This question already has answers here:
How do I uniquely identify computers visiting my web site?
(22 answers)
Closed 2 years ago.
I am developing a web application using jsp. My requirement is to identify the no of request is from the same machine or not. How to finger print a device... I tried to get IP address but jsp returns always the server IP address. For this I refere the following question.get IP from client is there any way available to get IP or Mac address or a unique identifier of client PC using java script or jsp.....
You can always set a cookie. Check for the cookie on the request (when it arrives in Java). If it's there and it has a value you know, it's an existing user. If it's not there, it's a new user and you should set one for that user and keep track of the value you placed in.
If all other options aren't viable (like cookies, IP, user-agent or a combination of all), then you might want to consider having the user sign-up and login. That way, you have full knowledge on who's actually operating.
IP request will not work when your server is behind a webserver like Apache. Better is to assign an id to the very first request and put it in a cookie. But if you want to identify the same client across multiple browsers, cookie might not help you. Can you be a bit more explanative about your requirement? What constitutes a unique client? same browser / multiple browsers / subnet is acceptable / or anything else? Can this help - How do I uniquely identify computers visiting my web site? ?
Check https://www.chromium.org/Home/chromium-security/client-identification-mechanisms which explains different client identification mechanisms. HTML appcache sounds like an option (but if cookies are not allowed, not sure about 'storing' something on the client machine's disk).
On your jsp you can use cookies. You could have something like this:
<%
Cookie alreadyAccessed = new Cookie("already_accessed", "true");
// Set expiry date after 24 Hrs
alreadyAccessed.setMaxAge(60*60*24);
// Add the cookie in the response header.
response.addCookie( alreadyAccessed );
%>
You can't get MAC address. Other option available to you are :
Set a unique cookie and use this.
Use IP address and browser information in addition to cookie for additional surety.
Remote host and address diff you can get here Remote Address and Remote Host
Related
I have developed a web application.Same user(same login id) can login to the system by using multiple devices. I want to identify the devices seperately. The devices can be ipads,tabs etc...
As an example, there can be 3 ipads .So I need to uniquely identify which ipad was used to login. I need to implement this using java.
Thank you in advance
You cannot really identify each device uniquely because device does not send any type of unique identifier to server.
The typical solution is using cookie. You can create cookie that identifies you each device when it connect first time. The cookie may (for example) take into consideration the client IP, user-agent, timestamp and some random part or, alternatively just create UUID. The cookie should be persisted and never expired.
Now, every time the client connects it sends the cookie and you can identify it.
If you want to detect the device type use User-Agent HTTP header. This will allow you to limit number of devices of the same type as you want.
Obviously user can delete cookie from his browser or use other browser. This is the reason that I mentioned in the beginning of my answer: you cannot really identify the device uniquely. You can however do the best effort explained above.
*I think you can use method
java.lang.System.getProperty(String)
The blow two property be concated will ok.
* <dt>os.name <dd>Operating System Name
* <dt>user.name <dd>User account name*
the above is error.
You cat get client identifier by javascript .java is working with server.
I know following are the ways to maintain or session tracking in java but looking for a good one
URL rewritting
Hidden form fields
cookies
Session object like setAttribitute() and session.getAttribute()
If the client browser has blocked accepting and storing cookies then last 2 ways are not valid.In hidden form fields I need to pass the hidden values in each and every page inside form.So suppose If I am just using response.sendRedirect() Then hidden form field is of not use.The remaining is URL rewriting in which I will pass JsessionID in the URl.So My question by knowing the sessionID isnt the unauthorized persons can able to access the pages.
For example There are 3 pages login,register,send.So after login user can register and/or send.So if any one knows the sessionID cant he/she go direct to register/send page.If yes Please tell me how to prohibit this
As of Servlet 3.0 (Apache Tomcat 7 onwards) if you use SSL then you can configure your application to track sessions based on the SSL session ID. The downside is that everything has to be over SSL. The advantages are that the session is strongly tied to the SSL connection. Only the user that created the connection to the server that has the correct SSL session has access to the session. Even if an attacker knows the session ID, they can't access the session.
