Loading ...
Sorry, an error occurred while loading the content.

Re: collecting unique client (computer) specific info?

Expand Messages
  • Perrin Harkins
    ... Perhaps you could explain what you re trying to do? - Perrin -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info:
    Message 1 of 22 , Sep 1, 2003
    • 0 Attachment
      On Tue, 2003-09-02 at 13:24, kfr wrote:
      > Any one out there know of some way, either from java or SLL or some other
      > combination, to collect any kind of machine specific information from a web
      > client logging into a site with SSL (Apache/mod_perl mod_ssl)? I need to
      > find some way to uniquely identify a 'machine', like possible grabbing it's
      > mac address would be ideal but obviously that can't be done ...
      >
      > Any clues?

      Perhaps you could explain what you're trying to do?

      - Perrin


      --
      Reporting bugs: http://perl.apache.org/bugs/
      Mail list info: http://perl.apache.org/maillist/modperl.html
    • Perrin Harkins
      ... Okay, that makes sense. Unfortunatey, there s no foolproof way that I m aware of. To begin with, you can try using a cookie. This will stop anyone who
      Message 2 of 22 , Sep 2, 2003
      • 0 Attachment
        On Tue, 2003-09-02 at 14:23, kfr wrote:
        > Yes, sorry. I have a site that allows my customers to become members via
        > monthly credit card subscription. The problem is we've been getting
        > fraudulent credit card transactions and need some mechanism to detect a user
        > who is a repeat offender so I can detect them trying to submit yet another
        > bogus CC for access.

        Okay, that makes sense. Unfortunatey, there's no foolproof way that I'm
        aware of. To begin with, you can try using a cookie. This will stop
        anyone who is not very technical. Beyond that, I have heard that
        there's some kind of unique identifier in SSL that you may be able to
        use. I know this because the f5 big/ip load balancers used it. Check
        into that.

        - Perrin


        --
        Reporting bugs: http://perl.apache.org/bugs/
        Mail list info: http://perl.apache.org/maillist/modperl.html
      • Stas Bekman
        ... $r- construct_url; From the C docs: /* Used for constructing self-referencing URLs, and things like SERVER_PORT, * and SERVER_NAME. */ /** * build a fully
        Message 3 of 22 , Sep 2, 2003
        • 0 Attachment
          Tofu Optimist wrote:
          > Hi folks --
          >
          > I'm using MP2, and I am trying to avoid loading CGI
          > for 2 reasons:
          >
          > (1) To save memory.
          >
          > (2) When I do load CGI, it fails at the "require
          > Apache" (line 161), and I'd prefer not to edit CGI on
          > my server. Uck.
          >
          > Given I'm not loading CGI, how can I determine
          > self_url() in MP2?
          >
          > I tried something like this
          > <code>
          > my $self_uri = APR::URI->parse($r->pool,
          > $r->uri)->unparse;
          > $r->headers_out->set(Location => $self_uri .
          > "&r2=1");
          > return Apache::REDIRECT;
          > </code>
          > but this gives me a partial URL, not the full
          > expansion.

          $r->construct_url;

          From the C docs:

          /* Used for constructing self-referencing URLs, and things like SERVER_PORT,
          * and SERVER_NAME.
          */
          /**
          * build a fully qualified URL from the uri and information in the request rec
          * @param p The pool to allocate the URL from
          * @param uri The path to the requested file
          * @param r The current request
          * @return A fully qualified URL
          * @deffunc char *ap_construct_url(apr_pool_t *p, const char *uri,
          request_rec *r)
          */
          AP_DECLARE(char *) ap_construct_url(apr_pool_t *p, const char *uri,
          request_rec *r);

          __________________________________________________________________
          Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
          http://stason.org/ mod_perl Guide ---> http://perl.apache.org
          mailto:stas@... http://use.perl.org http://apacheweek.com
          http://modperlbook.org http://apache.org http://ticketmaster.com



          --
          Reporting bugs: http://perl.apache.org/bugs/
          Mail list info: http://perl.apache.org/maillist/modperl.html
        • Tofu Optimist
          Thanks. How do I call construct_uri? Neither my $uri = APR::URI- parse($r- pool, $r- construct_url($r- pool, $r- uri, $r)); $uri .= r2=1 ;
          Message 4 of 22 , Sep 2, 2003
          • 0 Attachment
            Thanks. How do I call construct_uri?

