Loading ...
Sorry, an error occurred while loading the content.

RE: collecting unique client (computer) specific info?

Expand Messages
  • Perrin Harkins
    ... Okay, that makes sense. Unfortunatey, there s no foolproof way that I m aware of. To begin with, you can try using a cookie. This will stop anyone who
    Message 1 of 22 , Sep 2, 2003
    • 0 Attachment
      On Tue, 2003-09-02 at 14:23, kfr wrote:
      > Yes, sorry. I have a site that allows my customers to become members via
      > monthly credit card subscription. The problem is we've been getting
      > fraudulent credit card transactions and need some mechanism to detect a user
      > who is a repeat offender so I can detect them trying to submit yet another
      > bogus CC for access.

      Okay, that makes sense. Unfortunatey, there's no foolproof way that I'm
      aware of. To begin with, you can try using a cookie. This will stop
      anyone who is not very technical. Beyond that, I have heard that
      there's some kind of unique identifier in SSL that you may be able to
      use. I know this because the f5 big/ip load balancers used it. Check
      into that.

      - Perrin


      --
      Reporting bugs: http://perl.apache.org/bugs/
      Mail list info: http://perl.apache.org/maillist/modperl.html
    • Tofu Optimist
      Thanks. How do I call construct_uri? Neither my $uri = APR::URI- parse($r- pool, $r- construct_url($r- pool, $r- uri, $r)); $uri .= r2=1 ;
      Message 2 of 22 , Sep 2, 2003
      • 0 Attachment
        Thanks. How do I call construct_uri?

        Neither

        my $uri = APR::URI->parse($r->pool,
        $r->construct_url($r->pool, $r->uri, $r));
        $uri .= "r2=1";
        $r->headers_out->set(Location => $uri .
        "&r2=1");
        return Apache::REDIRECT;


        nor

        my $uri = APR::URI->parse($r->pool,
        $r->construct_url);
        $uri .= "r2=1";
        $r->headers_out->set(Location => $uri .
        "&r2=1");
        return Apache::REDIRECT;

        works.

        Thanks Stas for all your patience and help!



        --- Stas Bekman <stas@...> wrote:
        > Tofu Optimist wrote:
        > > Hi folks --
        > >
        > > I'm using MP2, and I am trying to avoid loading
        > CGI
        > > for 2 reasons:
        > >
        > > (1) To save memory.
        > >
        > > (2) When I do load CGI, it fails at the "require
        > > Apache" (line 161), and I'd prefer not to edit CGI
        > on
        > > my server. Uck.
        > >
        > > Given I'm not loading CGI, how can I determine
        > > self_url() in MP2?
        > >
        > > I tried something like this
        > > <code>
        > > my $self_uri = APR::URI->parse($r->pool,
        > > $r->uri)->unparse;
        > > $r->headers_out->set(Location => $self_uri
        > .
        > > "&r2=1");
        > > return Apache::REDIRECT;
        > > </code>
        > > but this gives me a partial URL, not the full
        > > expansion.
        >
        > $r->construct_url;
        >
        > From the C docs:
        >
        > /* Used for constructing self-referencing URLs, and
        > things like SERVER_PORT,
        > * and SERVER_NAME.
        > */
        > /**
        > * build a fully qualified URL from the uri and
        > information in the request rec
        > * @param p The pool to allocate the URL from
        > * @param uri The path to the requested file
        > * @param r The current request
        > * @return A fully qualified URL
        > * @deffunc char *ap_construct_url(apr_pool_t *p,
        > const char *uri,
        > request_rec *r)
        > */
        > AP_DECLARE(char *) ap_construct_url(apr_pool_t *p,
        > const char *uri,
        > request_rec *r);
        >
        >
        __________________________________________________________________
        > Stas Bekman JAm_pH ------> Just Another
        > mod_perl Hacker
        > http://stason.org/ mod_perl Guide --->
        > http://perl.apache.org
        > mailto:stas@... http://use.perl.org
        > http://apacheweek.com
        > http://modperlbook.org http://apache.org
        > http://ticketmaster.com
        >
        >
        >
        > --
        > Reporting bugs: http://perl.apache.org/bugs/
        > Mail list info:
        > http://perl.apache.org/maillist/modperl.html
        >


        __________________________________
        Do you Yahoo!?
        Yahoo! SiteBuilder - Free, easy-to-use web site design software
        http://sitebuilder.yahoo.com


        --
        Reporting bugs: http://perl.apache.org/bugs/
        Mail list info: http://perl.apache.org/maillist/modperl.html
      • Stas Bekman
        ... You just call $r- construct_url. In your example that would be: $r- headers_out- set(Location = $r- construct_url . &r2=1 );
        Message 3 of 22 , Sep 2, 2003
        • 0 Attachment
          Tofu Optimist wrote:
          > Thanks. How do I call construct_uri?

