The only way would be to have the user manually supply the info via a form submission. (The computer name is no business of a web server, all it needs to know is the IP address. Anything more would be a security hole.)

Note: If you are working on a LAN application rather than a world-wide web application, there may be ways to get the info, such as reading the LAN's hosts file to match up a hostname with the IP address.

Thanx!

I was working on a Authentication System that looked for the user's computer name in order to form some kind of hacking protection from other's. Apparently Cookies can be hijacked, but the hacker wouldn't know the targets computer name... Well, that's my idea anyway.

If you know of any GPL High Security Authentication source to create a member login website, please give me a hint!

Best Regards

You may want to use SSL/TLS.

What about logging their IP address? Although there is one problem with that: god damn dynamic IPs!

SSL would maybe solve the security problem partly. But not protecting against evil scripts and injections on postings and PM's (like the "mouseover") etc. It would probably not be desireble to use SSL through every page that's being visited, since I'll guess it would slow down the server a lot. Could probably be used during the registration/login/edit account process, in order to not send ID and Passwords in clear text over the net. Storing and receiving hashed cookies would probably be better. That's why I would like to use the computer name baked into the hash as well.

And the IP? It all falls down that many users actually gets different IP number everytime they connect to the internet. So, the computer name would be the most static thing I could think of.

How would the local computer name be a greater security hole than the IP address since everything someone could do with a computer name, could also be done with the IP address.(?)
Enlighten this newbie plz!

Maybe I'm wrong, but... Doesn't e-mails contain headers which are telling the name of the sending computer? With that in mind, I thought this where available thru PHP as well.

Anyway... It seems that I have to rethink the whole structure I was working on. And a "Remember Login ID & Password" function would also pose a futher threat to the secrurity as well. :quiet:

If I only could find something unique about every computer, other than using the IP-number...

Storing and receiving hashed cookies would probably be better. That's why I would like to use the computer name baked into the hash as well.

What do you mean? If you send this hash in the clear, it can be intercepted, so whether or not the computer name is involved makes no difference. If you send it encrypted... then you would be imitating SSL/TLS.

And the IP? It all falls down that many users actually gets different IP number everytime they connect to the internet. So, the computer name would be the most static thing I could think of.

Suppose you are indeed able to get the computer name. The user changes computer. How would you authenticate the user? If you allow a change of computer, then an attacker can defeat your "computer name check" by pretending to be the user on a different computer. If you do not allow this, then the user is not allowed to change computer, which is absurd unless you are the user's employer and require the user to login from the company assigned computer.

laserlight wrote:

What do you mean? If you send this hash in the clear, it can be intercepted, so whether or not the computer name is involved makes no difference. If you send it encrypted... then you would be imitating SSL/TLS.

That's why I needed to have the computer name, since it's hard to reconstruct a hash even if you got partly information about what's inside it. It also comes down to what salts that are used. That's my idea anyway...

laserlight wrote:

Suppose you are indeed able to get the computer name. The user changes computer. How would you authenticate the user? If you allow a change of computer, then an attacker can defeat your "computer name check" by pretending to be the user on a different computer. If you do not allow this, then the user is not allowed to change computer, which is absurd unless you are the user's employer and require the user to login from the company assigned computer.

If the user changes computer, he have to login again. That would create new unique hashes due to the change of computername. Would work equally for the "Remember" function.

Hmm...
Just trying to be innovative here. If there are better ways to solve this, I would love to hear it! Maybe I'm trying to reinvent the wheel here...

That's why I needed to have the computer name, since it's hard to reconstruct a hash even if you got partly information about what's inside it. It also comes down to what salts that are used. That's my idea anyway...

If the user changes computer, he have to login again. That would create new unique hashes due to the change of computername. Would work equally for the "Remember" function.

So far nothing that you have said requires the computer name. A password will work just as well.

Just trying to be innovative here.

