如何检测用户是否从已识别的计算机进行连接?

发布于 2024-08-21 09:14:32 字数 192 浏览 16 评论 0原文

在许多银行和投资网站上,该网站会阻止用户在未先回答其他问题或激活该计算机的情况下从无法识别的计算机登录。开发人员通常如何创建此功能?

例如,以下是当我从无法识别的计算机连接到我的帐户时 Salesforce.com 给出的消息:

我们正在尝试从我们的一个应用程序中执行相同类型的操作,但不确定最佳(也是最安全)的方法。

On many banking and investment websites, the site prevents users from logging in from an unrecognized computer without first answering an additional question or activating that machine. How do developers typically create this feature?

For example, here is the message that Salesforce.com gives when I connect to my account from an unrecognized machine:

Activate Required image, computer not recognized

We're trying to do the same type of thing from one of our applications, but aren't sure about the best (and most secure) approach.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

不再见 2024-08-28 09:14:32

有许多可能的方法可以做到这一点,但通常它们会使用以下内容的组合:

  • 连接的 IP 范围
  • 您从主机名
  • 您的计算机上是否存在成功身份验证后网站留下的 cookie
  • 用户代理字符串

如果您与现有的受信任连接之一有太多差异,该机器被视为不受信任。 “太多”的界限是安全性和便利性之间的权衡。

There are many possible approaches to do this, but typically they're using some combination of the following:

  • IP range you're connecting from
  • your host name
  • presence of cookies on your computer left by the site after a successful authentication
  • user-agent string

If you have too many differences from one of your existing trusted connections, the machine is considered untrusted. Where the line is drawn for "too many" is a tradeoff between security and convenience.

木森分化 2024-08-28 09:14:32

没有真正安全的方法,您可以基于 IP 地址执行此操作,但这通常是动态的,您可以通过 cookie 执行此操作,但它们远非安全,您可以在 MAC 地址上执行此操作,但您需要使用Java(IIRC)来访问它,但这又可能被欺骗......

没有真正的方法来检查他们连接的计算机以前是否曾经连接过。您可能可以找到“黑客”来做到这一点,但它永远不会安全。

There is no truly secure approach, you could do it based on IP address, but that is often dynamic, you could do it on cookies but they're far from secure, you could do it on MAC address but you'd need to use Java (IIRC) to access that, but that again can be spoofed...

There is no real way to check if the computer they're connecting from has ever connected before. You can probably find "hacks" to sort of do it, but it's never going to be secure.

您可以在用户计算机上设置 cookie,然后检查该 cookie 是否存在并包含正确的值。如果 cookie 不存在,则这台计算机是一台新计算机,否则这台计算机以前就存在过。

cookies值可以是一些随机散列,具有不同的属性,例如IP地址、用户代理等......

You can set up a cookie on users machine and later on check if that cookie exists and contains a proper value. If the cookie doesn't exist, then this computer is a new one, otherwise this computer has been here before.

The cookies value can be some random hash, with different attributes, for example IP address, user agent, etc...

開玄 2024-08-28 09:14:32

电子前沿基金会 (EFF) 建立了一个演示网站,展示了识别浏览器是多么容易,即使 cookie 被禁用或您从不同的 IP/提供商进行连接:

Panopticlick:您的浏览器有多独特和可追踪

的组合

  • 它们使用用户代理字符串
  • HTTP 标头
  • 安装的浏览器插件-ins
  • 时区
  • 屏幕尺寸和颜色分辨率
  • 系统字体
  • Cookie 设置

但是,典型的场景(可能是示例应用程序中使用的场景)是在本地存储 cookie 并通过此 cookie 识别返回的用户。

The Electronic Frontier Foundation (EFF) has set up a demo web site showing how astoundingly easy it is to identify a browser even if cookies are disabled or you are connecting from a different IP/provider:

Panopticlick: How unique - and trackable is your browser

They use a combination of

  • User agent string
  • HTTP headers
  • Installed browser plug-ins
  • Time zone
  • Screen size and color resolution
  • System fonts
  • Cookie settings

However, the typical scenario (and probably the one used in your sample application) would be to store a cookie locally and identify the returning user via this cookie.

没有伤那来痛 2024-08-28 09:14:32

最安全的方法无疑是颁发客户端证书,并让服务器检查连接上的证书(确保并使用吊销列表!)。这会产生相当多的管理开销,但很有效。

The most secure approach is undoubtedly to issue client certificates, and have the server check the certs on connection (make sure and use a revocation list!). This has quite a lot of administrative overhead, but works.

难以启齿的温柔 2024-08-28 09:14:32

大多数顶级网站都使用 Flash cookie 来跟踪唯一访客。 Flash cookie 与常规浏览器 cookie 类似,但当用户切换浏览器或清除浏览器历史记录时,Flash cookie 不会被清除。

再读一遍:您可以尝试清除历史记录或切换浏览器,甚至使用 Chrome 的“隐身”模式,Flash cookies 仍然会记住您是谁。它们与 Flash 安装相关,而不是与浏览器相关。

《连线》有一篇关于它们的文章:
http://www.wired.com /epicenter/2009/08/you-deleted-your-cookies-think-again/

尽管《连线》杂志对 Flash Cookie 发出了警告,但他们自己还是使用 Flash Cookie 来跟踪访问者。去算算吧。

在 Flash 中,它们被称为“共享对象”。请在此处查看有关如何使用它们的更多信息:
如何在 Flash 中访问 Cookie?

Most top sites use Flash cookies to track unique visitors. Flash cookies are similar to regular browser cookies yet are not cleared when a user switches browsers or clears the browser history.

Read that again: you can try to clear your history or switch browsers, or even use chrome's "incognito" mode, and Flash cookies will still remember who you are. They're tied to the Flash install rather than the browser.

Wired has an article about them here:
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

Despite Wired's warning about flash cookies, they themselves use flash cookies to track visitors. Go figure.

Within Flash, they're called "SharedObjects." See more on how to use them here:
How do I access cookies within Flash?

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文