          You just call $r->construct_url. In your example that would be:

          $r->headers_out->set(Location => $r->construct_url . "&r2=1");

          __________________________________________________________________
          Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
          http://stason.org/ mod_perl Guide ---> http://perl.apache.org
          mailto:stas@... http://use.perl.org http://apacheweek.com
          http://modperlbook.org http://apache.org http://ticketmaster.com



          --
          Reporting bugs: http://perl.apache.org/bugs/
          Mail list info: http://perl.apache.org/maillist/modperl.html
        • Stas Bekman
          [please keep the thread on the list!] ... in mp2 you need to load modules that contain the methods that you want to use: % lookup construct_url To use method
          Message 4 of 22 , Sep 2, 2003
          • 0 Attachment
            [please keep the thread on the list!]

            Tofu Optimist wrote:
            > :(
            >
            > [Tue Sep 02 15:22:53 2003] [error] [client
            > 192.168.1.2] Can't locate object method
            > "construct_url" via package "Apache::RequestRec" at
            > /home/xxxxxxxx/mod-perl/Redirect.pm line 59.
            >
            > Do I need to load it or something?

            in mp2 you need to load modules that contain the methods that you want to use:

            % lookup construct_url
            To use method 'construct_url' add:
            use Apache::URI ();

            See:
            http://perl.apache.org/docs/2.0/user/porting/porting.html#Porting_a_Perl_Module_to_Run_under_mod_perl_2_0


            >>You just call $r->construct_url. In your example
            >>that would be:
            >>
            >> $r->headers_out->set(Location =>
            >>$r->construct_url . "&r2=1");
            >>
            >>
            >
            > __________________________________________________________________
            >
            >>Stas Bekman JAm_pH ------> Just Another
            >>mod_perl Hacker
            >>http://stason.org/ mod_perl Guide --->
            >>http://perl.apache.org
            >>mailto:stas@... http://use.perl.org
            >>http://apacheweek.com
            >>http://modperlbook.org http://apache.org
            >>http://ticketmaster.com
            >>
            >>
            >>
            >>--
            >>Reporting bugs: http://perl.apache.org/bugs/
            >>Mail list info:
            >>http://perl.apache.org/maillist/modperl.html
            >>
            >
            >
            >
            > __________________________________
            > Do you Yahoo!?
            > Yahoo! SiteBuilder - Free, easy-to-use web site design software
            > http://sitebuilder.yahoo.com


            --


            __________________________________________________________________
            Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
            http://stason.org/ mod_perl Guide ---> http://perl.apache.org
            mailto:stas@... http://use.perl.org http://apacheweek.com
            http://modperlbook.org http://apache.org http://ticketmaster.com



            --
            Reporting bugs: http://perl.apache.org/bugs/
            Mail list info: http://perl.apache.org/maillist/modperl.html
          • Roger Davenport
            Apologies.. yes, this was meant for the list!! Roger
            Message 5 of 22 , Sep 2, 2003
            • 0 Attachment
              Apologies..  yes, this was meant for the list!!

              Roger

              On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
              Did you mean to send this to the list?  It only went to me.
              
              On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
              > The session ID only lasts a certain time.. anywhere from a couple of
              > minutes to a couple of days (varies widely).  SSLv2 is 16 bytes, and
              > SSLv3/TLS is anywhere from 1 to 32 bytes.  The session ID is
              > essentially a value which saves the client and server from having to
              > handshake every time.  But if you get a matching value, chances are
              > that you have the same machine if it's within a reasonable amount of
              > time.
              > 
              > Roger
              > 
              > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote: 
              > > On Tue, 2003-09-02 at 14:23, kfr wrote:
              > > > Yes, sorry.  I have a site that allows my customers to become members via
              > > > monthly credit card subscription.  The problem is we've been getting
              > > > fraudulent credit card transactions and need some mechanism to detect a user
              > > > who is a repeat offender so I can detect them trying to submit yet another
              > > > bogus CC for access.
              > > 
              > > Okay, that makes sense.  Unfortunatey, there's no foolproof way that I'm
              > > aware of.  To begin with, you can try using a cookie.  This will stop
              > > anyone who is not very technical.  Beyond that, I have heard that
              > > there's some kind of unique identifier in SSL that you may be able to
              > > use.  I know this because the f5 big/ip load balancers used it.  Check
              > > into that.
              > > 
              > > - Perrin
            • kfr
              Anyone know how to capture the UUID from a request? I ve been looking all over the place and cant seem to find any reference to it anywhere ... K ... From:
              Message 6 of 22 , Sep 3, 2003
              • 0 Attachment
                Anyone know how to capture the UUID from a request? I've been looking all over the place and cant seem to find any reference to it anywhere ...