One word of caution, this form of session tracking is the least widely used so it may not have been as heavily tested as the more usual cookie and URL re-writing mechanisms.
Have a look at this link which outlines Best practices for using HTTP sessions
Including
javax.servlet.http.HttpSession.invalidate()
Use HTTPS
With standard solutions you can't.
You can add some measure of security by adding request originator IP address verification, but that's also fooled easily. (to clarify some here means very tiny itsy bitsy little bit of)
So the secure route is to not use URL Rewriting to maintain session in secure application.
However you may be able to get some security by keeping the JSessionID as a separate encrypted attribute that which will be decrypted by a middle-ware or a load balancing server sitting between the client and your application servers. This of course is just a thought, I haven't, fortunately ever had to try something like that out :-)
Session tracking & authentication are two diff things don't club them.
Understanding your requirement I see you want to secure the sessionid of the user.
Evasdroping: If someone is listing to the request & response in the middle he can take the sessionid and use it. The best way would be to use a SSL. This ensures no one is listening in the middle.
Sessionid stolen from Client side: Normally this should be taken care by the browser and OS. So your user is as secure as the system he has.
I use JSP in server side and want to validate that, an user must not log in from two different IP addresses. What is the method to do this validation?
And some says that the client IP address may not be get from the server side because of some proxies involved. Then how the google and facebook are doing this? Will this be reliable in production environmennt? please explain. Thank you !
Then how are Google and Facebook doing it?
They are probably using the X-Forwarded-For header that a lot of proxy servers add to the request on the way through.
This is only reliable to the extent that the proxies are telling the truth.
Well, getting the IP address is as easy as using ServletRequest#getRemoteAddr()
But as you've noted already, there is no way to get this reliably - if the client is using a proxy, the connection will appear to originate at that IP address. I don't believe Facebook or Google can get around this either - which is why you can access US only features (for example, Google Voice in Gmail) by logging in via a proxy/ssh tunnel that has a US IP address.
If you just want to stop a user from logging in from two different IP addresses simultaneously, all you need to do is track what IP address their current session (if one exists) originates from and either
stop the second login attempt, or
expire the first session
I'm not sure what value there might be in preventing a login from different IP addresses at different times since that's very likely going to happen with users who are travelling around or moving from network to network.
How can I get client side information using either Javascript or Java Servlets?
Client side information such as client's computer name, its IP Address etc.
Thanks in advance.
You can get some information from the HTTP request headers in a servlet, such as the user-agent (so that you knows which browser the client is using (or want to let us think it is using)) and the remote-addr (the client's IP address (or the proxy's one if the client is using it)).
String userAgent = request.getHeader("user-agent"); // Browser identifier.
String remoteAddr = request.getRemoteAddr(); // IP address.
You can't access system environment variables using Javascript. That would be a security hole. There are ways using ActiveX, but that works only on a certain webbrowser developed by a team in Redmond and still then, the client would need to lower its security settings to allow it to run. That's a big no-no.
The only way to get the computer name is to run a client application which is served by a webpage and let this client application sniff it and send it to the server side. For example a Java Applet using respectively System.getProperty("COMPUTERNAME") and java.net.URL. You however need to sign it, else it will prompt a security warning as well.
Get user IP through JS
var ip = '<!--#echo var="REMOTE_ADDR"-->';
Although I'm not sure on the computer name, I presume it would have to involve ActiveX. It use to be possible via ActivexObject in IE. Unsure if its possible anymore, highly doubt it because its not secure in the slightest.
Depending on your network environment (e.g. if this is on an Intranet), you may be able to get the client name by doing reverse DNS on the client's IP address, or by creating an equivalent server service.
We have a voting mechanism that we want to restrict to only allow one vote by user.
We've tried to validate by IP address, but the problem is that when we get the user's IP address in the applicational server it shows always the apache IP address (we have two applicational servers with apache in front of them).
We are using ColdFusion variable CGI.REMOTE_ADDR to get the user IP.
Anyone knows how to fix this?
We would like to avoid the use of sessions or cookies.
Thanks in advance.
You probably want to use the X-Forward-For header header
instead of the source ip, assuming your apache instances are putting it into the request.