How to track users individually without using IP address, cookie, JavaScript, UA, etc.


By Vernon Swanepoel

Cookies and JavaScript are used to keep track of information such as how long a visitor views a page and how often they visit. Some people object to being tracked that way, so they refuse cookies or turn off JavaScript. However, there is still a way to track users individually.

Lucb1e.com :: Cookieless Cookies
http://lucb1e.com/rp/cookielesscookies/


This was revealed by lucb1e, who lives in the Netherlands and loves code, security and networks. The method is not new, but although it is used on many sites, few people are aware of it. What makes user tracking possible without cookies, JavaScript, IP addresses, user agents, or browser plugins such as Flash and Java is something very simple: the browser cache. Even if you refuse cookies, turn off JavaScript and every plugin, and use a VPN service, you can still be tracked.

In the lucb1e.com article above, the person actually reading it is tagged, and the number of visits to the page and the date of the last visit are displayed. The page says that the session ID is not associated with any personal information, so readers can rest easy, but it is still a little eerie to see that the character string in the text box remains even after you close the browser and reopen it.


The technique uses the ETag (entity tag) HTTP header, a value unique to the content. When the browser loads a page, the ETag of, for example, a cached image is compared with the ETag (a checksum) of the image on the server. If it has changed, the image is new and is downloaded again; if there is no update, the cache is used, which reduces the amount of data transferred.

As one example, a 250 KB image is downloaded on the first access, but because the browser holds the ETag of this image on the next access, the server returns a 0.1 KB "no update" response. Traffic is reduced, which is a saving for both the server and the user.


The mechanism is described on the following page. lucb1e pointed out that by making clever use of this ETag information, the same thing as a cookie can be achieved.

One point of web system development learned by case (12): Performance improvement with browser cache - Attention to the pitfall of load balancing device - @IT
http://www.atmarkit.co.jp/ait/articles/0305/10/news002.html
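An ETag that is a checksum of the content should be identical for every visitor who receives the same bytes, so one way to audit a site for the cookie-like use described above is to fetch the same resources from several empty-cache browser profiles and compare the values. The following Python code is an added example, not lucb1e's demo code; the observation records, URLs and ETag values are constructed sample data, and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed sample: (fresh_profile, url, etag, body) as an audit harness
# with empty caches would record them. Not captured from any real site.
OBSERVATIONS = [
    ("profile-a", "/logo.png", '"5f2c9a"', b"PNG-bytes"),
    ("profile-b", "/logo.png", '"5f2c9a"', b"PNG-bytes"),
    ("profile-c", "/logo.png", '"5f2c9a"', b"PNG-bytes"),
    ("profile-a", "/pixel.png", '"a81f03d2"', b"1x1"),
    ("profile-b", "/pixel.png", '"77c0e4b9"', b"1x1"),
    ("profile-c", "/pixel.png", '"0d93fa16"', b"1x1"),
    ("profile-a", "/news.html", '"v1"', b"<p>monday</p>"),
    ("profile-b", "/news.html", '"v2"', b"<p>tuesday</p>"),
]

def normalize(etag):
    """Strip the weak-validator prefix so W/"x" and "x" compare equal."""
    return etag[2:] if etag.startswith("W/") else etag

def suspicious_etags(observations, min_profiles=2):
    """Return URLs whose ETag differs per client although the body is identical.

    An ETag that validates content is the same for identical bytes; one that
    is unique per fresh profile can act as an identifier that the browser
    replays in If-None-Match on every revisit.
    """
    by_body = defaultdict(dict)  # (url, body digest) -> {profile: etag}
    for profile, url, etag, body in observations:
        digest = hashlib.sha256(body).hexdigest()
        by_body[(url, digest)][profile] = normalize(etag)
    flagged = set()
    for (url, _digest), tags in by_body.items():
        # Flag only when every profile that got these bytes got its own ETag.
        if len(tags) >= min_profiles and len(set(tags.values())) == len(tags):
            flagged.add(url)
    return sorted(flagged)

if __name__ == "__main__":
    for url in suspicious_etags(OBSERVATIONS):
        print("per-client ETag on identical content:", url)
```

Load-balanced servers that derive ETags from file metadata can also return differing values for the same bytes, so a flagged URL is a reason to inspect the resource, not proof of tracking.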

This time, lucb1e wrote the demonstration code himself. Like the original, it was built to work even without JavaScript, but he says some bugs remain, for example in the display of the last visit date and time. The source code can be checked on GitHub, but note that these bugs exist only in lucb1e's code and not in what is widely used on other sites.

lucb1e wrote the article and made the demo code because he wants everyone to be a bit more security-conscious when browsing. Tracking by cache is practically impossible to detect, and the cache also has the advantage of letting pages display quickly, so turning it off completely may be difficult. However, recent browsers are equipped with a "private browsing mode (secret mode)", and lucb1e recommends using it for online banking and the like.

Internet Explorer's "InPrivate" mode can be used with Ctrl + Shift + P while the browser is open.


Firefox's "Private Browsing" mode, like IE, can be used with Ctrl + Shift + P.


Chrome's "secret mode" is available with Ctrl + Shift + N.

in Note, Web Service, Posted by logc_nt