That's why I needed to have the computer name, since it's hard to reconstruct a hash even if you got partly information about what's inside it. It also comes down to what salts that are used. That's my idea anyway...

If the user changes computer, he have to login again. That would create new unique hashes due to the change of computername. Would work equally for the "Remember" function.

So far nothing that you have said requires the computer name. A password will work just as well.

Just trying to be innovative here.

I suggest that you state your protocol.

laserlight wrote:

So far nothing that you have said requires the computer name. A password will work just as well.

Ok... The idea was was to make a Sha512 hash from the User ID, User Created date, Password & Computer Name. When a user have the "Remember" activated and return to the site, the server will get information from user's cookies regarding only the UserID and the 64 digit Hash. The Computer Name would also be fetched. The rest of the information is contained inside the server's SQL DB and will be used as elements to recreate the very same hash and compare it to the one that's stored on the user's computer. If they are same, the user is then the genuine user.

Well, that was the idea anyway. I don't know how this is solved IRL today on websites around the world. Maybe there are lots of solutions to it. Mine was just another one that was simply not possible due to the non existent way of fetching the user's Computer Name.

Ok... The idea was was to make a Sha512 hash from the User ID, User Created date, Password & Computer Name. When a user have the "Remember" activated and return to the site, the server will get information from user's cookies regarding only the UserID and the 64 digit Hash. The Computer Name would also be fetched. The rest of the information is contained inside the server's SQL DB and will be used as elements to recreate the very same hash and compare it to the one that's stored on the user's computer. If they are same, the user is then the genuine user.

I think I understand the problem: conceptually, you are working with the idea that "Cookies can be hijacked". This is true in a way, but it implies that the attacker has control over the user's computer (e.g., the attacker took over the computer from a user at an Internet cafe who forgot to log out) to read the cookie file(s).

I am working on the assumption that you are concerned with an attacker sniffing the network. This attacker knows the data that is sent and received by the computer. So, if you send the user id, hash and computer name in the clear, the attacker can get all these and use them. It does not matter that the user id and hash were stored in cookies and the computer name was retrieved via some other way. The system would still be inherently insecure against interception of the data.

Well, that was the idea anyway. I don't know how this is solved IRL today on websites around the world. Maybe there are lots of solutions to it.

The solution is to use SSL/TLS, or an equivalent. In truth, many authentication systems deployed on websites assume that an attacker will not intercept the network data. Only those websites that really need to be secure (e.g., those that involve financial transactions) would use SSL/TLS.

Thanx!

I'll try to figure out something that put a balance between complexity and security risks then...

This will work
$_ENV[COMPUTERNAME]
It will show the users computer name or what ever you want to do with it. hope this helps

This will work
$ENV[COMPUTERNAME]
It will show the users computer name or what ever you want to do with it. hope this helps

Oh, really?

<?php echo $_ENV['COMPUTERNAME']; ?>

gives me:

Notice: Undefined index: COMPUTERNAME in D:\projects\web\test.php on line 1

If it works, it is not reliable.

oh, well it works for me it shows
RYAN
laser do this

<?php print_r($_ENV); ?>

Can you see anything to do with computername?
Erm i have been using this wrongly, i have just found out this is the environment under which the PHP parser is running
so my bad

Can you see anything to do with computername?

$ENV is an empty array on my system. The clue to this inherent unreliability can be found in the PHP Manual's Appendix on Predefined Variables:

Environment variables: $_ENV
These variables are imported into PHP's global namespace from the environment under which the PHP parser is running. Many are provided by the shell under which PHP is running and different systems are likely running different kinds of shells, a definitive list is impossible.

In fact, my interpretation of "from the environment under which the PHP parser is running" is that even if it works, it only gives the name of the server computer, not the client computer.

laserlight wrote:

Oh, really?

<?php echo $_ENV['COMPUTERNAME']; ?>

gives me:

Notice: Undefined index: COMPUTERNAME in D:\projects\web\test.php on line 1

If it works, it is not reliable.

IF _ENV['COMPUTERNAME'] IF FOR THE LOCALUSER
HOW CAN I KNOW THE VIEWER COMPUTER NAME ?

Did anybody find any solution to view the viewers hostname? I'm interested in counting how many computers visiting a certain page are really unique.

Saquib_Azam

Read the thread you commented on. It may be ten years old but it's still correct.