I need to create a temporary working space for each client that is not logged in (a folder on the server) before the client logs in.
I am currently using the ip address to create an object but there can be more than one client with the same ip if they come from the same client LAN.
These clients will end up at the same folder and their work will be commingled.
How do i differentiate for these clients?
I am working with MEAN stack
Since you have clients that can log in, create the folder for those users based on their unique identifier (like their database id) when the user information is created. When they log in, you will know what folder to use.
You could use cookies or some browser session to assign unique identifiers (uuids?) to users as they hit your site. You could use browser-fingerprint and/or uuid to assign unique values.
Related
Ok so people keep botting my multi-ogar edited server(which is like an agar.io private server), and I noticed that they all use the same user-agent. How can I use ws to detect how many connections are coming from the same user agent so I can block them?
Something like
if (useragentconnections += 3) {
ws.terminate()
}
Unless you require some sort of account login/authentication, there is no foolproof mechanism to identify the same user-agent. Here are some techniques that can be used, each with varying degrees of success:
Cookie the connection with some sort of unique ID. All webSocket connections start with an http request so you can cookie them. If this is from a browser, the cookie will be presented at each new webSocket connection from that user agent and you can identify them. If this is a programmatic webSocket coming from some custom code, then they may not retain the cookie so this would not work.
Look at the IP address and count connections from that IP address. If the user is an individual home user, then this will uniquely identify any users connecting from that home network. If this is a corporate user, then there may be many users on that corporate network that appear to be coming from the same IP address via NAT so you may falsely identify lots of users within the same corporate/business network as having the same IP address.
Require some sort of account login/authentication and have some terms of service. If you identify misuse either automatically or manually, you can then ban that account.
Require some manual "human" intervention in order to get logged onto your server such as a captcha. This is to prevent automatic programmatic logins and require that a human be on the other end.
I'd like to write a basic DNS API service using NodeJS; I have an external (black-boxed) service that both generates random URL(s) as access points: https://<host_name>/<UUID> and pushes these URL(s) to my service.
I would like a way to link these URL(s) with static names that a user can create (upon registration). The idea is that users would be able to generate a static keys (unique identifiers) and use these "keys" (unique-identifiers) to access (by redirection) a given URL; for example, suppose that the temporary link ( one of the ones that is being pushed into my DNS service) looks like this: http://cool_server/2938ba6e-e54e-4393-926f-dacc91c2a33e (the UUID keeps changing every x number of minutes), the user creates an account on my object_DNS_service and generates a static key (or string that is unique): link_to_cool_server.
I would like my DNS service to link http://cool_server/2938ba6e-e54e-4393-926f-dacc91c2a33e to http(s)://link_to_cool_server.<my_host_name>such that no matter how often that URL that is being pushed into my service changes, a user would be able to still access it by redirection, using my own host-name and their unique key/string:
My question is: would the DNS module in NodeJS be able to help me solve this problem? - how should I go about this?
Use wildcard dns on <my_host_name> such that <anything>.<my_host_name> resolves to the ip address of your node server
There will be a single endpoint/route on that node server which pulls the <key> out of the url https://<key>.<my_host_name>
The endpoint then looks up the current UUID for <key> in your database
Responds to the request with a redirect to https://cool_server/<UUID>
Im running a Azure Webapp with application insight.
I know Microsoft cant show the real IP (Client_IP) so I add the real IP address to all requests (Ip).
I have a visitor client_id="h9zbt" that in the last 24h is using 48 different client_IP adresses.
The same user also has several real IPv6 adresses.
I like to block this IP from my website, but I think this looks so strange.
Is it really the same user?
How is Application insight tracking the User_Id?
Image link
Usually application insights is automatically opening a session automatically for each user (look for the ai_session key). Therefore the default user scope would be a session scope.
You can override this behaviour by sending a user context if you have some kind of sign-in. (https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context)
I find it likely that it's the same user on the same device, just using several IP-addresses, maybe as an unsuccessful attempt to stay anonymous.
User IDs should persist across user sessions to track how users behave
over time. There are various approaches for persisting the ID.
A definition of a user that you already have in your service.
If the service has access to a browser, it can pass the browser a cookie with an ID in it. The ID will persist for as long as the cookie
remains in the user's browser.
If necessary, you can use a new ID each session, but the results about users will be limited. For example, you won't be able to see how
a user's behavior changes over time.
The ID should be a Guid or another string complex enough to identify
each user uniquely. For example, it could be a long random number.
If the ID contains personally identifying information about the user,
it is not an appropriate value to send to Application Insights as a
user ID. You can send such an ID as an authenticated user ID, but it
does not fulfill the user ID requirement for usage scenarios.
mentioned in Azure doc.
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context
If a company makes available its user ids in an external database, but not the passwords, and if this database gets hacked, how easier it becomes for the hackers to then brute force access to the internal network?
You shouldn't share your user ids with external application without masking. For example;
http://www.example.com/user/1/edit
http://www.example.com/user/2/edit
From external application user will see above urls. That means anyone from outside of the organization will be able to enumerate whole database like number of users, user ids and username match-up etc.
You can use http://hashids.org . It's generating short unique string from integers. With that way, external application will only see masked values rather than actual ids.
http://www.example.com/user/a8sf71/edit
http://www.example.com/user/d0nd1d/edit
On website I'm working on I need to be able to modify variables within active sessions depending on some server event. I have identified that there is the list of sessions in SessionBag variable (within Service) so I am wondering how I can search this collection to get certain users session and modify it if needed?