            Neither

            my $uri = APR::URI->parse($r->pool,
            $r->construct_url($r->pool, $r->uri, $r));
            $uri .= "r2=1";
            $r->headers_out->set(Location => $uri .
            "&r2=1");
            return Apache::REDIRECT;


            nor

            my $uri = APR::URI->parse($r->pool,
            $r->construct_url);
            $uri .= "r2=1";
            $r->headers_out->set(Location => $uri .
            "&r2=1");
            return Apache::REDIRECT;

            works.

            Thanks Stas for all your patience and help!



            --- Stas Bekman <stas@...> wrote:
            > Tofu Optimist wrote:
            > > Hi folks --
            > >
            > > I'm using MP2, and I am trying to avoid loading
            > CGI
            > > for 2 reasons:
            > >
            > > (1) To save memory.
            > >
            > > (2) When I do load CGI, it fails at the "require
            > > Apache" (line 161), and I'd prefer not to edit CGI
            > on
            > > my server. Uck.
            > >
            > > Given I'm not loading CGI, how can I determine
            > > self_url() in MP2?
            > >
            > > I tried something like this
            > > <code>
            > > my $self_uri = APR::URI->parse($r->pool,
            > > $r->uri)->unparse;
            > > $r->headers_out->set(Location => $self_uri
            > .
            > > "&r2=1");
            > > return Apache::REDIRECT;
            > > </code>
            > > but this gives me a partial URL, not the full
            > > expansion.
            >
            > $r->construct_url;
            >
            > From the C docs:
            >
            > /* Used for constructing self-referencing URLs, and
            > things like SERVER_PORT,
            > * and SERVER_NAME.
            > */
            > /**
            > * build a fully qualified URL from the uri and
            > information in the request rec
            > * @param p The pool to allocate the URL from
            > * @param uri The path to the requested file
            > * @param r The current request
            > * @return A fully qualified URL
            > * @deffunc char *ap_construct_url(apr_pool_t *p,
            > const char *uri,
            > request_rec *r)
            > */
            > AP_DECLARE(char *) ap_construct_url(apr_pool_t *p,
            > const char *uri,
            > request_rec *r);
            >
            >
            __________________________________________________________________
            > Stas Bekman JAm_pH ------> Just Another
            > mod_perl Hacker
            > http://stason.org/ mod_perl Guide --->
            > http://perl.apache.org
            > mailto:stas@... http://use.perl.org
            > http://apacheweek.com
            > http://modperlbook.org http://apache.org
            > http://ticketmaster.com
            >
            >
            >
            > --
            > Reporting bugs: http://perl.apache.org/bugs/
            > Mail list info:
            > http://perl.apache.org/maillist/modperl.html
            >


            __________________________________
            Do you Yahoo!?
            Yahoo! SiteBuilder - Free, easy-to-use web site design software
            http://sitebuilder.yahoo.com


            --
            Reporting bugs: http://perl.apache.org/bugs/
            Mail list info: http://perl.apache.org/maillist/modperl.html
          • Stas Bekman
            ... You just call $r- construct_url. In your example that would be: $r- headers_out- set(Location = $r- construct_url . &r2=1 );
            Message 5 of 22 , Sep 2, 2003
            • 0 Attachment
              Tofu Optimist wrote:
              > Thanks. How do I call construct_uri?

              You just call $r->construct_url. In your example that would be:

              $r->headers_out->set(Location => $r->construct_url . "&r2=1");

              __________________________________________________________________
              Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
              http://stason.org/ mod_perl Guide ---> http://perl.apache.org
              mailto:stas@... http://use.perl.org http://apacheweek.com
              http://modperlbook.org http://apache.org http://ticketmaster.com



              --
              Reporting bugs: http://perl.apache.org/bugs/
              Mail list info: http://perl.apache.org/maillist/modperl.html
            • Stas Bekman
              [please keep the thread on the list!] ... in mp2 you need to load modules that contain the methods that you want to use: % lookup construct_url To use method
              Message 6 of 22 , Sep 2, 2003
              • 0 Attachment
                [please keep the thread on the list!]

