 

Re: collecting unique client (computer) specific info?

  • Perrin Harkins
    Message 1 of 22 , Sep 1, 2003
      On Tue, 2003-09-02 at 13:24, kfr wrote:
      > Anyone out there know of some way, either from Java or SSL or some other
      > combination, to collect any kind of machine specific information from a web
      > client logging into a site with SSL (Apache/mod_perl mod_ssl)? I need to
      > find some way to uniquely identify a 'machine', like possibly grabbing its
      > MAC address would be ideal but obviously that can't be done ...
      >
      > Any clues?

      Perhaps you could explain what you're trying to do?

      - Perrin


      --
      Reporting bugs: http://perl.apache.org/bugs/
      Mail list info: http://perl.apache.org/maillist/modperl.html
    • Tofu Optimist
      Message 2 of 22 , Sep 2, 2003
        Hi folks --

        I'm using MP2, and I am trying to avoid loading CGI
        for 2 reasons:

        (1) To save memory.

        (2) When I do load CGI, it fails at the "require
        Apache" (line 161), and I'd prefer not to edit CGI on
        my server. Uck.

        Given I'm not loading CGI, how can I determine
        self_url() in MP2?

        I tried something like this
        <code>
        my $self_uri = APR::URI->parse($r->pool,
        $r->uri)->unparse;
        $r->headers_out->set(Location => $self_uri .
        "&r2=1");
        return Apache::REDIRECT;
        </code>
        but this gives me a partial URL, not the full
        expansion.

        Thanks for any assistance.

        -TO


      • Perrin Harkins
        Message 3 of 22 , Sep 2, 2003
          On Tue, 2003-09-02 at 14:23, kfr wrote:
          > Yes, sorry. I have a site that allows my customers to become members via
          > monthly credit card subscription. The problem is we've been getting
          > fraudulent credit card transactions and need some mechanism to detect a user
          > who is a repeat offender so I can detect them trying to submit yet another
          > bogus CC for access.

          Okay, that makes sense. Unfortunately, there's no foolproof way that I'm
          aware of. To begin with, you can try using a cookie. This will stop
          anyone who is not very technical. Beyond that, I have heard that
          there's some kind of unique identifier in SSL that you may be able to
          use. I know this because the f5 big/ip load balancers used it. Check
          into that.

          - Perrin


        • Stas Bekman
          Message 4 of 22 , Sep 2, 2003
            Tofu Optimist wrote:
            > Hi folks --
            >
            > I'm using MP2, and I am trying to avoid loading CGI
            > for 2 reasons:
            >
            > (1) To save memory.
            >
            > (2) When I do load CGI, it fails at the "require
            > Apache" (line 161), and I'd prefer not to edit CGI on
            > my server. Uck.
            >
            > Given I'm not loading CGI, how can I determine
            > self_url() in MP2?
            >
            > I tried something like this
            > <code>
            > my $self_uri = APR::URI->parse($r->pool,
            > $r->uri)->unparse;
            > $r->headers_out->set(Location => $self_uri .
            > "&r2=1");
            > return Apache::REDIRECT;
            > </code>
            > but this gives me a partial URL, not the full
            > expansion.

            $r->construct_url;

            From the C docs:

            /* Used for constructing self-referencing URLs, and things like SERVER_PORT,
            * and SERVER_NAME.
            */
            /**
            * build a fully qualified URL from the uri and information in the request rec
            * @param p The pool to allocate the URL from
            * @param uri The path to the requested file
            * @param r The current request
            * @return A fully qualified URL
            * @deffunc char *ap_construct_url(apr_pool_t *p, const char *uri,
            request_rec *r)
            */
            AP_DECLARE(char *) ap_construct_url(apr_pool_t *p, const char *uri,
            request_rec *r);

            __________________________________________________________________
            Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
            http://stason.org/ mod_perl Guide ---> http://perl.apache.org
            mailto:stas@... http://use.perl.org http://apacheweek.com
            http://modperlbook.org http://apache.org http://ticketmaster.com



          • Tofu Optimist
            Message 5 of 22 , Sep 2, 2003
              Thanks. How do I call construct_uri?

              Neither

              my $uri = APR::URI->parse($r->pool,
              $r->construct_url($r->pool, $r->uri, $r));
              $uri .= "r2=1";
              $r->headers_out->set(Location => $uri .
              "&r2=1");
              return Apache::REDIRECT;


              nor

              my $uri = APR::URI->parse($r->pool,
              $r->construct_url);
              $uri .= "r2=1";
              $r->headers_out->set(Location => $uri .
              "&r2=1");
              return Apache::REDIRECT;

              works.

              Thanks Stas for all your patience and help!



              --- Stas Bekman <stas@...> wrote:
              > Tofu Optimist wrote:
              > > Hi folks --
              > >
              > > I'm using MP2, and I am trying to avoid loading
              > CGI
              > > for 2 reasons:
              > >
              > > (1) To save memory.
              > >
              > > (2) When I do load CGI, it fails at the "require
              > > Apache" (line 161), and I'd prefer not to edit CGI
              > on
              > > my server. Uck.
              > >
              > > Given I'm not loading CGI, how can I determine
              > > self_url() in MP2?
              > >
              > > I tried something like this
              > > <code>
              > > my $self_uri = APR::URI->parse($r->pool,
              > > $r->uri)->unparse;
              > > $r->headers_out->set(Location => $self_uri
              > .
              > > "&r2=1");
              > > return Apache::REDIRECT;
              > > </code>
              > > but this gives me a partial URL, not the full
              > > expansion.
              >
              > $r->construct_url;
              >
              > From the C docs:
              >
              > /* Used for constructing self-referencing URLs, and
              > things like SERVER_PORT,
              > * and SERVER_NAME.
              > */
              > /**
              > * build a fully qualified URL from the uri and
              > information in the request rec
              > * @param p The pool to allocate the URL from
              > * @param uri The path to the requested file
              > * @param r The current request
              > * @return A fully qualified URL
              > * @deffunc char *ap_construct_url(apr_pool_t *p,
              > const char *uri,
              > request_rec *r)
              > */
              > AP_DECLARE(char *) ap_construct_url(apr_pool_t *p,
              > const char *uri,
              > request_rec *r);
            • Stas Bekman
              Message 6 of 22 , Sep 2, 2003
                Tofu Optimist wrote:
                > Thanks. How do I call construct_uri?

                You just call $r->construct_url. In your example that would be:

                $r->headers_out->set(Location => $r->construct_url . "&r2=1");

              • Stas Bekman
                Message 7 of 22 , Sep 2, 2003
                  [please keep the thread on the list!]

                  Tofu Optimist wrote:
                  > :(
                  >
                  > [Tue Sep 02 15:22:53 2003] [error] [client
                  > 192.168.1.2] Can't locate object method
                  > "construct_url" via package "Apache::RequestRec" at
                  > /home/xxxxxxxx/mod-perl/Redirect.pm line 59.
                  >
                  > Do I need to load it or something?

                  in mp2 you need to load modules that contain the methods that you want to use:

                  % lookup construct_url
                  To use method 'construct_url' add:
                  use Apache::URI ();

                  See:
                  http://perl.apache.org/docs/2.0/user/porting/porting.html#Porting_a_Perl_Module_to_Run_under_mod_perl_2_0


                  >>You just call $r->construct_url. In your example
                  >>that would be:
                  >>
                  >> $r->headers_out->set(Location =>
                  >>$r->construct_url . "&r2=1");
                • Roger Davenport
                  Message 8 of 22 , Sep 2, 2003
                    Apologies..  yes, this was meant for the list!!

                    Roger

                    On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
                    Did you mean to send this to the list?  It only went to me.
                    
                    On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
                    > The session ID only lasts a certain time.. anywhere from a couple of
                    > minutes to a couple of days (varies widely).  SSLv2 is 16 bytes, and
                    > SSLv3/TLS is anywhere from 1 to 32 bytes.  The session ID is
                    > essentially a value which saves the client and server from having to
                    > handshake every time.  But if you get a matching value, chances are
                    > that you have the same machine if it's within a reasonable amount of
                    > time.
                    > 
                    > Roger
                    > 
                    > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote: 
                    > > On Tue, 2003-09-02 at 14:23, kfr wrote:
                    > > > Yes, sorry.  I have a site that allows my customers to become members via
                    > > > monthly credit card subscription.  The problem is we've been getting
                    > > > fraudulent credit card transactions and need some mechanism to detect a user
                    > > > who is a repeat offender so I can detect them trying to submit yet another
                    > > > bogus CC for access.
                    > > 
                    > > Okay, that makes sense.  Unfortunately, there's no foolproof way that I'm
                    > > aware of.  To begin with, you can try using a cookie.  This will stop
                    > > anyone who is not very technical.  Beyond that, I have heard that
                    > > there's some kind of unique identifier in SSL that you may be able to
                    > > use.  I know this because the f5 big/ip load balancers used it.  Check
                    > > into that.
                    > > 
                    > > - Perrin
                  • kfr
                    Message 9 of 22 , Sep 3, 2003
                      Anyone know how to capture the UUID from a request? I've been looking all over the place and can't seem to find any reference to it anywhere ...

                      K





                      -----Original Message-----
                      From: Roger Davenport [mailto:rdavenport@...]
                      Sent: Tuesday, September 02, 2003 12:55 PM
                      To: Perrin Harkins
                      Cc: modperl@...
                      Subject: RE: collecting unique client (computer) specific info?


                      Apologies.. yes, this was meant for the list!!

                      Roger

                      On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
                      Did you mean to send this to the list? It only went to me.

                      On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
                      > The session ID only lasts a certain time.. anywhere from a couple of
                      > minutes to a couple of days (varies widely). SSLv2 is 16 bytes, and
                      > SSLv3/TLS is anywhere from 1 to 32 bytes. The session ID is
                      > essentially a value which saves the client and server from having to
                      > handshake every time. But if you get a matching value, chances are
                      > that you have the same machine if it's within a reasonable amount of
                      > time.
                      >
                      > Roger
                      >
                      > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote:
                      > > On Tue, 2003-09-02 at 14:23, kfr wrote:
                      > > > Yes, sorry. I have a site that allows my customers to become members via
                      > > > monthly credit card subscription. The problem is we've been getting
                      > > > fraudulent credit card transactions and need some mechanism to detect a user
                      > > > who is a repeat offender so I can detect them trying to submit yet another
                      > > > bogus CC for access.
                      > >
                      > > Okay, that makes sense. Unfortunately, there's no foolproof way that I'm
                      > > aware of. To begin with, you can try using a cookie. This will stop
                      > > anyone who is not very technical. Beyond that, I have heard that
                      > > there's some kind of unique identifier in SSL that you may be able to
                      > > use. I know this because the f5 big/ip load balancers used it. Check
                      > > into that.
                      > >
                      > > - Perrin



                    • Perrin Harkins
                      Message 10 of 22 , Sep 3, 2003
                        On Wed, 2003-09-03 at 12:22, kfr wrote:
                        > Anyone know how to capture the UUID from a request?

                        According to the mod_ssl manual, it is stored in an environment variable
                        called SSL_SESSION_ID.

                        - Perrin



                      • Ged Haywood
                        Message 11 of 22 , Sep 3, 2003
                          Hi there,

                          On Wed, 3 Sep 2003, kfr wrote:

                          > Anyone know how to capture the UUID from a request?

                          What makes you think there'll be one in there?

                          > I've been looking all over the place and can't seem to find any
                          > reference to it anywhere ...

                          Try Google?

                          73,
                          Ged.



                        • Stas Bekman
                          Message 12 of 22 , Sep 3, 2003
                            kfr wrote:
                            > Anyone know how to capture the UUID from a request? I've been looking all
                            > over the place and can't seem to find any reference to it anywhere ...

                            You mean, you want to generate one? in mod_perl2/apr it'd be:

                            use APR::UUID;
                            my $uuid = APR::UUID->new->format;

                            or from the command line (assuming that you are using the latest cvs):

                            perl -MApache2 -MAPR -MAPR::UUID -le 'print APR::UUID->new->format'

                          • John Saylor
                            Message 13 of 22 , Sep 3, 2003
                              hi

                              ( 03.09.03 10:42 -0700 ) Stas Bekman:
                              > You mean, you want to generate one? in mod_perl2/apr it'd be:

                              is there an equivalent in mod_perl1?

                              --
                              \js



                            • Perrin Harkins
                              Message 14 of 22 , Sep 3, 2003
                                On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                                > is there an equivalent in mod_perl1?

                                Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                                mod_perl 2 approach Stas posted) has nothing to do with identifying the
                                actual client, which is what the original question on this thread was
                                about.

                                - Perrin


                              • Stas Bekman
                                Message 15 of 22 , Sep 3, 2003
                                  John Saylor wrote:
                                  > hi
                                  >
                                  > ( 03.09.03 10:42 -0700 ) Stas Bekman:
                                  >
                                  >>You mean, you want to generate one? in mod_perl2/apr it'd be:
                                  >
                                  >
                                  > is there an equivalent in mod_perl1?

                                  I'm sure there are a few modules on CPAN that you can use. Again I'm talking
                                  about generating a UUID, not extracting the SSL one. Perrin has replied that you
                                  need $ENV{SSL_SESSION_ID} for the SSL one.




                                • kfr
                                  Message 16 of 22 , Sep 3, 2003
                                    I'm able to see it now ... had to re-compile my server with mod_ssl (not
                                    apache-ssl) and I can see the SSL_SESSION_ID. So I take it there's no way
                                    to decrypt that and grab anything useful out of it other than its one-time
                                    uniqueness? The docs state it's a combo of a few different parameters
                                    (timestamp, hardware address, etc), of which the hardware address is really
                                    what I'm after.

                                    K



                                    >-----Original Message-----
                                    >From: Perrin Harkins [mailto:perrin@...]
                                    >Sent: Wednesday, September 03, 2003 12:28 PM
                                    >To: John Saylor
                                    >Cc: modperl@...
                                    >Subject: Re: collecting unique client (computer) specific info?
                                    >
                                    >
                                    >On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                                    >> is there an equivalent in mod_perl1?
                                    >
                                    >Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                                    >mod_perl 2 approach Stas posted) has nothing to do with identifying the
                                    >actual client, which is what the original question on this thread was
                                    >about.
                                    >
                                    >- Perrin
                                  • Ged Haywood
                                    Message 17 of 22 , Sep 3, 2003
                                      Hi there,

                                      On Wed, 3 Sep 2003, kfr wrote:

                                      > had to re-compile my server with mod_ssl

                                      :)

                                      > the hardware address is really what I'm after.

                                      What hardware?

                                      73,
                                      Ged.
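
The matching suggested in this thread (a cookie first, then the mod_ssl SSL_SESSION_ID seen again "within a reasonable amount of time") can be sketched as follows. This is an added example, not code from any poster: the log format, the 30-minute window, the threshold of two declines, and the function names are all assumptions, and a match is a signal for review rather than proof of the same machine.

```perl
#!/usr/bin/perl
# Added example: flag repeated declined sign-ups that share a cookie or an
# SSL session ID within a time window. Names and log format are hypothetical.
use strict;
use warnings;

# Constructed sample log, tab-separated:
#   epoch_seconds  SSL_SESSION_ID (hex, "-" if none)  cookie_id ("-" if none)  outcome
my @SAMPLE_LOG = (
    "1062600000\tA1B2C3D4E5F60718293A4B5C6D7E8F90\t-\tdeclined",
    "1062600240\tA1B2C3D4E5F60718293A4B5C6D7E8F90\t-\tdeclined",  # same session, 4 min later
    "1062600300\t0F1E2D3C4B5A69788796A5B4C3D2E1F0\tc-1001\tapproved",
    "1062600900\tnot-hex\tc-2002\tdeclined",                        # malformed ID: cookie only
    "1062601500\t-\tc-2002\tdeclined",                              # same cookie, 10 min later
    "1062690000\tA1B2C3D4E5F60718293A4B5C6D7E8F90\t-\tdeclined",  # a day later: outside window
);

# Parse one log line into a hashref, or return undef if it is malformed.
sub parse_attempt {
    my ($line) = @_;
    chomp $line;
    my ($ts, $sid, $cookie, $outcome) = split /\t/, $line;
    return unless defined $outcome && $ts =~ /\A\d+\z/;

    # Session IDs are 1 to 32 bytes (16 for SSLv2), so 2 to 64 hex digits.
    # Anything else is treated as "no session ID" instead of being matched on.
    $sid    = undef unless $sid =~ /\A(?:[0-9A-Fa-f]{2}){1,32}\z/;
    $cookie = undef if $cookie eq '-' || $cookie eq '';

    return {
        ts      => $ts,
        sid     => defined $sid ? uc $sid : undef,
        cookie  => $cookie,
        outcome => $outcome,
    };
}

# Return a list of alerts: one for each declined attempt that brings the
# number of declines for the same key (session ID or cookie) inside the
# sliding window up to the threshold or beyond.
sub find_repeat_declines {
    my ($lines, $window, $threshold) = @_;
    my (%recent, @alerts);

    for my $line (@$lines) {
        my $att = parse_attempt($line) or next;
        next unless $att->{outcome} eq 'declined';

        # The cookie and the session ID are tracked independently, so a
        # client that drops one of them is still matched on the other.
        my @keys;
        push @keys, "sid:$att->{sid}"       if defined $att->{sid};
        push @keys, "cookie:$att->{cookie}" if defined $att->{cookie};

        for my $key (@keys) {
            my $seen = $recent{$key} ||= [];
            # Forget declines that are older than the window.
            shift @$seen while @$seen && $att->{ts} - $seen->[0] > $window;
            push @$seen, $att->{ts};
            push @alerts, { key => $key, ts => $att->{ts}, count => scalar @$seen }
                if @$seen >= $threshold;
        }
    }
    return \@alerts;
}

for my $alert (@{ find_repeat_declines(\@SAMPLE_LOG, 30 * 60, 2) }) {
    printf "%d declines within window for %s (latest at %d)\n",
        @$alert{qw(count key ts)};
}
```

In a live handler the session ID field would be filled from `$ENV{SSL_SESSION_ID}`, as stated earlier in the thread.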


