masks (e.g. X.Y.*.*) if they change too often, and have them authenticate themselves if they are connecting from an unusual place. If you do this, it is good practice to ask them "Will you be connecting again from this place?"
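The session handling the answer describes (a random server-side session ID with a sliding expiry sent in a cookie, optional rotation on every request, and an IP-mask check for connections from an unusual place), written out as an added Perl example that is not part of the answer above. It assumes an in-memory hash in place of the poster's database, reads randomness from /dev/urandom, handles IPv4 addresses only, and the function names, the 14-day idle timeout and the sample addresses are all made up for the example.

```perl
#!/usr/bin/env perl
# Added example: opaque session IDs instead of user/pass cookies.
# The "database" is a hash keyed by SHA-256 of the session ID, so that a
# leaked copy of the table does not yield usable cookies.  Names, TTL and
# sample IPs are assumptions made for this example, not from the answer.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my %sessions;                       # sha256(id) => { user, expires, ip_mask }
my $TTL = 14 * 24 * 3600;           # assumed idle timeout: two weeks

# 256 bits of randomness from the OS, returned as 64 hex characters.
sub random_token {
    my $n = shift // 32;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# The X.Y.*.* mask the answer suggests: keep only the first two IPv4 octets.
sub ip_mask {
    my ($ip) = @_;
    my @o = split /\./, $ip;
    return "$o[0].$o[1]";
}

# Called after the username/password check succeeds.  Returns the ID to
# put in the cookie; only its hash is stored server-side.
sub create_session {
    my ($user, $ip, $now) = @_;
    my $id = random_token(32);
    $sessions{ sha256_hex($id) } = {
        user    => $user,
        expires => $now + $TTL,
        ip_mask => ip_mask($ip),
    };
    return $id;
}

# HttpOnly keeps scripts away from the cookie; add "; Secure" under https.
sub cookie_header {
    my ($id) = @_;
    return "Set-Cookie: sid=$id; Path=/; HttpOnly; SameSite=Lax";
}

# Validate the ID from the cookie on every request.
# Returns (status, user, id_to_set): status is 'ok', 'unknown',
# 'expired' or 'new-location' (re-authenticate, as the answer suggests).
sub check_session {
    my ($id, $ip, $now, %opt) = @_;
    my $key = sha256_hex($id);
    my $s = $sessions{$key} or return ('unknown');
    if ($s->{expires} <= $now) {
        delete $sessions{$key};
        return ('expired');
    }
    if ($s->{ip_mask} ne ip_mask($ip)) {
        return ('new-location', $s->{user});
    }
    $s->{expires} = $now + $TTL;    # sliding expiry: extend on each interaction
    my $new_id = $id;
    if ($opt{rotate}) {
        # Fresh ID on every request: a copied cookie only works until the
        # legitimate browser's next request retires it.
        $new_id = random_token(32);
        $sessions{ sha256_hex($new_id) } = delete $sessions{$key};
    }
    return ('ok', $s->{user}, $new_id);
}

sub logout {
    my ($id) = @_;
    delete $sessions{ sha256_hex($id) };
}

# Demo run (sample addresses are documentation ranges, constructed here).
unless (caller) {
    my $t0  = time;
    my $sid = create_session('alice', '203.0.113.7', $t0);
    print cookie_header($sid), "\n";

    my ($st, $user, $next) = check_session($sid, '203.0.113.9', $t0 + 60, rotate => 1);
    print "same X.Y.*.*, rotated: $st for $user; id changed: ",
          ($next ne $sid ? 'yes' : 'no'), "\n";

    ($st) = check_session($sid, '203.0.113.9', $t0 + 61);
    print "old id after rotation: $st\n";              # unknown

    ($st, $user) = check_session($next, '198.51.100.5', $t0 + 120);
    print "different X.Y.*.*: $st\n";                   # new-location

    ($st) = check_session($next, '203.0.113.9', $t0 + $TTL + 121);
    print "after $TTL s idle: $st\n";                   # expired
}
```

The cookie carries nothing but the random ID, so stealing it reveals no credentials and the server can invalidate it at will (logout, rotation, expiry) without touching the user's password. With rotation turned on, a stolen cookie stops working as soon as the real browser makes its next request; the IP-mask check then catches the case where the thief gets in first from a different network. Real deployments would replace the hash with a database table and read the client address from the web server (and from X-Forwarded-For only behind a trusted proxy).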

