
PHP Server Side Scripting Forum

    
How can the CPU (or comp) serial number be accessed?
using SN# instead of IP address for tracking
Storyman

10+ Year Member



 
Msg#: 4656 posted 3:25 am on Aug 6, 2004 (gmt 0)

I'm in the process of making a simple blogging site and would like to track users. At first the idea was to use the IP address, but since many users will log in from different locations using laptops the idea to use a SN# that is machine specific looks more attractive.

What machine specific ID is better to use and what kind of script is needed to achieve it? Can the hard drive SN# be accessed with PHP or Javascript? What about the CPU SN#?

Any advice along these lines is appreciated.

 

bobnew32

10+ Year Member



 
Msg#: 4656 posted 4:05 am on Aug 6, 2004 (gmt 0)

To my knowledge you can't access any of that. And if we could, how safe would it be for a website to rip my serial numbers from me and use them for their usage?

Storyman

10+ Year Member



 
Msg#: 4656 posted 4:40 am on Aug 6, 2004 (gmt 0)

Bobnew32,

Are you absolutely positive about this?

When PIIIs were introduced there was the issue of CPU SN#s being discussed and the right to privacy. From what I recall there is a way for the user to switch off the SN# from going out, but have you or do you even know how to switch it off?

I'm not sure what the security issue is that you refer to in your post, but I'm not debating the moral issue and it is up to you if you leave it switched on. All I want to know is how to access the CPU or machine SN#.

pete_m

10+ Year Member



 
Msg#: 4656 posted 6:15 am on Aug 6, 2004 (gmt 0)

Hi Storyman

Intel dropped the Pentium PSN serial numbers back in 2000 - even if you could get the info from certain CPUs (which I seriously doubt, at least without some hacky ActiveX), using it would be of limited value.

A better idea to track users would be cookies. A couple of things to bear in mind:
1 - You'll need to create a compact P3P policy to make sure that IE6 will accept the cookie at default settings.
2 - Not all users will allow those cookies - i.e. it's not foolproof.

IanKelley

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4656 posted 9:24 am on Aug 6, 2004 (gmt 0)

There's no way to access any kind of unique identification for a PC from a web script, and for a lot of obvious reasons there never will be. At least not without some major legislation.

When you see a programmer talking about a script that identifies "Computer IDs" or "Computer Names" they're really just using cookies as suggested above.

jollymcfats

10+ Year Member



 
Msg#: 4656 posted 2:26 pm on Aug 6, 2004 (gmt 0)

>When PIIIs were introduced there was the issue of CPU SN#s being discussed and the right to privacy. From what I recall there is a way for the user to switch off the SN# from going out, but have you or do you even know how to switch it off?

There was a utility available to control whether or not the OS would have access to the serial number. But it's a moot point for the web- no browsers were ever modified to read the serial number, and only Pentium III and Pentium III Xeons had serials.

Storyman

10+ Year Member



 
Msg#: 4656 posted 4:06 pm on Aug 6, 2004 (gmt 0)

Okay, so I was dreaming.

Maybe someone has a better idea on how to implement what I am trying to do.

It is a group blog. In an effort to make writing a blog as simple as possible I'm only requiring a username and password.

Most people play well in blogs, but there is the occasional interloper who likes to draw attention to themselves with negative behavior.

What I'd like to be able to do is give them a time out where they can still read the post, but cannot blog for a determined length of time--like a week or two.

Since only a user name and password is used the next identification considered was the IP address. Because people are mobile with their machines I started to think about machine specific identification, which obviously is not going to work.

What is the consensus on this? IP address? Anything else?

pete_m

10+ Year Member



 
Msg#: 4656 posted 4:19 pm on Aug 6, 2004 (gmt 0)

Storyman: Unfortunately there is no 100% reliable way of preventing someone from blogging, assuming you allow anyone to sign up with a username and password.

The options are:
1 - Cookies. Fairly reliable for non-technical users, but can be manually removed.
2 - IP Address. But users may be on dynamic IPs, or simply moving around. Plus multiple users may appear on a single IP address over time.

And that's pretty much it. (Unless you go into issuing client security certificates...)

You might be best relying on cookies, and manually deleting the offending posts if they appear. Either that, or pre-moderation (i.e. each blog is approved manually before it appears).

Storyman

10+ Year Member



 
Msg#: 4656 posted 4:57 pm on Aug 6, 2004 (gmt 0)

Pete,

Thanks for the feedback. It appears my initial instinct was on track with using the IP address.

From your comments it would appear that a combo of a tracking cookie and IP address would be the best way to go.

It isn't that I want to prevent someone from blogging, but only that they are civil to others and I believe that for 99% of the people a gentle reminder is sufficient.

IanKelley

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4656 posted 5:38 pm on Aug 6, 2004 (gmt 0)

Storyman... Don't use IP addresses unless it's an emergency (an offender posting repeatedly).

IP blocking is as easy for most users to get around as cookies are. Virtually all dial up, most DSL and some Cable ISP accounts are dynamic IP.

That means if you log off and on again you have a new IP instantly.

Additionally, someone else gets assigned the IP you were just using. If you banned that IP and that someone else tries to use your blog they will be blocked.

The chances of this happening might seem slim but consider that AOL shares a dynamic IP pool among its customers. If you have even a handful of AOL IP addresses blocked it creates a noticeable problem.

Storyman

10+ Year Member



 
Msg#: 4656 posted 6:54 pm on Aug 6, 2004 (gmt 0)

IanKelley,

Your comment about IP addresses is reasonable.

The only thing about cookies is how to handle those who have cookies turned off in their browser.

One possibility is to check for the ability to write cookies and if it is turned off to let the user know that to post a blog cookies must be enabled.

Any suggestions?

IanKelley

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4656 posted 12:12 am on Aug 7, 2004 (gmt 0)

Requiring cookies might be worth testing for a short period of time to see how much it affects your traffic.

I know that quite a few popular websites require cookies for access to member only content and they seem to get away with it.

Ultimately this is a problem that affects a lot of different kinds of websites in different ways and there's no perfect solution. Most sites settle for a membership system with email confirmation which at least slows offenders down.

crypto

10+ Year Member



 
Msg#: 4656 posted 6:38 am on Aug 7, 2004 (gmt 0)

Hey Guys,

Has anyone heard of "Super Cookie"? There was a way to extract a unique number from the client's machine who had Windows Media Player installed on their system. I say "was" because I'm not sure if Microsoft has fixed it now.

The best thing was that this number could not be changed or disabled by a user. Is there anyone who can shed more light on "Super Cookies"?

GaryK

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4656 posted 6:47 am on Aug 7, 2004 (gmt 0)

How much control do you have over this blog? Is it your own software? If so then are you using a database or at least a text file to hold the account information?

If the answer to the above is yes then all you need to do is add a numeric field to your database or whatever and call it something like ReadOnly. If its value is 1 the person is in read-only mode and cannot post; otherwise they can post.
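An added example (not part of the original post) of the account-level flag described above, generalized from a 1/0 field to an expiry timestamp so a one- or two-week time-out lifts on its own. The table and column names (`users`, `read_only_until`) and the function names are hypothetical, and it assumes PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example: account-level posting time-out, enforced server-side.
// Table, column and function names are hypothetical.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // read_only_until is a Unix timestamp; 0 means the account may post.
    $db->exec('CREATE TABLE users (
        username TEXT PRIMARY KEY,
        read_only_until INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Put an account into read-only mode for $days days, starting at $now.
function set_timeout(PDO $db, string $user, int $days, int $now): void {
    $stmt = $db->prepare('UPDATE users SET read_only_until = ? WHERE username = ?');
    $stmt->execute([$now + $days * 86400, $user]);
}

// Check this on every post request, after login, before saving the entry.
function can_post(PDO $db, string $user, int $now): bool {
    $stmt = $db->prepare('SELECT read_only_until FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $until = $stmt->fetchColumn();
    // Unknown account: deny. Otherwise allow once the time-out has passed.
    return $until !== false && (int)$until <= $now;
}

// Constructed sample data.
$db = open_demo_db();
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('mallory')");
$now = 1091750400; // constructed "current time"
set_timeout($db, 'mallory', 14, $now);

var_dump(can_post($db, 'alice', $now));                // unaffected account
var_dump(can_post($db, 'mallory', $now + 7 * 86400));  // inside the two weeks
var_dump(can_post($db, 'mallory', $now + 15 * 86400)); // time-out expired
```

Because the check is keyed to the logged-in account, it holds across cookie deletion and IP changes; it does not stop the same person registering a second username.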

ruserious

10+ Year Member



 
Msg#: 4656 posted 1:41 pm on Aug 8, 2004 (gmt 0)

>One possibility is to check for the ability to write
>cookies and if it is turned off to let the user know
>that to post a blog cookies must be enabled.
>
>Any suggestions?

That question, as well as the whole topic, is a problem that is as old as the (interactive) web. It has been solved over and over again. My advice would be to look how other people actually solved the problem (by looking at their code). For example take a look at phpBB's (GPL) [google it] implementation (uses a database), it also has partial checking of the IP to reduce the possibility of session-hijacking.

If you decide to use PHP's own session implementation ( [de3.php.net...] ), there is an option called use_trans_sid which appends the session to the url, if cookies are not available (phpBB also does this).

If you decide to roll your own, do yourself a favor and make sure you know what the following are: Session Fixation, Session Hijacking, XSS (Cross Site Scripting), CSRF (Cross Site Request Forgeries), Injection Attacks etc. [google it]

You can find good and pretty complete information on this from Chris Shiflett [google it].
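An added example (not part of the original post, and not phpBB's code) of a cookie-only PHP session with a partial IP check and an id regenerated at login against session fixation. It turns `use_trans_sid` off because a session id carried in the URL can leak through shared links, Referer headers and logs. The function names and the `net` session key are hypothetical; it assumes PHP 7.3 or later, and a real page would pass `$_SERVER['REMOTE_ADDR']` as `$ip`.

```php
<?php
// Added example: cookie-only PHP session with a partial-IP binding.
// Function names and the 'net' session key are hypothetical.

// Network part of the client address: first three octets for IPv4,
// first eight bytes (/64) for IPv6. Returns '' for unparsable input.
function network_prefix(string $ip): string {
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return '';
    }
    $keep = strlen($packed) === 4 ? 3 : 8;   // bytes to keep
    return bin2hex(substr($packed, 0, $keep));
}

function start_hardened_session(): void {
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    ini_set('session.use_trans_sid', '0');    // never write the id into links
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call after the password check succeeds.
function login(string $user, string $ip): void {
    session_regenerate_id(true);              // new id defeats session fixation
    $_SESSION['user'] = $user;
    $_SESSION['net']  = network_prefix($ip);
}

// True only if the session is logged in and still on the same network prefix.
function session_is_valid(array $session, string $ip): bool {
    $net = network_prefix($ip);
    return isset($session['user'], $session['net'])
        && $net !== ''
        && hash_equals($session['net'], $net);
}

// Constructed check of the comparison logic (documentation address ranges).
$s = ['user' => 'alice', 'net' => network_prefix('203.0.113.7')];
var_dump(session_is_valid($s, '203.0.113.200')); // same /24, e.g. a new DHCP lease
var_dump(session_is_valid($s, '198.51.100.9'));  // different network
```

Comparing only the network prefix tolerates address changes inside one subnet, but users whose ISP rotates them across networks will be logged out, so treat a mismatch as a prompt to log in again rather than as a ban.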

Storyman

10+ Year Member



 
Msg#: 4656 posted 7:57 pm on Aug 8, 2004 (gmt 0)

ruserious,

Thanks for the tip on partial checking of the IP to reduce the possibility of session-hijacking as well as the other subjects--extremely helpful.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved