Unique Identification

[knightcon]

I am looking for a way to uniquely identify users of an extranet application i'm writing. It can't be based of the IP address because now days that changes more often than most people change their pants, it can't be a cookie because it needs to be persistent and cant be removed without running the terminal removal process. I was thinking something unique to the hardware of the PC and that wouldn't change. Before any of the privacy fans out there start abusing me as has been done in the past saying that I shouldn't be doing this, please take note that the browsers that are accessing the extranet application are company owned as are the computers and access should be restricted to authorised users. They need to be able to login once to a computer which they will always use and set persistent connection. Does anyone have any ideas.

[mwookie]

Hardware "fingerprints" are pretty common with desktop software. How are you planning on getting the information? You would have to have and ActiveX or other plugin to reach outside the "browser barrier". I am curioius to hear what you come up with because I have tried (unsuccesffully) to setup a similar system.


_________________________
"Insanity is hereditary - you get it from your children." Sam Levenson
Web Development Company – Projects (Electronics Stock Photos for $1– Compare Microstock agencies (Dreamstime, LuckyOliver & More))

[ess]

If you are sure that all of your users are only using IE, then ActiveX is a good solution in this case.

However, I would personally use Java with signed applets for extra security so that users are not restricted to using one technology only.

[firepages]

Quote:

access should be restricted to authorised users.

users or computers ? what if Dave uses Sue's computer ? (he does that a lot I hear ) perhaps look at authentication against active directory/LDAP etc , in other words use the local network authentication rather than your own or a third party method.

That way should you ever need to track down a user to a computer you can do that via the LDAP logs etc.

[ess]

Quote:

Originally Posted by firepages

users or computers ? what if Dave uses Sue's computer ? (he does that a lot I hear ) perhaps look at authentication against active directory/LDAP etc , in other words use the local network authentication rather than your own or a third party method.

That way should you ever need to track down a user to a computer you can do that via the LDAP logs etc.

Very interesting observation there. What if the website is hosted on a system that does not support Active Directory?

[firepages]

Quote:

Originally Posted by ess

Very interesting observation there. What if the website is hosted on a system that does not support Active Directory?

I am assuming that there is some authentication already required to access the network whether that be a domain controller or simple NTLM/workgroup authentication, and if so then it may make sense to make use of that.

If not then you still have the issue that mac addresses are not reliable because 1) they can be faked & 2) Dave and Sue as noted above.

Edit: and 3) the initial problem of getting the mac address in the first place

[meth]

Dave and Sue; always a problem. Have you come across SSL-Explorer before?

[ess]

Good reference there meth.

[knightcon]

Thanks, guy's, those are all good suggestions. To address all concerns about Dave and Sue, access to the web portal isn't being made by the same users at the same computers, this type of software is being accessed by a variety of users on computers which are locked up when not in use. The point of this program is to allow certain terminals access to the web portal without requiring user-based authentication. Sorry if I didn't make that one clear before. What I was thinking I could do was use a signed Java applet to detect the computers MAC address and use that but I was wanting to know if there is a better solution. Not all the computers will be running IE, some of them will be running firefox as well so ActiveX's are out of the question.