Php 哪些请求头可用于浏览器/客户端指纹?
为了增加安全性,我们的服务器跟踪浏览器指纹。目前,我们使用以下标题:Php 哪些请求头可用于浏览器/客户端指纹?,php,security,http,cross-browser,Php,Security,Http,Cross Browser,为了增加安全性,我们的服务器跟踪浏览器指纹。目前,我们使用以下标题: “HTTP_CLIENT_IP”、“HTTP_X_FORWARDED_FOR”、“HTTP_X_FORWARDED”、“HTTP_CLUSTER_CLIENT_IP”、“HTTP_FORWARDED_FOR”、“HTTP_FORWARDED”、“REMOTE_ADDR”(以第一个非空作为客户端IP) HTTP_-ACCEPTxxxx HTTP\u用户\u代理 是否还有其他(可选)标题可供使用 一般来说,计算客户端指纹的最佳
- “HTTP_CLIENT_IP”、“HTTP_X_FORWARDED_FOR”、“HTTP_X_FORWARDED”、“HTTP_CLUSTER_CLIENT_IP”、“HTTP_FORWARDED_FOR”、“HTTP_FORWARDED”、“REMOTE_ADDR”(以第一个非空作为客户端IP)
- HTTP_-ACCEPTxxxx
- HTTP\u用户\u代理
一般来说,计算客户端指纹的最佳“算法”是什么?您可以使用唯一的浏览器指纹(用户代理、web浏览器、画布等),然后获取哈希值
/* Generate a fingerprint string for the browser */
function generateFingerprint(){
//Generate a string based on "stable" information taken from the browser
//We call here "stable information", information that normally don't change during the user
//browse the application just after authentication
var fingerprint = [];
//Take plugins
for(var i = 0; i < navigator.plugins.length; i++){
fingerprint.push(navigator.plugins[i].name);
fingerprint.push(navigator.plugins[i].filename);
fingerprint.push(navigator.plugins[i].description);
fingerprint.push(navigator.plugins[i].version);
}
//Take User Agent
fingerprint.push(navigator.userAgent);
//Take Screen resolution
fingerprint.push(screen.availHeight);
fingerprint.push(screen.availWidth);
fingerprint.push(screen.colorDepth);
fingerprint.push(screen.height);
fingerprint.push(screen.pixelDepth);
fingerprint.push(screen.width);
//Take Graphical card info
//See http://output.jsbin.com/ovekor/3/
try {
//Add a Canvas element if the body do not contains one
if ( $("#glcanvas").length == 0 ){
$(document.body).append("<canvas id='glcanvas'></canvas>");
}
//Get ref on Canvas
var canvas = document.getElementById("glcanvas");
//Retrieve Canvas properties
gl = canvas.getContext("experimental-webgl");
gl.viewportWidth = canvas.width;
gl.viewportHeight = canvas.height;
fingerprint.push(gl.getParameter(gl.VERSION));
fingerprint.push(gl.getParameter(gl.SHADING_LANGUAGE_VERSION));
fingerprint.push(gl.getParameter(gl.VENDOR));
fingerprint.push(gl.getParameter(gl.RENDERER));
fingerprint.push(gl.getSupportedExtensions().join());
} catch (e) {
//Get also error because it's will be stable too..
fingerprint.push(e);
}
//Last and, in order to made this browser unique, generate a random ID that we will store
//in local storage (in order to be persistent after browser close/reopen)
//Add this ID because, in Enterprise, most of the time browser have the same configuration
var browserUniqueID = localStorage.getItem("browserUniqueID");
if (browserUniqueID === null) {
localStorage.setItem("browserUniqueID", CryptoJS.lib.WordArray.random(80));
browserUniqueID = localStorage.getItem("browserUniqueID");
}
fingerprint.push(browserUniqueID);
return fingerprint.join();
}
资料来源:
仅供参考,所有这些信息都可以被欺骗,但是,用户代理和IP地址可以被使用……您正在允许任何人在此处欺骗任何其他人的指纹,祝贺您。只有
REMOTE\u ADDR
保证是正确的,其他任何内容都是用户提供的任意信息。除非您确切地知道您控制下的代理已经设置了它们,否则您永远不应该使用任何可选的*_IP头。简言之,这也是HTTP头进行任何类型指纹识别的问题。@deceze:对于IP,并非所有用户都有公共IP,许多用户可能使用一个公共IP(在我的国家,至少有10000个用户使用一个IP)。deceze:注意“安全”之前的“添加”一词。@Patrick Sure,我没想到这是你唯一的安全措施。由于上述问题,它仍然存在问题,添加它几乎没有意义。此外,IP可以在任何时候出于完全合理的原因进行更改,因此要求它们保持不变可能会让用户非常恼火。
//Call the fingerprint dedicated function
var fingerprint = generateFingerprint();
//Use CryptoJS library ot generate a hex encoded string of the hash of the fingerprint
var fingerprintHash = CryptoJS.SHA256(fingerprint);