                Tofu Optimist wrote:
                > :(
                >
                > [Tue Sep 02 15:22:53 2003] [error] [client
                > 192.168.1.2] Can't locate object method
                > "construct_url" via package "Apache::RequestRec" at
                > /home/xxxxxxxx/mod-perl/Redirect.pm line 59.
                >
                > Do I need to load it or something?

                in mp2 you need to load modules that contain the methods that you want to use:

                % lookup construct_url
                To use method 'construct_url' add:
                use Apache::URI ();

                See:
                http://perl.apache.org/docs/2.0/user/porting/porting.html#Porting_a_Perl_Module_to_Run_under_mod_perl_2_0


                >>You just call $r->construct_url. In your example
                >>that would be:
                >>
                >> $r->headers_out->set(Location =>
                >>$r->construct_url . "&r2=1");
                >>
                >>
                >
                > __________________________________________________________________
                >
                >>Stas Bekman JAm_pH ------> Just Another
                >>mod_perl Hacker
                >>http://stason.org/ mod_perl Guide --->
                >>http://perl.apache.org
                >>mailto:stas@... http://use.perl.org
                >>http://apacheweek.com
                >>http://modperlbook.org http://apache.org
                >>http://ticketmaster.com
                >>
                >>
                >>
                >>--
                >>Reporting bugs: http://perl.apache.org/bugs/
                >>Mail list info:
                >>http://perl.apache.org/maillist/modperl.html
                >>
                >
                >
                >
                > __________________________________
                > Do you Yahoo!?
                > Yahoo! SiteBuilder - Free, easy-to-use web site design software
                > http://sitebuilder.yahoo.com


                --


                __________________________________________________________________
                Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
                http://stason.org/ mod_perl Guide ---> http://perl.apache.org
                mailto:stas@... http://use.perl.org http://apacheweek.com
                http://modperlbook.org http://apache.org http://ticketmaster.com



                --
                Reporting bugs: http://perl.apache.org/bugs/
                Mail list info: http://perl.apache.org/maillist/modperl.html
              • Roger Davenport
                Apologies.. yes, this was meant for the list!! Roger
                Message 7 of 22 , Sep 2, 2003
                • 0 Attachment
                  Apologies..  yes, this was meant for the list!!

                  Roger

                  On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
                  Did you mean to send this to the list?  It only went to me.
                  
                  On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
                  > The session ID only lasts a certain time.. anywhere from a couple of
                  > minutes to a couple of days (varies widely).  SSLv2 is 16 bytes, and
                  > SSLv3/TLS is anywhere from 1 to 32 bytes.  The session ID is
                  > essentially a value which saves the client and server from having to
                  > handshake every time.  But if you get a matching value, chances are
                  > that you have the same machine if it's within a reasonable amount of
                  > time.
                  > 
                  > Roger
                  > 
                  > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote: 
                  > > On Tue, 2003-09-02 at 14:23, kfr wrote:
                  > > > Yes, sorry.  I have a site that allows my customers to become members via
                  > > > monthly credit card subscription.  The problem is we've been getting
                  > > > fraudulent credit card transactions and need some mechanism to detect a user
                  > > > who is a repeat offender so I can detect them trying to submit yet another
                  > > > bogus CC for access.
                  > > 
                  > > Okay, that makes sense.  Unfortunatey, there's no foolproof way that I'm
                  > > aware of.  To begin with, you can try using a cookie.  This will stop
                  > > anyone who is not very technical.  Beyond that, I have heard that
                  > > there's some kind of unique identifier in SSL that you may be able to
                  > > use.  I know this because the f5 big/ip load balancers used it.  Check
                  > > into that.
                  > > 
                  > > - Perrin
                • kfr
                  Anyone know how to capture the UUID from a request? I ve been looking all over the place and cant seem to find any reference to it anywhere ... K ... From:
                  Message 8 of 22 , Sep 3, 2003
                  • 0 Attachment
                    Anyone know how to capture the UUID from a request? I've been looking all over the place and cant seem to find any reference to it anywhere ...

                    K





                    -----Original Message-----
                    From: Roger Davenport [mailto:rdavenport@...]
                    Sent: Tuesday, September 02, 2003 12:55 PM
                    To: Perrin Harkins
                    Cc: modperl@...
                    Subject: RE: collecting unique client (computer) specific info?


                    Apologies.. yes, this was meant for the list!!

                    Roger

                    On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
                    Did you mean to send this to the list? It only went to me.