I suggest that you state your protocol.

laserlight wrote:

So far nothing that you have said requires the computer name. A password will work just as well.

Ok... The idea was was to make a Sha512 hash from the User ID, User Created date, Password & Computer Name. When a user have the "Remember" activated and return to the site, the server will get information from user's cookies regarding only the UserID and the 64 digit Hash. The Computer Name would also be fetched. The rest of the information is contained inside the server's SQL DB and will be used as elements to recreate the very same hash and compare it to the one that's stored on the user's computer. If they are same, the user is then the genuine user.

Well, that was the idea anyway. I don't know how this is solved IRL today on websites around the world. Maybe there are lots of solutions to it. Mine was just another one that was simply not possible due to the non existent way of fetching the user's Computer Name.

Ok... The idea was was to make a Sha512 hash from the User ID, User Created date, Password & Computer Name. When a user have the "Remember" activated and return to the site, the server will get information from user's cookies regarding only the UserID and the 64 digit Hash. The Computer Name would also be fetched. The rest of the information is contained inside the server's SQL DB and will be used as elements to recreate the very same hash and compare it to the one that's stored on the user's computer. If they are same, the user is then the genuine user.

I think I understand the problem: conceptually, you are working with the idea that "Cookies can be hijacked". This is true in a way, but it implies that the attacker has control over the user's computer (e.g., the attacker took over the computer from a user at an Internet cafe who forgot to log out) to read the cookie file(s).

I am working on the assumption that you are concerned with an attacker sniffing the network. This attacker knows the data that is sent and received by the computer. So, if you send the user id, hash and computer name in the clear, the attacker can get all these and use them. It does not matter that the user id and hash were stored in cookies and the computer name was retrieved via some other way. The system would still be inherently insecure against interception of the data.

Well, that was the idea anyway. I don't know how this is solved IRL today on websites around the world. Maybe there are lots of solutions to it.

The solution is to use SSL/TLS, or an equivalent. In truth, many authentication systems deployed on websites assume that an attacker will not intercept the network data. Only those websites that really need to be secure (e.g., those that involve financial transactions) would use SSL/TLS.

Thanx!

I'll try to figure out something that put a balance between complexity and security risks then...

This will work
$_ENV[COMPUTERNAME]
It will show the users computer name or what ever you want to do with it. hope this helps

This will work
$ENV[COMPUTERNAME]
It will show the users computer name or what ever you want to do with it. hope this helps

Oh, really?

<?php echo $_ENV['COMPUTERNAME']; ?>

gives me:

Notice: Undefined index: COMPUTERNAME in D:\projects\web\test.php on line 1

If it works, it is not reliable.

oh, well it works for me it shows
RYAN
laser do this

<?php print_r($_ENV); ?>

Can you see anything to do with computername?
Erm i have been using this wrongly, i have just found out this is the environment under which the PHP parser is running
so my bad

Can you see anything to do with computername?

$ENV is an empty array on my system. The clue to this inherent unreliability can be found in the PHP Manual's Appendix on Predefined Variables:

Environment variables: $_ENV
These variables are imported into PHP's global namespace from the environment under which the PHP parser is running. Many are provided by the shell under which PHP is running and different systems are likely running different kinds of shells, a definitive list is impossible.

In fact, my interpretation of "from the environment under which the PHP parser is running" is that even if it works, it only gives the name of the server computer, not the client computer.

laserlight wrote:

Oh, really?

<?php echo $_ENV['COMPUTERNAME']; ?>

gives me:

Notice: Undefined index: COMPUTERNAME in D:\projects\web\test.php on line 1

If it works, it is not reliable.

IF _ENV['COMPUTERNAME'] IF FOR THE LOCALUSER
HOW CAN I KNOW THE VIEWER COMPUTER NAME ?

Did anybody find any solution to view the viewers hostname? I'm interested in counting how many computers visiting a certain page are really unique.

Saquib_Azam

Read the thread you commented on. It may be ten years old but it's still correct.