在Perl的网络控制面板登录独特的web浏览器识别ID [英] Unique web browser identification ID for web control panel logins in Perl

问题描述

Web浏览器是否有一个唯一的ID可以被传递到Perl脚本？ （像一个唯一的序列 - 样的产品，你在商店购买具有为例）

Does web browsers have a unique ID that can be passed on to Perl scripts? (Like a unique serial - like products that you buy in the shop have for example)

有关实例：如果我安装一个网络浏览器，可以在这个网络浏览器提供一个唯一的标识ID到PHP或Perl脚本

For instance: If I install a web browser, can this web browser provide a unique identifying ID to a PHP or Perl script?

我在寻找一些独特的原因是要做到以下几点：

The reason I'm looking for something unique is to do the following:

1. 我有一个用户名和密码的用户数据库。

1. I have a user database with user names and passwords.

用户名/密码进行加密，并设置为饼干用户的Web浏览器，以便用户可以登录并伸到我的Web应用程序。 （每个加载网页时登录的着眼于饼干和授权访问如果cookie的用户名/密码是正确的）

The user names / passwords are encrypted and set as cookies to the web browsers of users so that users can log in and out into my web application. (Each web page loaded when logged-in looks at the cookies and grants access if the cookie user/pass is correct)

如果一个黑客设法窃取用户加密的用户名和密码的cookie，他将能够与被盗加密信息进行登录。

If a hacker manages to steal the encrypted user name and password cookie from a user he will be able to log in with that stolen encrypted details.

如果用户的浏览器都有唯一的ID传递那么我可以记录这些ID和用户使用自己的加密的用户每次与它们匹配/传递的cookie。这样，如果唯一的ID不匹配（所记录的previously），那么该用户将被注销，并要求人工重新登录。

If the browsers of users all had unique IDs to pass on then I could record those IDs and match them each time a user uses his encrypted user/pass cookie. This way if the unique ID does not match (what has been recorded previously) then the user is logged out and asked to manually log in again.

在哪里加密的用户名/密码被盗黑客将无法获得与它独特的，因为浏览器的ID将不匹配的情况。用户/密码的cookie被加密，黑客无法看到用户名或密码。当唯一的浏览器记录的ID不匹配，Web应用程序会要求用户手动登录，因为用户名/密码他偷了加密，黑客将无法手动登录。

In the event where the encrypted user/pass is stolen the hacker won't be able to get in with it because unique browser ID's won't match. The user/pass cookie is encrypted and the hacker cannot see the user name or password. When the unique browser recorded ID's don't match the web application will ask the user to login manually and the hacker won't be able to login manually because the user/pass he stole is encrypted.

使用的IP地址是一个可能的解决方案，但一个贫穷的解决方案，因为很多如果不是大多数的ISP分配动态IP给客户的互联网连接。

Using IP addresses is a possible solution but a poor solution because many if not most ISP's assign dynamic IPs to the internet connections of their clients.

使用时间也没有一个很好的解决办法，因为我想保持登录状态，每次数周在同一台计算机上的用户（如果他们选择的话），使之方便。

Using time is also not a good solution because I would like the users to stay logged in on the same computer for weeks at a time (if they chose so) to make it convenient.

任何人有任何解决方案，以上面的场景？

Anybody have any solutions to the above scenario?

我一直在寻找一种方式来获得独特的来自浏览器的东西，但这似乎并不可能。是否有可能或不？

I've been searching for a way to get something unique from browsers but this does not seem possible. Is it possible or not?

推荐答案

浏览器不具备的独特ID，但指纹是可能的。 联邦军先后测，在最好的情况下，通过浏览器（包括用户代理字符串等发送的信息HTTP头）再present熵，如果你把随机两种浏览器，这意味着18.1位，你有机会1 2 ^18.1 （≈280,000），它们将具有相同的指纹。他们已经成立了一个网站，你可以估算的程度熵的您的浏览器发送的信息。

Browsers don't have unique ID, but a good level of fingerprinting is possible. The EFF has measured that, in the best case, information sent by browsers (including the user agent string and other HTTP headers) represent 18.1 bits of entropy, which means if you take two browsers at random, you have 1 chance in 2^18.1 (≈280,000) that they will have the same "fingerprints". They have set up a website where you can estimate the degree entropy of the information sent by your browser.

有些网站使用。我的银行，例如，存储有关三种浏览器我最经常使用的，每当我没有使用其中的一个连接到他们的网站，问我额外的验证问题的信息。

Some websites use this. My bank, for instance, stores information about the three browsers I use most often to connect to their website, and ask me additional verification questions whenever I'm not using one of those.

在另一方面，所有这些信息是完全具有欺骗性：如果有人能够携带中间人攻击并窃取了一个cookie，他们能够也窃取所有的浏览器发送的头，和可以重新使用它们自己在您的网站进行身份验证。如果浏览器其实是有唯一的ID同样是如此。

On the other hand, all this information is entirely spoofable: if someone is able to carry a man-in-the-middle attack and steal a cookie, they are able to steal also all the headers sent by the browser, and can reuse them to authenticate themselves on your website. The same would be true if browsers actually had unique IDs.

您选择，除了使用这需要你要么支付签署的证书或创建一个自签名的一个，将显示一个安全警告，您的访客（HTTPS）使用SSL加密的连接，是采用对<更好的做法A HREF =htt​​p://en.wikipedia.org/wiki/Session_hijacking#$p$pvention>会话劫持。

Your alternative, besides using a connection encrypted with SSL (https) which requires you to either pay for a signed certificate or create a self-signed one that will display a security warning to your visitors, is to adopt better practice against session highjacking.

有关的一件事，它不是标准，以保持用户名和密码，即使加密，在cookie。你应该做的是，一旦用户登录到你的网站，为它们分配一个的随机的，单次使用的，你会在你的数据库存储与到期时间（你可以延长，每次在沿会话ID用户与您的网站在Cookie交互），这给他们。

For one thing, it is not standard to keep the username and password, even if encrypted, in the cookie. What you should do is, once a user has logged into your website, assign them a random, single use session ID which you will store in your database along with an expiration time (which you may extend everytime the user interacts with your website), and this to them in a cookie.

如果你想要一个更高程度的保护，一个选项是改变会话ID的每个的用户进行一次发送一个HTTP请求。您也可以存储列表中IP地址的每个用户使用连接到你的网站，或者IP地址掩码（如 XY *。* ），如果它的变化过于频繁，并有他们，如果他们是从一个不寻常的地方连接验证自己的身份。如果你这样做，这是一个很好的做法，问他们：你会从这个地方重新连接？

If you want an even higher degree of protection, one option is to change the session ID every time the user makes sends an HTTP request. You could also store a list of IP addresses each user uses to connect to your website, or IP address masks (e.g. X.Y.*.*) if it changes too often, and have them authenticate themselves if they are connecting from an unusual place. If you do this, it is a good practice to ask them "Will you be connecting again from this place?"

这篇关于在Perl的网络控制面板登录独特的web浏览器识别ID的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！