                    On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
                    > The session ID only lasts a certain time.. anywhere from a couple of
                    > minutes to a couple of days (varies widely). SSLv2 is 16 bytes, and
                    > SSLv3/TLS is anywhere from 1 to 32 bytes. The session ID is
                    > essentially a value which saves the client and server from having to
                    > handshake every time. But if you get a matching value, chances are
                    > that you have the same machine if it's within a reasonable amount of
                    > time.
                    >
                    > Roger
                    >
                    > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote:
                    > > On Tue, 2003-09-02 at 14:23, kfr wrote:
                    > > > Yes, sorry. I have a site that allows my customers to become members via
                    > > > monthly credit card subscription. The problem is we've been getting
                    > > > fraudulent credit card transactions and need some mechanism to detect a user
                    > > > who is a repeat offender so I can detect them trying to submit yet another
                    > > > bogus CC for access.
                    > >
                    > > Okay, that makes sense. Unfortunatey, there's no foolproof way that I'm
                    > > aware of. To begin with, you can try using a cookie. This will stop
                    > > anyone who is not very technical. Beyond that, I have heard that
                    > > there's some kind of unique identifier in SSL that you may be able to
                    > > use. I know this because the f5 big/ip load balancers used it. Check
                    > > into that.
                    > >
                    > > - Perrin



                    --
                    Reporting bugs: http://perl.apache.org/bugs/
                    Mail list info: http://perl.apache.org/maillist/modperl.html
                  • Perrin Harkins
                    ... According to the mod_ssl manual, it is stored in an environment variable called SSL_SESSION_ID. - Perrin -- Reporting bugs: http://perl.apache.org/bugs/
                    Message 9 of 22 , Sep 3, 2003
                    • 0 Attachment
                      On Wed, 2003-09-03 at 12:22, kfr wrote:
                      > Anyone know how to capture the UUID from a request?

                      According to the mod_ssl manual, it is stored in an environment variable
                      called SSL_SESSION_ID.

                      - Perrin



                      --
                      Reporting bugs: http://perl.apache.org/bugs/
                      Mail list info: http://perl.apache.org/maillist/modperl.html
                    • Ged Haywood
                      Hi there, ... What makes you think there ll be one in there? ... Try Google? 73, Ged. -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info:
                      Message 10 of 22 , Sep 3, 2003
                      • 0 Attachment
                        Hi there,

                        On Wed, 3 Sep 2003, kfr wrote:

                        > Anyone know how to capture the UUID from a request?

                        What makes you think there'll be one in there?

                        > I've been looking all over the place and cant seem to find any
                        > reference to it anywhere ...

                        Try Google?

                        73,
                        Ged.



                        --
                        Reporting bugs: http://perl.apache.org/bugs/
                        Mail list info: http://perl.apache.org/maillist/modperl.html
                      • Stas Bekman
                        ... You mean, you want to generate one? in mod_perl2/apr it d be: use APR::UUID: my $uuid = APR::UUID- new- format; or from the command line (assuming that you
                        Message 11 of 22 , Sep 3, 2003
                        • 0 Attachment
                          kfr wrote:
                          > Anyone know how to capture the UUID from a request? I've been looking all
                          > over the place and cant seem to find any reference to it anywhere ...

                          You mean, you want to generate one? in mod_perl2/apr it'd be:

                          use APR::UUID:
                          my $uuid = APR::UUID->new->format;

                          or from the command line (assuming that you are using the latest cvs):

                          perl -MApache2 -MAPR -MAPR::UUID -le 'print APR::UUID->new->format'

                          __________________________________________________________________
                          Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
                          http://stason.org/ mod_perl Guide ---> http://perl.apache.org
                          mailto:stas@... http://use.perl.org http://apacheweek.com
                          http://modperlbook.org http://apache.org http://ticketmaster.com



                          --
                          Reporting bugs: http://perl.apache.org/bugs/
                          Mail list info: http://perl.apache.org/maillist/modperl.html
                        • John Saylor
                          hi ... is there an equivalent in mod_perl1? -- js -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
                          Message 12 of 22 , Sep 3, 2003
                          • 0 Attachment
                            hi

                            ( 03.09.03 10:42 -0700 ) Stas Bekman:
                            > You mean, you want to generate one? in mod_perl2/apr it'd be:

                            is there an equivalent in mod_perl1?

