dongsui8162 2013-07-24 08:26
Views: 296
Accepted

Which request headers can be used for browser/client fingerprinting?

For added security our server keeps track of the browser fingerprint. At the moment we use the following headers:

  • 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR' (take the first non-empty as the client-IP)
  • HTTP_ACCEPTxxxx
  • HTTP_USER_AGENT

Are there any more (optional) headers that can be used?

What in general is the best 'algorithm' to calculate the client fingerprint?


1 answer

  • dongwoqin7034 2017-02-17 16:51

    You can use a unique browser fingerprint (user agent, web browser, canvas, etc.) and then get the hash.

    /* Generate a fingerprint string for the browser */
    /* Requires jQuery ($) and CryptoJS to be loaded on the page */
    function generateFingerprint(){
        //Generate a string based on "stable" information taken from the browser.
        //"Stable information" means information that normally does not change while the user
        //browses the application just after authentication
        var fingerprint = [];

        //Take plugins
        for(var i = 0; i < navigator.plugins.length; i++){
            fingerprint.push(navigator.plugins[i].name);
            fingerprint.push(navigator.plugins[i].filename);
            fingerprint.push(navigator.plugins[i].description);
            fingerprint.push(navigator.plugins[i].version);
        }

        //Take User Agent
        fingerprint.push(navigator.userAgent);

        //Take Screen resolution
        fingerprint.push(screen.availHeight);
        fingerprint.push(screen.availWidth);
        fingerprint.push(screen.colorDepth);
        fingerprint.push(screen.height);
        fingerprint.push(screen.pixelDepth);
        fingerprint.push(screen.width);

        //Take Graphical card info
        //See http://output.jsbin.com/ovekor/3/
        try {
            //Add a Canvas element if the body does not contain one
            if ( $("#glcanvas").length == 0 ){
                $(document.body).append("<canvas id='glcanvas'></canvas>");
            }
            //Get ref on Canvas
            var canvas = document.getElementById("glcanvas");
            //Retrieve Canvas properties (declared with var so gl does not leak as a global;
            //fall back to the older "experimental-webgl" context name)
            var gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
            gl.viewportWidth = canvas.width;
            gl.viewportHeight = canvas.height;
            fingerprint.push(gl.getParameter(gl.VERSION));
            fingerprint.push(gl.getParameter(gl.SHADING_LANGUAGE_VERSION));
            fingerprint.push(gl.getParameter(gl.VENDOR));
            fingerprint.push(gl.getParameter(gl.RENDERER));
            fingerprint.push(gl.getSupportedExtensions().join());
        } catch (e) {
            //Also keep the error (as text), because it will be stable too
            fingerprint.push(String(e));
        }

        //Last, in order to make this browser unique, generate a random ID that we store
        //in local storage (so it persists after the browser is closed and reopened).
        //This ID is added because, in enterprises, browsers most of the time have the same configuration
        var browserUniqueID = localStorage.getItem("browserUniqueID");
        if (browserUniqueID === null) {
            //The random WordArray is stored as its hex string representation
            localStorage.setItem("browserUniqueID", CryptoJS.lib.WordArray.random(80).toString());
            browserUniqueID = localStorage.getItem("browserUniqueID");
        }
        fingerprint.push(browserUniqueID);

        return fingerprint.join();
    }


    And finally, get the hash and send it to the server.

    //Call the fingerprint dedicated function
    var fingerprint = generateFingerprint();
    //Use the CryptoJS library to generate a hex encoded string of the hash of the fingerprint
    var fingerprintHash = CryptoJS.SHA256(fingerprint).toString(CryptoJS.enc.Hex);


    Source: https://www.owasp.org/index.php/JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java#Token_sidejacking https://browserleaks.com/canvas

    This answer was selected as the best answer by the asker.
