0

Typically "Remember me on this computer" stores a hashed value of the user identifier in a browser cookie. I want to be able to remember the device even if cookies are cleared. We try to store it in cache, window.event and even in local storage and DB (if HTML5 compliant). All of these are prone to getting cleared by the user. Is there a better technique for identifying a device without relying on these storages? Or better storages than the ones listed above?

Megha

2 Answers

3

No, because a user's computer is totally their own and nothing you store there is safe. As a final resort, they can re-install the entire operating system.

Even IP addresses are insufficient due to all the network address translations that happen on the net.

Rather than trying for a technological solution, I simply rely on the cookie and place a subtle message somewhere that cookies are required if they want the "remember me" functionality.

A user knowledgeable enough to get rid of cookies in the first case will probably know how to be selective.

paxdiablo
  • hmm.. identifying a repeat device is essential to my use case since we are presenting users with 2 step authentication if "remember me" cookie is not found. We are getting complaints for too many second steps from really lay users who end up deleting storage without their knowledge (via anti virus/malware software). I am open to radical ideas like getting rid of cookies altogether and attempting better fingerprinting algos to identify a device. Need suggestions on what and how if anybody has tried these before. – Megha Aug 25 '12 at 06:33
  • @Megha, I usually handle those customers with a wet rag, car battery and some wires attached to their private parts :-) Or, due to company limitations, a quick response indicating that something is deleting the cookies at which point they _won't_ be remembered by our application. It's then up to them to fix it since it's not a bug in our product (we'll help since we like our customers, but _responsibility_ is not accepted). Have a look at Victor's answer. Despite the downvote, it may be rather useful for you. – paxdiablo Aug 25 '12 at 06:43
  • @paxdiablo please help me on this question http://stackoverflow.com/questions/16633310/browser-cookie-persistent – Mihir May 19 '13 at 09:44
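
For the cookie-based approach in the answer above, combined with the two-step flow described in the comments, here is a server-side sketch of a remembered-device cookie. It is an added example, not code from any poster in this thread; `TrustedDeviceStore`, `cookie_header`, the `trusted_device` cookie name and the 30-day lifetime are assumptions. It uses a random token whose hash is stored server-side rather than a value derived from the user identifier, and a cleared cookie simply falls back to the second step.

```python
import hashlib
import secrets
import time

TRUST_LIFETIME = 30 * 24 * 3600  # assumed policy: trust a device for 30 days


class TrustedDeviceStore:
    """In-memory stand-in for a database table of remembered devices."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked table yields no usable cookies.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def remember(self, user_id, now=None):
        """Call after a successful second step; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random, not derived from the user id
        self._rows[self._digest(token)] = (user_id, now + TRUST_LIFETIME)
        return token

    def needs_second_step(self, user_id, cookie_value, now=None):
        """True when the login must go through the second factor."""
        now = time.time() if now is None else now
        if not cookie_value:  # cookie cleared or never set
            return True
        key = self._digest(cookie_value)
        owner, expires_at = self._rows.get(key, (None, 0))
        if now >= expires_at:  # unknown or expired token
            self._rows.pop(key, None)
            return True
        return owner != user_id  # token issued to a different account

    def forget_all(self, user_id):
        """Revoke every remembered device, e.g. after a password change."""
        stale = [k for k, (u, _) in self._rows.items() if u == user_id]
        for k in stale:
            del self._rows[k]
        return len(stale)


def cookie_header(token):
    # Secure + HttpOnly keep the token off plain HTTP and away from page scripts.
    return (f"Set-Cookie: trusted_device={token}; Max-Age={TRUST_LIFETIME}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```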
1

Try to look at http://samy.pl/evercookie/

victorsavu3
  • Why the downvote? This seems like a valid enough solution to me. Obviously, it won't survive a person determined to get rid of the information but should take care of the vast majority. – paxdiablo Aug 25 '12 at 06:39
  • +1.. can't upvote yet to neutralize. It is something I can consider for my use case. – Megha Aug 28 '12 at 07:25
  • Despite being a solution that answers the question, it does sound a little bit too much on the invasive side... users should always be able to delete any cookies set on their machine. I wouldn't use this unless I was specifically asked to by a client (maybe for some intranet project?). If you do use this then at least tell your visitors/users about it. Also, perhaps it would be a good idea to make sure this goes in line with privacy laws. – Edd Apr 22 '20 at 12:38