                            --
                            \js



                            --
                            Reporting bugs: http://perl.apache.org/bugs/
                            Mail list info: http://perl.apache.org/maillist/modperl.html
                          • Perrin Harkins
                            ... Use Data::UUID from CPAN or mod_unique_id. Note that this (and the mod_perl 2 approach Stas posted) has nothing to do with identifying the actual client,
                            Message 13 of 22 , Sep 3, 2003
                            • 0 Attachment
                              On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                              > is there an equivalent in mod_perl1?

                              Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                              mod_perl 2 approach Stas posted) has nothing to do with identifying the
                              actual client, which is what the original question on this thread was
                              about.

                              - Perrin


                              --
                              Reporting bugs: http://perl.apache.org/bugs/
                              Mail list info: http://perl.apache.org/maillist/modperl.html
                            • Stas Bekman
                              ... I m sure there are a few modules on CPAN that you can use. Again I m talking about generating UUD, not extracting the SSL one. Perrin has replied that you
                              Message 14 of 22 , Sep 3, 2003
                              • 0 Attachment
                                John Saylor wrote:
                                > hi
                                >
                                > ( 03.09.03 10:42 -0700 ) Stas Bekman:
                                >
                                >>You mean, you want to generate one? in mod_perl2/apr it'd be:
                                >
                                >
                                > is there an equivalent in mod_perl1?

                                I'm sure there are a few modules on CPAN that you can use. Again I'm talking
                                about generating UUD, not extracting the SSL one. Perrin has replied that you
                                need $ENV{SSL_SESSION_ID} for the SSL one.




                                __________________________________________________________________
                                Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
                                http://stason.org/ mod_perl Guide ---> http://perl.apache.org
                                mailto:stas@... http://use.perl.org http://apacheweek.com
                                http://modperlbook.org http://apache.org http://ticketmaster.com



                                --
                                Reporting bugs: http://perl.apache.org/bugs/
                                Mail list info: http://perl.apache.org/maillist/modperl.html
                              • kfr
                                I m able to see it now ... had to re-compile my server with mod_ssl (not apache-ssl) and I can see the SSL_SESSION_ID. So I take it there s no way to decrypt
                                Message 15 of 22 , Sep 3, 2003
                                • 0 Attachment
                                  I'm able to see it now ... had to re-compile my server with mod_ssl (not
                                  apache-ssl) and I can see the SSL_SESSION_ID. So I take it there's no way
                                  to decrypt that and grab anything useful out of it other than it's one time
                                  uniqueness? The doc's state its a combo of a few different parameters
                                  (timestamp, hardware address, etc), which the hardware address is really
                                  what I'm after.

                                  K



                                  >-----Original Message-----
                                  >From: Perrin Harkins [mailto:perrin@...]
                                  >Sent: Wednesday, September 03, 2003 12:28 PM
                                  >To: John Saylor
                                  >Cc: modperl@...
                                  >Subject: Re: collecting unique client (computer) specific info?
                                  >
                                  >
                                  >On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                                  >> is there an equivalent in mod_perl1?
                                  >
                                  >Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                                  >mod_perl 2 approach Stas posted) has nothing to do with identifying the
                                  >actual client, which is what the original question on this thread was
                                  >about.
                                  >
                                  >- Perrin
                                  >
                                  >
                                  >--
                                  >Reporting bugs: http://perl.apache.org/bugs/
                                  >Mail list info: http://perl.apache.org/maillist/modperl.html
                                  >
                                  >



                                  --
                                  Reporting bugs: http://perl.apache.org/bugs/
                                  Mail list info: http://perl.apache.org/maillist/modperl.html
                                • Ged Haywood
                                  Hi there, ... What hardware? 73, Ged. -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
                                  Message 16 of 22 , Sep 3, 2003
                                  • 0 Attachment
                                    Hi there,

                                    On Wed, 3 Sep 2003, kfr wrote:

                                    > had to re-compile my server with mod_ssl

                                    :)

                                    > the hardware address is really what I'm after.

                                    What hardware?

                                    73,
                                    Ged.



                                    --
                                    Reporting bugs: http://perl.apache.org/bugs/
                                    Mail list info: http://perl.apache.org/maillist/modperl.html
                                  Your message has been successfully submitted and would be delivered to recipients shortly.