                K





                -----Original Message-----
                From: Roger Davenport [mailto:rdavenport@...]
                Sent: Tuesday, September 02, 2003 12:55 PM
                To: Perrin Harkins
                Cc: modperl@...
                Subject: RE: collecting unique client (computer) specific info?


                Apologies.. yes, this was meant for the list!!

                Roger

                On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
                Did you mean to send this to the list? It only went to me.

                On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
                > The session ID only lasts a certain time.. anywhere from a couple of
                > minutes to a couple of days (varies widely). SSLv2 is 16 bytes, and
                > SSLv3/TLS is anywhere from 1 to 32 bytes. The session ID is
                > essentially a value which saves the client and server from having to
                > handshake every time. But if you get a matching value, chances are
                > that you have the same machine if it's within a reasonable amount of
                > time.
                >
                > Roger
                >
                > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote:
                > > On Tue, 2003-09-02 at 14:23, kfr wrote:
                > > > Yes, sorry. I have a site that allows my customers to become members via
                > > > monthly credit card subscription. The problem is we've been getting
                > > > fraudulent credit card transactions and need some mechanism to detect a user
                > > > who is a repeat offender so I can detect them trying to submit yet another
                > > > bogus CC for access.
                > >
                > > Okay, that makes sense. Unfortunatey, there's no foolproof way that I'm
                > > aware of. To begin with, you can try using a cookie. This will stop
                > > anyone who is not very technical. Beyond that, I have heard that
                > > there's some kind of unique identifier in SSL that you may be able to
                > > use. I know this because the f5 big/ip load balancers used it. Check
                > > into that.
                > >
                > > - Perrin



                --
                Reporting bugs: http://perl.apache.org/bugs/
                Mail list info: http://perl.apache.org/maillist/modperl.html
              • Perrin Harkins
                ... According to the mod_ssl manual, it is stored in an environment variable called SSL_SESSION_ID. - Perrin -- Reporting bugs: http://perl.apache.org/bugs/
                Message 7 of 22 , Sep 3, 2003
                • 0 Attachment
                  On Wed, 2003-09-03 at 12:22, kfr wrote:
                  > Anyone know how to capture the UUID from a request?

                  According to the mod_ssl manual, it is stored in an environment variable
                  called SSL_SESSION_ID.

                  - Perrin



                  --
                  Reporting bugs: http://perl.apache.org/bugs/
                  Mail list info: http://perl.apache.org/maillist/modperl.html
                • Ged Haywood
                  Hi there, ... What makes you think there ll be one in there? ... Try Google? 73, Ged. -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info:
                  Message 8 of 22 , Sep 3, 2003
                  • 0 Attachment
                    Hi there,

                    On Wed, 3 Sep 2003, kfr wrote:

                    > Anyone know how to capture the UUID from a request?

                    What makes you think there'll be one in there?

                    > I've been looking all over the place and cant seem to find any
                    > reference to it anywhere ...

                    Try Google?

                    73,
                    Ged.



                    --
                    Reporting bugs: http://perl.apache.org/bugs/
                    Mail list info: http://perl.apache.org/maillist/modperl.html
                  • Stas Bekman
                    ... You mean, you want to generate one? in mod_perl2/apr it d be: use APR::UUID: my $uuid = APR::UUID- new- format; or from the command line (assuming that you
                    Message 9 of 22 , Sep 3, 2003
                    • 0 Attachment
                      kfr wrote:
                      > Anyone know how to capture the UUID from a request? I've been looking all
                      > over the place and cant seem to find any reference to it anywhere ...

                      You mean, you want to generate one? in mod_perl2/apr it'd be:

                      use APR::UUID:
                      my $uuid = APR::UUID->new->format;

                      or from the command line (assuming that you are using the latest cvs):

                      perl -MApache2 -MAPR -MAPR::UUID -le 'print APR::UUID->new->format'

                      __________________________________________________________________
                      Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
                      http://stason.org/ mod_perl Guide ---> http://perl.apache.org
                      mailto:stas@... http://use.perl.org http://apacheweek.com
                      http://modperlbook.org http://apache.org http://ticketmaster.com



                      --
                      Reporting bugs: http://perl.apache.org/bugs/
                      Mail list info: http://perl.apache.org/maillist/modperl.html
                    • John Saylor
                      hi ... is there an equivalent in mod_perl1? -- js -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
                      Message 10 of 22 , Sep 3, 2003
                      • 0 Attachment
                        hi

                        ( 03.09.03 10:42 -0700 ) Stas Bekman:
                        > You mean, you want to generate one? in mod_perl2/apr it'd be:

                        is there an equivalent in mod_perl1?

