laserlight wrote:

So far nothing that you have said requires the computer name. A password will work just as well.

Ok... The idea was was to make a Sha512 hash from the User ID, User Created date, Password & Computer Name. When a user have the "Remember" activated and return to the site, the server will get information from user's cookies regarding only the UserID and the 64 digit Hash. The Computer Name would also be fetched. The rest of the information is contained inside the server's SQL DB and will be used as elements to recreate the very same hash and compare it to the one that's stored on the user's computer. If they are same, the user is then the genuine user.

Well, that was the idea anyway. I don't know how this is solved IRL today on websites around the world. Maybe there are lots of solutions to it. Mine was just another one that was simply not possible due to the non existent way of fetching the user's Computer Name.

    Ok... The idea was was to make a Sha512 hash from the User ID, User Created date, Password & Computer Name. When a user have the "Remember" activated and return to the site, the server will get information from user's cookies regarding only the UserID and the 64 digit Hash. The Computer Name would also be fetched. The rest of the information is contained inside the server's SQL DB and will be used as elements to recreate the very same hash and compare it to the one that's stored on the user's computer. If they are same, the user is then the genuine user.

    I think I understand the problem: conceptually, you are working with the idea that "Cookies can be hijacked". This is true in a way, but it implies that the attacker has control over the user's computer (e.g., the attacker took over the computer from a user at an Internet cafe who forgot to log out) to read the cookie file(s).

    I am working on the assumption that you are concerned with an attacker sniffing the network. This attacker knows the data that is sent and received by the computer. So, if you send the user id, hash and computer name in the clear, the attacker can get all these and use them. It does not matter that the user id and hash were stored in cookies and the computer name was retrieved via some other way. The system would still be inherently insecure against interception of the data.

    Well, that was the idea anyway. I don't know how this is solved IRL today on websites around the world. Maybe there are lots of solutions to it.

    The solution is to use SSL/TLS, or an equivalent. In truth, many authentication systems deployed on websites assume that an attacker will not intercept the network data. Only those websites that really need to be secure (e.g., those that involve financial transactions) would use SSL/TLS.

      Thanx! 🙂

      I'll try to figure out something that put a balance between complexity and security risks then...

        This will work
        $_ENV[COMPUTERNAME]
        It will show the users computer name or what ever you want to do with it. hope this helps

          This will work
          $ENV[COMPUTERNAME]
          It will show the users computer name or what ever you want to do with it. hope this helps


          Oh, really?

          <?php echo $_ENV['COMPUTERNAME']; ?>

          gives me:

          Notice: Undefined index: COMPUTERNAME in D:\projects\web\test.php on line 1

          If it works, it is not reliable.

            oh, well it works for me it shows
            RYAN
            laser do this

            <?php print_r($_ENV); ?>

            Can you see anything to do with computername?
            Erm i have been using this wrongly, i have just found out this is the environment under which the PHP parser is running
            so my bad

              Can you see anything to do with computername?

              $ENV is an empty array on my system. The clue to this inherent unreliability can be found in the PHP Manual's Appendix on Predefined Variables:

              Environment variables: $_ENV
              These variables are imported into PHP's global namespace from the environment under which the PHP parser is running. Many are provided by the shell under which PHP is running and different systems are likely running different kinds of shells, a definitive list is impossible.



              In fact, my interpretation of "from the environment under which the PHP parser is running" is that even if it works, it only gives the name of the server computer, not the client computer.

                4 months later
                laserlight wrote:

                Oh, really?

                <?php echo $_ENV['COMPUTERNAME']; ?>

                gives me:

                Notice: Undefined index: COMPUTERNAME in D:\projects\web\test.php on line 1

                If it works, it is not reliable.

                IF _ENV['COMPUTERNAME'] IF FOR THE LOCALUSER
                HOW CAN I KNOW THE VIEWER COMPUTER NAME ?

                  4 months later

                  Did anybody find any solution to view the viewers hostname? I'm interested in counting how many computers visiting a certain page are really unique.

                    10 years later

                    print_r($_ENV);
                    echo gethostname(); // Or, an option before PHP 5.3
                    echo php_uname('n');
                    These are all working right but
                    We want to show the client computer's name on the server but it calls our server's operating system.
                    like: Array ( ) CentOS-72-64-minimal

                    Saquib_Azam

                    Read the thread you commented on. It may be ten years old but it's still correct.

                        Write a Reply...