User authantication per browser.

[KubeR]

Hello,

 

I'd like to know if there is any alternatives for cookies,session and ip for user identification ?

 

As cookies aren't secure enough as they're easily compromised and untrustable.

As for session, I haven't seen a website that uses session for user identification while still being told to use in several "Login/Registration" tutorials, but aren't secure/trustworthy in my opinion as they're editable.

 

IP isn't the best idea because people use proxys and can change ip per page or interval. ( and VPN's )

 

User agents are editable by plugins and aren't unique as far as I know.

 

 

Are there any trustworthy information that can be retrived from the user ?

or combine a few into one ?

(except evercookie)

 

 

 

P.S. I am aware of OpenID, OAuth and social media authentication, but I am not interested in other websites identifying users for me.

 

 

Appericiate any input.

[requinix]

You can't trust the values in cookies but that in no way whatsoever means you shouldn't use them.

 

Sessions are safe, given a typical PHP setup. Your opinion is incorrect.

Oh, by the way, sessions use cookies.

 

IP addresses aren't unique.

[Jacques1]

No offense, KubeR, but this is bollocks. You don't seem to understand what session actually are and how they work. 

 

Standard PHP sessions consist of two parts: A session cookie which holds the session ID and the session file on the server. Since the actual session data is on the server, users don't have access to it. They can of course change their ID in the cookie, but that alone doesn't get them anywhere.

 

There are two security risks for standard sessions:

• If the session ID can be intercepted or predicted, an attacker can take over the session (session hijacking).
• If you adopt user-provided IDs (which is the default), an attacker can try to make the victim use a known ID and then take over the session after the victim has logged in (session fixation).

The first problem can be solved by using sufficiently random session IDs (see session.entropy_file and session.entropy_length) and only transmitting them over HTTPS. The second problem can be solved by generating a fresh ID in the log-in procedure.

 

So if used correctly, PHP sessions are secure. I'll happily discuss this in another thread.

 

Your statements about cookies are also wrong. Yes, the values are editable. But that simply means we need to check the integrity and authenticity of the data. This is typically done with a message authentication code. However, I don't recommend this approach, because it's very hard to get right compared to simply storing the session data on the server.

 

There are some alternatives to session-based authentication, most notably HTTP authentication and TLS client certificates. But they have problems as well and make little sense for an average website.