Possible Replacement For Cookies?


brendan3eb

9:26 pm on Dec 23, 2004 (gmt 0)

10+ Year Member



Ok, this idea works, but I've never seen anyone do it, so I'm wondering if there is a security problem with it. When a user logs in and opts to be remembered after they leave, I insert their IP into the database and if that IP returns I'll log them in as that user. Are there any security problems with that?

mack

9:31 pm on Dec 23, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Not sure about security problems but it may have functionality problems. Let's imagine a dial-up user visits your site. They will almost certainly have a dynamic IP address; next time they visit your site their IP address will be different.

Mack.

brendan3eb

9:37 pm on Dec 23, 2004 (gmt 0)

10+ Year Member



Didn't quite think about that, thanks. I have a checkbox that offers the option; if they have dial-up they can still log in every time they come to the site. I'm just wondering if there are ways for people to deceive PHP to make it think their IP is different than the one they have.

coopster

10:05 pm on Dec 23, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



That's exactly what mack is stating here. Anyone with a dynamic IP address could come to the site and be served up with Billy Bob's content/information when it's actually Suzy Q. Keep in mind that a lot of DSL users run on dynamic IP as well.

brendan3eb

10:11 pm on Dec 23, 2004 (gmt 0)

10+ Year Member



Can they choose exactly what they want their IP to be?
Is there a way to detect whether the IP is dynamic or not?

coopster

10:19 pm on Dec 23, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>>can they choose exactly what they want their ip to be?

You can request a static IP from your ISP. They usually charge extra monthly charges for static IP addresses.

>>is there a way to detect whether the ip is dynamic or not?

No.

Another concern for you by using this technique...
Company A has a router in place which is doing Network Address Translation. Now you have 500 people in Company A with the same IP address because every external request is given the same IP address by the router. An external request is a web site request going outside the company network, through the router over the internet to your web site. How will you ever differentiate by IP address? You can't.

Your best option outside of a cookie would be to authenticate the user on any new visit to your site.

kevinpate

10:24 pm on Dec 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Another issue, even for static IP, is what about multiple users on a single machine: libraries, net cafes, even homes, as many have but one box on a desk somewhere off the kitchen.

Some homes are also extended family - a pre-teen or two, perhaps multiple teens and 2 or more generations of adults present in a single home, sharing a single static IP. Do you really wanna autolog someone in from that house based solely on the IP match?

I wouldn't, but maybe that's just me.

rlkanter

10:28 pm on Dec 23, 2004 (gmt 0)

10+ Year Member



I think coopster hit the nail on the head, NAT is going to be your biggest problem, whether it's from companies, or from shared connections in homes/cyber cafes/etc.

You might want to look into how the normal authorization works (for apache at least), I know once I login I don't have to re-login until I restart the browser. I'd assume it uses sessions, but not entirely sure. I know it doesn't use a cookie.

mack

12:29 am on Dec 24, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Is there any reason why you don't want to use cookies, or are you just experimenting with other ideas?

Mack.

brendan3eb

4:00 am on Dec 24, 2004 (gmt 0)

10+ Year Member



Some people don't accept cookies, which is the reason I was looking for an alternative, and it's annoying for the user to have to log in every visit. Anyways, I've changed all the logins to be sessions and there is an option to set a cookie.

Warboss Alex

2:28 pm on Dec 24, 2004 (gmt 0)

10+ Year Member



If people don't accept cookies, then they're also accepting that they can't stay 'logged in' to a site, so they have to log in every time. If you're technical-minded enough to know how/why to block cookies, then you'll also accept that there'll be drawbacks.

Instead of an I.P. address, you could store the username plus hashed password in the cookie or something, and 'auto-login' the user when they visit the site, if you get my meaning.
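As an added example (not code from this thread or any poster), here is a cookie-based auto-login along the lines Warboss Alex suggests, but with one change: the cookie carries a random token that is stored hashed on the server, rather than the user's hashed password, so a stolen cookie or a leaked table never exposes a password derivative and each token can be revoked on its own. The in-memory table and the 30-day lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stand-in for the database table of remember-me tokens
# (constructed for this example): selector -> (user, token_hash, expires_at).
REMEMBER_TOKENS = {}

TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days; an assumed policy, not from the thread


def issue_remember_cookie(user, now=None):
    """Call after a successful password login when 'remember me' is ticked.
    Returns the cookie value for the browser. The raw token is never stored;
    only its SHA-256 hash is kept, so a leaked table cannot be replayed."""
    now = time.time() if now is None else now
    selector = secrets.token_hex(8)   # public lookup key
    token = secrets.token_hex(32)     # secret that lives only in the cookie
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    REMEMBER_TOKENS[selector] = (user, token_hash, now + TOKEN_LIFETIME)
    return f"{selector}:{token}"


def user_from_remember_cookie(cookie_value, now=None):
    """Return the user to auto-login, or None. The client IP is never consulted,
    so dynamic addresses, NAT and shared machines do not come into it."""
    now = time.time() if now is None else now
    try:
        selector, token = cookie_value.split(":", 1)
    except (AttributeError, ValueError):
        return None                   # missing or malformed cookie
    record = REMEMBER_TOKENS.get(selector)
    if record is None:
        return None                   # unknown or already revoked
    user, token_hash, expires_at = record
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, token_hash):
        del REMEMBER_TOKENS[selector]  # wrong secret for a known selector: revoke it
        return None
    if now > expires_at:
        del REMEMBER_TOKENS[selector]  # expired: clean up and require a fresh login
        return None
    return user


def revoke_remember_cookie(cookie_value):
    """Logout: drop the server-side record so the cookie becomes useless."""
    selector = cookie_value.split(":", 1)[0]
    REMEMBER_TOKENS.pop(selector, None)
```

Mark the cookie HttpOnly and Secure when you set it, and hand out a fresh token after each successful auto-login so a copied cookie has a short useful life.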

Receptional

2:34 pm on Dec 24, 2004 (gmt 0)



IP numbers just won't work. AOL users on their own will generate a more than substantial number of cock-ups. We gave up using IP numbers for tracking unique users a long, long time ago.

I once saw a French thing that actually used a machine's MAC address. It involved downloading software onto the user's machine, but it looked pretty bomb-proof.