-2

I want to track all users (both authenticated and anonymous users). So far, the solutions I have found are not good.

First of all, we can use a cookie, but as we all know it's not a reliable solution. Second of all, we can use browser fingerprinting, but up to this moment I have not found any solution for the server side. I found this solution valve, but it is for the client side, and this one browserFingerPrint. I want an approach where the user does not find any token in the request; I want to create the key on the server side so I can track users.

Does anyone know any solution?

Note: my server-side technology is ASP.NET MVC.

Use case: users can comment on my site and they can also like or dislike comments. I want to allow all users to do this, and I also want to track users before the action (like or dislike).

Sklivvz
jsDevia
  • 1
    If your users decide to go into incognito mode in their browsers there will be absolutely nothing for you to track them. That's exactly why incognito mode has been designed in the first place: to prevent abusive websites from tracking users who do not wish to be tracked. So basically you have lost this battle even before it started. The only reliable way to track them is through authentication. Everything else is just a waste of time. – Darin Dimitrov May 07 '16 at 13:51
  • https://fingerprint.pet-portal.eu/ Use this one through every browser you have, also incognito; you can see the key is all the same. I want this kind of solution. – jsDevia May 07 '16 at 14:02
  • But this doesn't mean that it is impossible to delete the `evercookie` that it creates. It's just a bit harder and with enough knowledge the user can remove all traces. Also your problem is that you will need to transfer this fingerprint somehow to the server. So it must be part of the HTTP request. But what if a user decides not to use a browser, but directly send an HTTP request to your site? – Darin Dimitrov May 07 '16 at 14:05
  • I don't need a 100% reliable solution; 80 or 90 percent is good enough for me, and if it goes to 100 percent, even better. – jsDevia May 07 '16 at 14:06
  • Do you need to handle the situation when a user simply forges an HTTP request to your site? Because in this case he can send whatever headers and information he wants and your server will be incapable of identifying the user, unless of course you require authentication. – Darin Dimitrov May 07 '16 at 14:07

1 Answer

1

No, there is no solution for what you want that doesn't use some form of a "token" which fingerprints anonymous users.

Let's see why.

An anonymous browser sends a series of bits of data, such as IP, browser agent and other headers. These should never be used to identify a user because they can be easily forged. They can be OK for tracking, and for most purposes IP address or some hash based on IP address and browser agent is sufficient. However this won't do for things which require security, such as commenter identification.

For commenter identification, it is necessary to prevent fraud. This is typically achieved by giving a unique token to each user. This can be transmitted in many forms, off the top of my head: cookies, headers, query string, POST parameters, or client certificates. However it does require a token issued by the server. If the client can generate a token from scratch, then it follows it can generate a fake token.

Sklivvz
  • I know that users can forge the data, but the solution I have is cookies. All I want is a more reliable solution. I don't need 100 percent reliability, just a better solution. – jsDevia May 07 '16 at 14:20
  • Everybody knows about cookies; they know that if they delete it they can forge data. I want to make the forging process more difficult for them. – jsDevia May 07 '16 at 14:23
  • 1
    @EhsanElhampour so you want to track them even if they don't want? That's not ethical. – Sklivvz May 07 '16 at 14:24
  • No, no, don't get me wrong. I don't want to force them to log in to the site in order to like or dislike comments. I want to make the approach much easier for them, but for this I don't want to use cookies; I want a more reliable solution. – jsDevia May 07 '16 at 14:26
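The answer's point that the token must be issued by the server, so that a client cannot produce a valid one from scratch, can be shown with an HMAC-signed visitor id that the server checks before counting a like or dislike. This is an added example, not code from the question or the answer; the class `VisitorToken`, its methods, and the demo key are hypothetical, and the token is assumed to travel in one of the transports the answer lists (cookie, header, query string, POST parameter).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: issue and verify a server-signed anonymous visitor token.
public static class VisitorToken
{
    // Assumption: a real deployment loads this key from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");

    // The server picks a random id and appends HMAC-SHA256(id) so it can recognise its own tokens.
    public static string Issue()
    {
        var id = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(id);
        return Convert.ToBase64String(id) + "." + Convert.ToBase64String(Sign(id));
    }

    // Returns the visitor id if this server issued the token, otherwise null.
    public static string Verify(string token)
    {
        var parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        try
        {
            var id = Convert.FromBase64String(parts[0]);
            var mac = Convert.FromBase64String(parts[1]);
            return FixedTimeEquals(mac, Sign(id)) ? parts[0] : null;
        }
        catch (FormatException) { return null; }
    }

    private static byte[] Sign(byte[] data)
    {
        using (var h = new HMACSHA256(Key)) return h.ComputeHash(data);
    }

    // Constant-time comparison so response timing does not reveal how many MAC bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        Console.WriteLine(Verify(Issue()) != null); // token issued by the server
        Console.WriteLine(Verify(Convert.ToBase64String(new byte[16]) + ".AAAA") != null); // token made up by a client
    }
}
```

A visitor who discards the token simply receives a new id, so this stops forged ids but not repeat votes; that limit is the one the comments above discuss.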