| 4:05 am on Aug 6, 2004 (gmt 0)|
To my knowledge you can't access any of that. And if we could, how safe would it be for a website to rip my serial numbers from me and use them for their usage?
| 4:40 am on Aug 6, 2004 (gmt 0)|
Are you absolutely positive about this?
When PIIIs were introduced there was the issue of CPU SN#s being discussed and the right to privacy. From what I recall there is a way for the user to switch off the SN# from going out, but have you or do you even know how to switch it off?
I'm not sure what the security issue is that you refer to in your post, but I'm not debating the moral issue and it is up to you if you leave it switched on. All I want to know is how to access the CPU or machine SN#.
| 6:15 am on Aug 6, 2004 (gmt 0)|
Intel dropped the Pentium PSN serial numbers back in 2000 - even if you could get the info from certain CPUs (which I seriously doubt, at least without some hacky ActiveX), using it would be of limited value.
A better idea to track users would be cookies. A couple of things to bear in mind:
1 - You'll need to create a compact P3P policy to make sure that IE6 will accept the cookie at default settings.
2 - Not all users will allow those cookies - i.e. it's not foolproof.
| 9:24 am on Aug 6, 2004 (gmt 0)|
There's no way to access any kind of unique identification for a PC from a web script, and for a lot of obvious reasons there never will be. At least not without some major legislation.
When you see a programmer talking about a script that identifies "Computer IDs" or "Computer Names" they're really just using cookies as suggested above.
| 2:26 pm on Aug 6, 2004 (gmt 0)|
> When PIIIs were introduced there was the issue of CPU SN#s being discussed and the right to privacy. From what I recall there is a way for the user to switch off the SN# from going out, but have you or do you even know how to switch it off?

There was a utility available to control whether or not the OS would have access to the serial number. But it's a moot point for the web - no browsers were ever modified to read the serial number, and only Pentium III and Pentium III Xeons had serials.
| 4:06 pm on Aug 6, 2004 (gmt 0)|
Okay, so I was dreaming.
Maybe someone has a better idea on how to implement what I am trying to do.
It is a group blog. In an effort to make writing a blog as simple as possible I'm only requiring a username and password.
Most people play well in blogs, but there is the occasional interloper who likes to draw attention to themselves with negative behavior.
What I'd like to be able to do is give them a time out where they can still read the post, but cannot blog for a determined length of time--like a week or two.
Since only a user name and password is used, the next identification considered was the IP address. Because people are mobile with their machines I started to think about machine-specific identification, which obviously is not going to work.
What is the consensus on this? IP address? Anything else?
| 4:19 pm on Aug 6, 2004 (gmt 0)|
Storyman: Unfortunately there is no 100% reliable way of preventing someone from blogging, assuming you allow anyone to sign up with a username and password.
The options are:
1 - Cookies. Fairly reliable for non-technical users, but can be manually removed.
2 - IP Address. But users may be on dynamic IPs, or simply moving around. Plus multiple users may appear on a single IP address over time.
And that's pretty much it. (Unless you go into issuing client security certificates...)
You might be best relying on cookies, and manually deleting the offending posts if they appear. Either that, or pre-moderation (i.e. each blog is approved manually before it appears).
| 4:57 pm on Aug 6, 2004 (gmt 0)|
Thanks for the feedback. It appears my initial instinct was on track with using the IP address.
From your comments it would appear that a combo of a tracking cookie and IP address would be the best way to go.
It isn't that I want to prevent someone from blogging, but only that they are civil to others and I believe that for 99% of the people a gentle reminder is sufficient.
| 5:38 pm on Aug 6, 2004 (gmt 0)|
Storyman... Don't use IP addresses unless it's an emergency (an offender posting repeatedly).
IP blocking is as easy for most users to get around as cookies are. Virtually all dial up, most DSL and some Cable ISP accounts are dynamic IP.
That means if you log off and on again you have a new IP instantly.
Additionally, someone else gets assigned the IP you were just using. If you banned that IP and that someone else tries to use your blog, they will be blocked.
The chances of this happening might seem slim but consider that AOL shares a dynamic IP pool among its customers. If you have even a handful of AOL IP addresses blocked it creates a noticeable problem.
| 6:54 pm on Aug 6, 2004 (gmt 0)|
Your comment about IP addresses is reasonable.
The only thing about cookies is how to handle those who have cookies turned off in their browser.
One possibility is to check for the ability to write cookies and if it is turned off to let the user know that to post a blog cookies must be enabled.
| 12:12 am on Aug 7, 2004 (gmt 0)|
Requiring cookies might be worth testing for a short period of time to see how much it affects your traffic.
I know that quite a few popular websites require cookies for access to member only content and they seem to get away with it.
Ultimately this is a problem that affects a lot of different kinds of websites in different ways and there's no perfect solution. Most sites settle for a membership system with email confirmation which at least slows offenders down.
| 6:38 am on Aug 7, 2004 (gmt 0)|
Has anyone heard of "Super Cookie"? There was a way to extract a unique number from the client's machine who had Windows Media Player installed on their system. I say "was" because I'm not sure if Microsoft has fixed it now.
The best thing was that this number could not be changed or disabled by a user. Is there anyone who can shed more light on "Super Cookies"?
| 6:47 am on Aug 7, 2004 (gmt 0)|
How much control do you have over this blog? Is it your own software? If so then are you using a database or at least a text file to hold the account information?
If the answer to the above is yes then all you need to do is add a numeric field to your database or whatever and call it something like ReadOnly. If its value is 1 the person is in read-only mode and cannot post; otherwise they can post.
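The account-level flag described above, as an added example that is not part of the original post or of any blog software mentioned in this thread. It goes one step beyond a 0/1 field by storing an expiry time, so the time-out ends on its own; the table, column and function names are hypothetical, and it assumes PHP with the PDO SQLite driver.

```php
<?php
// Added example: schema and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// readonly_until holds a Unix timestamp; 0 means the account may post.
$db->exec('CREATE TABLE users (
    username       TEXT PRIMARY KEY,
    readonly_until INTEGER NOT NULL DEFAULT 0
)');
// Constructed sample accounts.
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Put an account into read-only mode for $days days starting at $now.
function suspendPosting(PDO $db, string $user, int $days, int $now): void
{
    $stmt = $db->prepare('UPDATE users SET readonly_until = ? WHERE username = ?');
    $stmt->execute([$now + $days * 86400, $user]);
}

// Server-side check to run before accepting a post. It depends only on
// the logged-in account, not on cookies or the client IP address.
function canPost(PDO $db, string $user, int $now): bool
{
    $stmt = $db->prepare('SELECT readonly_until FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $until = $stmt->fetchColumn();
    // Unknown account: deny. Known account: allow once the time-out has passed.
    return $until !== false && (int) $until <= $now;
}

$now = 1091800000; // constructed "current time" in August 2004
suspendPosting($db, 'bob', 14, $now);

foreach ([['alice', 0], ['bob', 7], ['bob', 15]] as [$user, $daysLater]) {
    $ok = canPost($db, $user, $now + $daysLater * 86400);
    printf("%-5s day %2d: %s\n", $user, $daysLater, $ok ? 'may post' : 'read-only');
}
```

Reading stays open to everyone; only the posting handler calls `canPost()`.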
| 1:41 pm on Aug 8, 2004 (gmt 0)|
>One possibility is to check for the ability to write
>cookies and if it is turned off to let the user know
>that to post a blog cookies must be enabled.
That question, as well as the whole topic, is a problem that is as old as the (interactive) web. It has been solved over and over again. My advice would be to look at how other people actually solved the problem (by looking at their code). For example take a look at phpBB's (GPL) [google it] implementation (uses a database), it also has partial checking of the IP to reduce the possibility of session-hijacking.
If you decide to use PHP's own session implementation ( [de3.php.net...] ), there is an option called use_trans_sid which appends the session to the URL, if cookies are not available (phpBB also does this).
If you decide to roll your own, do yourself a favor and make sure you know what the following are: Session Fixation, Session Hijacking, XSS (Cross Site Scripting), CSRF (Cross Site Request Forgeries), Injection Attacks etc. [google it]
You can find good and pretty complete information on this from Chris Shiflett [google it].
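One way to do the partial IP check mentioned above, as an added example that is not phpBB's code and not part of the original post. The function names and the prefix lengths (first three octets for IPv4, extended here to the first 64 bits for IPv6) are assumptions; the check matters most when use_trans_sid puts the session ID in URLs, where it can leak through links and referrers.

```php
<?php
// Added example: function names and prefix lengths are assumptions.

// Network part of an address: first 3 bytes (/24) for IPv4, first 8 bytes
// (/64) for IPv6. Returns null when the address cannot be parsed.
function ipPrefix(string $ip): ?string
{
    $raw = @inet_pton($ip);
    if ($raw === false) {
        return null;
    }
    return strlen($raw) === 4 ? substr($raw, 0, 3) : substr($raw, 0, 8);
}

// Call at login, right after session_regenerate_id(true), so a session ID
// planted before login (session fixation) is not carried over.
function bindSession(array &$session, string $remoteAddr): void
{
    $session['ip_prefix'] = ipPrefix($remoteAddr);
}

// Call on every request. On false, destroy the session and ask for a new
// login instead of trusting the presented session ID.
function sessionMatchesClient(array $session, string $remoteAddr): bool
{
    $current = ipPrefix($remoteAddr);
    return isset($session['ip_prefix'])
        && $current !== null
        && hash_equals($session['ip_prefix'], $current);
}

// Constructed demo: $session stands in for $_SESSION, and the addresses
// come from the documentation ranges.
$session = [];
bindSession($session, '192.0.2.17');

$requests = ['192.0.2.200', '198.51.100.9', '2001:db8::1', 'not-an-ip'];
foreach ($requests as $addr) {
    $verdict = sessionMatchesClient($session, $addr) ? 'accept' : 'reject';
    printf("%-14s %s\n", $addr, $verdict);
}
```

Comparing only the prefix keeps users on dynamic addresses within one range logged in, while a session ID replayed from an unrelated network is rejected.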
| 7:57 pm on Aug 8, 2004 (gmt 0)|
Thanks for the tip on partial checking of the IP to reduce the possibility of session-hijacking as well as the other subjects--extremely helpful.