
RE: collecting unique client (computer) specific info?

  • Roger Davenport
    Message 1 of 22 , Sep 2 12:55 PM
      Apologies..  yes, this was meant for the list!!

      Roger

      On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
      Did you mean to send this to the list?  It only went to me.
      
      On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
      > The session ID only lasts a certain time.. anywhere from a couple of
      > minutes to a couple of days (varies widely).  SSLv2 is 16 bytes, and
      > SSLv3/TLS is anywhere from 1 to 32 bytes.  The session ID is
      > essentially a value which saves the client and server from having to
      > handshake every time.  But if you get a matching value, chances are
      > that you have the same machine if it's within a reasonable amount of
      > time.
      > 
      > Roger
      > 
      > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote: 
      > > On Tue, 2003-09-02 at 14:23, kfr wrote:
      > > > Yes, sorry.  I have a site that allows my customers to become members via
      > > > monthly credit card subscription.  The problem is we've been getting
      > > > fraudulent credit card transactions and need some mechanism to detect a user
      > > > who is a repeat offender so I can detect them trying to submit yet another
      > > > bogus CC for access.
      > > 
      > > Okay, that makes sense.  Unfortunately, there's no foolproof way that I'm
      > > aware of.  To begin with, you can try using a cookie.  This will stop
      > > anyone who is not very technical.  Beyond that, I have heard that
      > > there's some kind of unique identifier in SSL that you may be able to
      > > use.  I know this because the f5 big/ip load balancers used it.  Check
      > > into that.
      > > 
      > > - Perrin
    • kfr
      Message 2 of 22 , Sep 3 9:22 AM
        Anyone know how to capture the UUID from a request? I've been looking all over the place and can't seem to find any reference to it anywhere ...

        K





        -----Original Message-----
        From: Roger Davenport [mailto:rdavenport@...]
        Sent: Tuesday, September 02, 2003 12:55 PM
        To: Perrin Harkins
        Cc: modperl@...
        Subject: RE: collecting unique client (computer) specific info?


        Apologies.. yes, this was meant for the list!!

        Roger

        On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
        Did you mean to send this to the list? It only went to me.

        On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
        > The session ID only lasts a certain time.. anywhere from a couple of
        > minutes to a couple of days (varies widely). SSLv2 is 16 bytes, and
        > SSLv3/TLS is anywhere from 1 to 32 bytes. The session ID is
        > essentially a value which saves the client and server from having to
        > handshake every time. But if you get a matching value, chances are
        > that you have the same machine if it's within a reasonable amount of
        > time.
        >
        > Roger
        >
        > On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote:
        > > On Tue, 2003-09-02 at 14:23, kfr wrote:
        > > > Yes, sorry. I have a site that allows my customers to become members via
        > > > monthly credit card subscription. The problem is we've been getting
        > > > fraudulent credit card transactions and need some mechanism to detect a user
        > > > who is a repeat offender so I can detect them trying to submit yet another
        > > > bogus CC for access.
        > >
        > > Okay, that makes sense. Unfortunately, there's no foolproof way that I'm
        > > aware of. To begin with, you can try using a cookie. This will stop
        > > anyone who is not very technical. Beyond that, I have heard that
        > > there's some kind of unique identifier in SSL that you may be able to
        > > use. I know this because the f5 big/ip load balancers used it. Check
        > > into that.
        > >
        > > - Perrin



        --
        Reporting bugs: http://perl.apache.org/bugs/
        Mail list info: http://perl.apache.org/maillist/modperl.html
      • Perrin Harkins
        Message 3 of 22 , Sep 3 9:37 AM
          On Wed, 2003-09-03 at 12:22, kfr wrote:
          > Anyone know how to capture the UUID from a request?

          According to the mod_ssl manual, it is stored in an environment variable
          called SSL_SESSION_ID.

          - Perrin
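
One way to use the SSL_SESSION_ID value discussed above for repeat-visitor detection, as an added example that is not part of the original thread. It assumes mod_ssl exports the variable as a hex string (`SSLOptions +StdEnvVars`); `session_key`, `is_repeat`, `%seen` and the 30-minute window are hypothetical choices, and the sample requests are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes mod_ssl exports
# SSL_SESSION_ID as a hex string (SSLOptions +StdEnvVars).
# session_key(), is_repeat(), %seen and $WINDOW are hypothetical names.
use strict;
use warnings;

my $WINDOW = 30 * 60;   # assumed "reasonable amount of time", in seconds
my %seen;               # session id -> epoch of last sighting (in-memory only)

# Return a normalized id, or undef when the value is absent or malformed.
# Bounds follow the sizes quoted in the thread: 1 to 32 bytes = 2 to 64 hex digits.
sub session_key {
    my ($raw) = @_;
    return unless defined $raw;
    return unless $raw =~ /\A(?:[0-9A-Fa-f]{2}){1,32}\z/;
    return lc $raw;
}

# True when the same id was seen within $WINDOW seconds; records the sighting.
sub is_repeat {
    my ($raw, $now) = @_;
    my $key = session_key($raw);
    return 0 unless defined $key;   # plain HTTP, or the variable is not exported
    my $last = $seen{$key};
    $seen{$key} = $now;
    return (defined $last && $now - $last <= $WINDOW) ? 1 : 0;
}

# Constructed sample requests: [ epoch seconds, SSL_SESSION_ID value ]
my @requests = (
    [ 1000, 'A1B2C3D4E5F60718293A4B5C6D7E8F90' ],   # first sighting
    [ 1600, 'a1b2c3d4e5f60718293a4b5c6d7e8f90' ],   # same id, 10 minutes later
    [ 9000, 'A1B2C3D4E5F60718293A4B5C6D7E8F90' ],   # same id, outside the window
    [ 9100, undef ],                                # no SSL session id at all
    [ 9200, 'not-hex' ],                            # malformed value
);

for my $req (@requests) {
    my ($now, $id) = @$req;   # in a handler: time() and $ENV{SSL_SESSION_ID}
    printf "%5d  %-34s %s\n", $now, (defined($id) ? $id : '(none)'),
        (is_repeat($id, $now) ? 'repeat' : 'new or unknown');
}
```

A match is only a hint within the window; a miss says nothing, since the ID changes whenever a new session is negotiated.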



        • Ged Haywood
          Message 4 of 22 , Sep 3 10:21 AM
            Hi there,

            On Wed, 3 Sep 2003, kfr wrote:

            > Anyone know how to capture the UUID from a request?

            What makes you think there'll be one in there?

            > I've been looking all over the place and can't seem to find any
            > reference to it anywhere ...

            Try Google?

            73,
            Ged.



          • Stas Bekman
            Message 5 of 22 , Sep 3 10:42 AM
              kfr wrote:
              > Anyone know how to capture the UUID from a request? I've been looking all
              > over the place and can't seem to find any reference to it anywhere ...

              You mean, you want to generate one? In mod_perl2/apr it'd be:

              use APR::UUID;
              my $uuid = APR::UUID->new->format;

              or from the command line (assuming that you are using the latest cvs):

              perl -MApache2 -MAPR -MAPR::UUID -le 'print APR::UUID->new->format'

              __________________________________________________________________
              Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
              http://stason.org/ mod_perl Guide ---> http://perl.apache.org
              mailto:stas@... http://use.perl.org http://apacheweek.com
              http://modperlbook.org http://apache.org http://ticketmaster.com



            • John Saylor
              Message 6 of 22 , Sep 3 12:03 PM
                hi

                ( 03.09.03 10:42 -0700 ) Stas Bekman:
                > You mean, you want to generate one? in mod_perl2/apr it'd be:

                is there an equivalent in mod_perl1?

                --
                \js



              • Perrin Harkins
                Message 7 of 22 , Sep 3 12:28 PM
                  On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                  > is there an equivalent in mod_perl1?

                  Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                  mod_perl 2 approach Stas posted) has nothing to do with identifying the
                  actual client, which is what the original question on this thread was
                  about.

                  - Perrin


                • Stas Bekman
                  Message 8 of 22 , Sep 3 12:44 PM
                    John Saylor wrote:
                    > hi
                    >
                    > ( 03.09.03 10:42 -0700 ) Stas Bekman:
                    >
                    >>You mean, you want to generate one? in mod_perl2/apr it'd be:
                    >
                    >
                    > is there an equivalent in mod_perl1?

                    I'm sure there are a few modules on CPAN that you can use. Again I'm talking
                    about generating UUID, not extracting the SSL one. Perrin has replied that you
                    need $ENV{SSL_SESSION_ID} for the SSL one.




                    __________________________________________________________________
                    Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
                    http://stason.org/ mod_perl Guide ---> http://perl.apache.org
                    mailto:stas@... http://use.perl.org http://apacheweek.com
                    http://modperlbook.org http://apache.org http://ticketmaster.com



                  • kfr
                    Message 9 of 22 , Sep 3 2:05 PM
                      I'm able to see it now ... had to re-compile my server with mod_ssl (not
                      apache-ssl) and I can see the SSL_SESSION_ID. So I take it there's no way
                      to decrypt that and grab anything useful out of it other than its one-time
                      uniqueness? The docs state it's a combo of a few different parameters
                      (timestamp, hardware address, etc), which the hardware address is really
                      what I'm after.

                      K



                      >-----Original Message-----
                      >From: Perrin Harkins [mailto:perrin@...]
                      >Sent: Wednesday, September 03, 2003 12:28 PM
                      >To: John Saylor
                      >Cc: modperl@...
                      >Subject: Re: collecting unique client (computer) specific info?
                      >
                      >
                      >On Wed, 2003-09-03 at 15:03, John Saylor wrote:
                      >> is there an equivalent in mod_perl1?
                      >
                      >Use Data::UUID from CPAN or mod_unique_id. Note that this (and the
                      >mod_perl 2 approach Stas posted) has nothing to do with identifying the
                      >actual client, which is what the original question on this thread was
                      >about.
                      >
                      >- Perrin
                      >
                      >



                    • Ged Haywood
                      Message 10 of 22 , Sep 3 3:01 PM
                        Hi there,

                        On Wed, 3 Sep 2003, kfr wrote:

                        > had to re-compile my server with mod_ssl

                        :)

                        > the hardware address is really what I'm after.

                        What hardware?

                        73,
                        Ged.