                        --
                        \js



                        --
                        Reporting bugs: http://perl.apache.org/bugs/
                        Mail list info: http://perl.apache.org/maillist/modperl.html
                      • Perrin Harkins
                        ... Use Data::UUID from CPAN or mod_unique_id. Note that this (and the mod_perl 2 approach Stas posted) has nothing to do with identifying the actual client,
                        Message 11 of 22 , Sep 3, 2003
                        • 0 Attachment
                          On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                          > is there an equivalent in mod_perl1?

                          Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                          mod_perl 2 approach Stas posted) has nothing to do with identifying the
                          actual client, which is what the original question on this thread was
                          about.

                          - Perrin


                          --
                          Reporting bugs: http://perl.apache.org/bugs/
                          Mail list info: http://perl.apache.org/maillist/modperl.html
                        • Stas Bekman
                          ... I m sure there are a few modules on CPAN that you can use. Again I m talking about generating UUD, not extracting the SSL one. Perrin has replied that you
                          Message 12 of 22 , Sep 3, 2003
                          • 0 Attachment
                            John Saylor wrote:
                            > hi
                            >
                            > ( 03.09.03 10:42 -0700 ) Stas Bekman:
                            >
                            >>You mean, you want to generate one? in mod_perl2/apr it'd be:
                            >
                            >
                            > is there an equivalent in mod_perl1?

                            I'm sure there are a few modules on CPAN that you can use. Again I'm talking
                            about generating UUD, not extracting the SSL one. Perrin has replied that you
                            need $ENV{SSL_SESSION_ID} for the SSL one.




                            __________________________________________________________________
                            Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
                            http://stason.org/ mod_perl Guide ---> http://perl.apache.org
                            mailto:stas@... http://use.perl.org http://apacheweek.com
                            http://modperlbook.org http://apache.org http://ticketmaster.com



                            --
                            Reporting bugs: http://perl.apache.org/bugs/
                            Mail list info: http://perl.apache.org/maillist/modperl.html
                          • kfr
                            I m able to see it now ... had to re-compile my server with mod_ssl (not apache-ssl) and I can see the SSL_SESSION_ID. So I take it there s no way to decrypt
                            Message 13 of 22 , Sep 3, 2003
                            • 0 Attachment
                              I'm able to see it now ... had to re-compile my server with mod_ssl (not
                              apache-ssl) and I can see the SSL_SESSION_ID. So I take it there's no way
                              to decrypt that and grab anything useful out of it other than it's one time
                              uniqueness? The doc's state its a combo of a few different parameters
                              (timestamp, hardware address, etc), which the hardware address is really
                              what I'm after.

                              K



                              >-----Original Message-----
                              >From: Perrin Harkins [mailto:perrin@...]
                              >Sent: Wednesday, September 03, 2003 12:28 PM
                              >To: John Saylor
                              >Cc: modperl@...
                              >Subject: Re: collecting unique client (computer) specific info?
                              >
                              >
                              >On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                              >> is there an equivalent in mod_perl1?
                              >
                              >Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                              >mod_perl 2 approach Stas posted) has nothing to do with identifying the
                              >actual client, which is what the original question on this thread was
                              >about.
                              >
                              >- Perrin
                              >
                              >
                              >--
                              >Reporting bugs: http://perl.apache.org/bugs/
                              >Mail list info: http://perl.apache.org/maillist/modperl.html
                              >
                              >



                              --
                              Reporting bugs: http://perl.apache.org/bugs/
                              Mail list info: http://perl.apache.org/maillist/modperl.html
                            • Ged Haywood
                              Hi there, ... What hardware? 73, Ged. -- Reporting bugs: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html
                              Message 14 of 22 , Sep 3, 2003
                              • 0 Attachment
                                Hi there,

                                On Wed, 3 Sep 2003, kfr wrote:

                                > had to re-compile my server with mod_ssl

                                :)

                                > the hardware address is really what I'm after.

                                What hardware?

                                73,
                                Ged.



                                --
                                Reporting bugs: http://perl.apache.org/bugs/
                                Mail list info: http://perl.apache.org/maillist/modperl.html
                              Your message has been successfully submitted and would be delivered to recipients shortly.