I want to identify every anonymous person accessing my web portal uniquely (crazy, I know!). Currently I am using the session id in combination with the IP; however, since a session id is cookie based, it can always be cleared and the identity can be forged. I was browsing some other thread and someone had said that an attribute named "PCRSA" can be obtained from browsers and can be used to uniquely identify a user. Ever since, I've been trying to locate any further info regarding PCRSA but to no avail. Does anyone have any info regarding PCRSA or, alternatively, a better way to uniquely identify anonymous connections?
Given the increasing concerns in data privacy, is it possible to build a web app that provides a driven user experience (aka different outcomes on different users based on their specific profiles) without sending any personal information that can be tracked, hijacked or forced by any entity on the web app's servers ?
The question is somewhat vague, but due to the fact that HTTP is stateless, you'll need users to send some kind of information, at the very least user registration and login data to identify them and store their identity in some kind of storage (ex. cookie).
If you don't want the users to post any data, you won't be able to personalize the experience, just provide the same experience to everyone every time they enter your website.
I think you can do this, but you will need to identify users at the start, and then unidentify them later - for example, get them to register with an email address, confirm that address, then create an identifier derived from that address (e.g. a hash or random number), switch to using it as a user name and delete the email address. Then you will be at a point where they can log into an account, but you hold no personal identifiers on them.
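The flow described in the answer above, as an added example (not code from the original thread): the e-mail address is held only until it is confirmed, the account id is derived from it, and the address is then dropped. One detail the answer leaves open is how to derive the id: a bare SHA-256 of an e-mail is trivially reversed by hashing candidate addresses, so this uses a keyed hash (HMAC with a server-side secret). The `PEPPER`, the `Accounts` class and the sample addresses are assumptions of the example; password handling is left out.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret ("pepper"). In a real deployment it lives in a
# secret store, not in the code base; a random value here keeps the example self-contained.
PEPPER = secrets.token_bytes(32)


def normalize_email(email: str) -> str:
    """Trim and lower-case so 'J.Doe@Example.com ' and 'j.doe@example.com' map to one id."""
    return email.strip().lower()


def derive_account_id(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized e-mail.

    Deterministic, so the same e-mail always yields the same id and the user can log
    in again later. Keyed rather than a bare SHA-256, because a bare hash of an
    e-mail address is reversed by hashing candidate addresses; without the pepper a
    stolen database does not confirm which address produced which id.
    """
    return hmac.new(pepper, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


class Accounts:
    """Minimal registration flow: the e-mail is kept only until it is confirmed."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}    # confirmation token -> e-mail (temporary)
        self._accounts: dict[str, dict] = {}  # account id -> profile (no e-mail inside)

    def start_registration(self, email: str) -> str:
        token = secrets.token_urlsafe(16)
        self._pending[token] = email
        return token  # would be sent to the address inside a confirmation link

    def confirm(self, token: str) -> str:
        email = self._pending.pop(token)  # the only stored copy of the address goes away here
        account_id = derive_account_id(email)
        self._accounts[account_id] = {"preferences": {}}
        return account_id

    def lookup(self, email: str):
        """Login-time lookup: recompute the id from the e-mail the user typed."""
        return self._accounts.get(derive_account_id(email))

    def holds_email(self, email: str) -> bool:
        """True if the raw address survives anywhere in the store (for checking the claim)."""
        blob = repr(self._pending) + repr(self._accounts)
        return normalize_email(email) in blob.lower()
```

After `confirm()` the service can still authenticate the user (it recomputes the id from what they type at login) but holds no address; losing the pepper means nobody can log in, so it must be backed up like any other key.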
I'm running an Azure Web App with Application Insights.
I know Microsoft can't show the real IP (Client_IP), so I add the real IP address to all requests (Ip).
I have a visitor client_id="h9zbt" that in the last 24h is using 48 different client_IP addresses.
The same user also has several real IPv6 addresses.
I'd like to block this IP from my website, but I think this looks so strange.
Is it really the same user?
How is Application insight tracking the User_Id?
Usually Application Insights automatically opens a session for each user (look for the ai_session key). Therefore the default user scope would be a session scope.
You can override this behaviour by sending a user context if you have some kind of sign-in. (https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context)
I find it likely that it's the same user on the same device, just using several IP addresses, maybe as an unsuccessful attempt to stay anonymous.
User IDs should persist across user sessions to track how users behave over time. There are various approaches for persisting the ID.
A definition of a user that you already have in your service.
If the service has access to a browser, it can pass the browser a cookie with an ID in it. The ID will persist for as long as the cookie remains in the user's browser.
If necessary, you can use a new ID each session, but the results about users will be limited. For example, you won't be able to see how a user's behavior changes over time.
The ID should be a Guid or another string complex enough to identify each user uniquely. For example, it could be a long random number.
If the ID contains personally identifying information about the user, it is not an appropriate value to send to Application Insights as a user ID. You can send such an ID as an authenticated user ID, but it does not fulfill the user ID requirement for usage scenarios.
mentioned in the Azure doc:
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context
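To make the answers above concrete, here is an added simulation (not the Application Insights SDK and not code from the thread) of the cookie model they describe: a random, PII-free user id in a long-lived cookie and a session id that is renewed after a period of inactivity. Run over constructed requests from one browser on three IP addresses, it shows why a single user id can be seen with many IPs, and that clearing cookies makes the same device look like a new user. The cookie names mirror the ai_user/ai_session keys mentioned in the answer; the 30-minute idle timeout is an assumption of the example.

```python
import uuid
from datetime import datetime, timedelta

# Assumed idle timeout for the session cookie; the real SDK's value may differ.
SESSION_IDLE = timedelta(minutes=30)


class Browser:
    """One browser's cookie jar for the site. Cookies are all the server has to go on."""

    def __init__(self) -> None:
        self.cookies: dict[str, str] = {}

    def clear_cookies(self) -> None:
        self.cookies.clear()


def track_request(browser: Browser, now: datetime) -> tuple[str, str]:
    """Return (user_id, session_id) for one request, minting cookies as needed.

    user_id lives in a long-lived cookie and says nothing about the person;
    session_id is renewed once the browser has been idle longer than SESSION_IDLE.
    """
    user_id = browser.cookies.get("ai_user")
    if user_id is None:
        user_id = str(uuid.uuid4())  # random GUID, no PII
        browser.cookies["ai_user"] = user_id

    session_id = None
    raw = browser.cookies.get("ai_session")
    if raw is not None:
        sid, last_seen = raw.split("|")
        if now - datetime.fromisoformat(last_seen) <= SESSION_IDLE:
            session_id = sid
    if session_id is None:
        session_id = str(uuid.uuid4())
    browser.cookies["ai_session"] = f"{session_id}|{now.isoformat()}"
    return user_id, session_id


def simulate(visits):
    """visits: list of (browser, client_ip, timestamp). Returns telemetry-like records."""
    records = []
    for browser, client_ip, ts in visits:
        user_id, session_id = track_request(browser, ts)
        records.append({"user_id": user_id, "session_id": session_id, "client_ip": client_ip})
    return records


def ips_per_user(records):
    """Group the distinct client IPs seen under each user id."""
    out = {}
    for r in records:
        out.setdefault(r["user_id"], set()).add(r["client_ip"])
    return out


def demo() -> dict:
    """Constructed scenario: one browser, three addresses over a morning, then cookies cleared."""
    t0 = datetime(2024, 1, 1, 9, 0)
    browser = Browser()
    before = simulate([
        (browser, "203.0.113.7", t0),
        (browser, "198.51.100.9", t0 + timedelta(minutes=5)),  # same session, new IP
        (browser, "2001:db8::1", t0 + timedelta(hours=3)),     # idle > 30 min: new session, same user
    ])
    browser.clear_cookies()
    after = simulate([(browser, "203.0.113.7", t0 + timedelta(hours=4))])
    return {"before": before, "after": after, "ips_per_user": ips_per_user(before)}
```

The grouping in `ips_per_user` is the view the question is looking at: a single user id over many addresses is exactly what this model produces for one device that changes networks, while the `after` records show the limit of the approach, since the id does not survive a cookie wipe.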
We have a multi-clients (internally identified as "corporates"), web-based software, in which we have implemented SSO via SAML 2.0. Each client is a Corporate, and each Corporate has its own users.
At the moment, the users are identified by the NameId property of the SAML response (matching the Username field in our application), and the value of the Issuer field allows us to know which Corporate the user is from.
Now, one of our big clients has white-labelled the solution and is using it in-house, with a single Identity Provider for all of its own clients. This means there is a unique Issuer value for all SAML messages, and we can no longer rely on that to identify the user's Corporate. Fortunately, their SAML message gives all the information we need, formatted this way:
The NameId value is formatted as "corporate:username"
There is a specific "companyId" Attribute, with value "corporate"
There is a specific "operatorId" Attribute, with value "username"
I guess that identifying the Corporate is then straightforward: we need to check the value of the custom "companyId" Attribute and compare that with the Corporate name. Easy.
But what about the username? Is it safe, or does it follow best practices, to check the "operatorId" Attribute instead of the NameID property? Or should we in all cases always rely on NameId, and therefore put custom parsing logic in place to extract the corporate and username from the NameId?
How would you do that? I'm not able to find a similar case.
Thanks!
It doesn't seem to follow your company's best practices :), but as soon as you have validated the request, it is all up to you and what you agree with your customer. It will be harder to maintain, though, because it is an exception.
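The question asks whether to trust the operatorId attribute or parse the NameID. Since the IdP sends both, a practitioner's answer is to read both and refuse the login when they disagree, so an attribute that was injected or a NameID that was tampered with cannot be used on its own. Here is an added example of that check (not code from the thread or from any SAML library), written with the standard library over a constructed, trimmed-down response. It assumes signature, Conditions and SubjectConfirmation have already been validated by the SAML stack; the issuer URL, the corporate table and the user "jdoe" are made up. For XML from an untrusted party use defusedxml rather than xml.etree directly.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Corporates this service knows, keyed by the value the IdP sends in companyId (assumed).
KNOWN_CORPORATES = {"acme": "ACME Corp", "globex": "Globex"}

# Constructed, unsigned response trimmed to what the check needs. A real one also
# carries Signature, Conditions and SubjectConfirmation, which must be verified first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sso.bigclient.example</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://sso.bigclient.example</saml:Issuer>
    <saml:Subject><saml:NameID>acme:jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="companyId"><saml:AttributeValue>acme</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="operatorId"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def single_attribute(assertion, name: str) -> str:
    """Exactly one non-empty value for the named attribute, or raise. Duplicates are suspicious."""
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    values = assertion.findall(path, NS)
    if len(values) != 1 or not (values[0].text or "").strip():
        raise ValueError(f"expected exactly one non-empty {name} attribute, got {len(values)}")
    return values[0].text.strip()


def identify(response_xml: str, known=KNOWN_CORPORATES) -> tuple[str, str]:
    """Return (corporate display name, username) or raise if the assertion is inconsistent."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    company = single_attribute(assertion, "companyId")
    operator = single_attribute(assertion, "operatorId")
    # The two representations the IdP sends must agree; otherwise refuse rather than pick one.
    if name_id != f"{company}:{operator}":
        raise ValueError(f"NameID {name_id!r} disagrees with attributes {company!r}/{operator!r}")
    if company not in known:
        raise ValueError(f"unknown corporate {company!r}")
    return known[company], operator
```

Checking both values costs nothing and keeps the NameID as the canonical subject (which is what the SAML stack logs and what SLO refers to), while the attributes stay the convenient, already-split form for the lookup.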
Are Security Identifier (SID) in Windows or active directory domains considered as sensitive information? Is it possible for a hacker to use that information for malicious purposes?
I would not consider the SID any more sensitive than a GUID. The SID is used to identify objects in ACLs. However, there are well-known SIDs for built-in groups and accounts that make certain objects easily discoverable.
For instance, if you were to rename the built-in Administrator account in AD in an attempt to hide or obscure it, someone could still locate it simply based on its SID. So a hacker or someone with malicious intent could leverage the data. But if they are already able to get hold of the data, you probably have bigger things to worry about. Anyone with access to AD can query to obtain SID information for other users/groups/etc.
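The point in the answer above, that a renamed built-in account is still recognisable by its SID, as an added example (not from the thread): a small SID parser plus a lookup of the well-known SIDs and well-known RIDs, run over a constructed account list in which the Administrator account and the Domain Admins group have been renamed. The domain sub-authorities and the display names are made up; the well-known values (RID 500 for the built-in Administrator, 501 Guest, 512 Domain Admins, 519 Enterprise Admins, S-1-5-32-544 for BUILTIN\Administrators) are the documented Windows constants.

```python
import re
from typing import Optional

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# SIDs that are identical on every Windows machine and domain.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Relative IDs that are fixed under any domain or machine SID (S-1-5-21-A-B-C-<RID>).
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins",
    519: "Enterprise Admins",
}

# Constructed directory listing: two privileged principals hide behind harmless names.
SAMPLE_ACCOUNTS = [
    ("svc_backup", "S-1-5-21-1004336348-1177238915-682003330-500"),   # renamed Administrator
    ("jdoe", "S-1-5-21-1004336348-1177238915-682003330-1105"),        # ordinary user
    ("Helpdesk", "S-1-5-21-1004336348-1177238915-682003330-512"),     # renamed Domain Admins
    ("Local Admins", "S-1-5-32-544"),                                 # renamed local Administrators
]


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Split 'S-1-<authority>-<sub>-<sub>...' into (authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def classify(sid: str) -> Optional[str]:
    """Name the principal if the SID alone gives it away, whatever its display name."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    authority, subs = parse_sid(sid)
    # Domain and machine accounts: NT authority (5), sub-authority 21, three domain words, then the RID.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return WELL_KNOWN_RIDS.get(subs[4])
    return None


def find_hidden_privileged(accounts) -> dict:
    """accounts: iterable of (displayed name, SID). Returns {displayed name: real identity}."""
    return {name: who for name, sid in accounts if (who := classify(sid)) is not None}
```

Renaming therefore buys nothing against anyone who can read the directory; the useful controls are limiting who can enumerate it and alerting on logons by RID 500 regardless of the account's current name.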
We have a Web Role which used to run in a single instance for some time. To cope with higher loads (and to get a better SLA) we're currently migrating the role to support multiple instances.
The role uses Forms Authentication (with a custom membership provider), and our understanding was that we would have to enable some sort of shared session state between the instances, so if a user signs in on instance 1 and gets his .ASPXAUTH cookie, then instance 2 knows about this cookie.
We did that, and currently the role is running on two instances, and everything works well. We tested that a user stays signed in, even if his request is processed on the other instance than the one on which he signed in. If the user doesn't sign in, access is denied.
We also checked whether the TableStorageSessionStateProvider created a table in the Azure Table Storage account, and indeed, there is a table Sessions with PartitionKey, RowKey and Timestamp columns.
But, to our astonishment, the Sessions table always stays empty. No matter how many users are signed in, there is no data in the table.
How can these instances communicate, if not through the Sessions table?
You're mixing up two different things here: Authentication and Session State.
It's true that, in order to use Session State with multiple instances, you need a shared store (InProc won't work). In that case TableStorageSessionStateProvider would work since all instances have access to the session data stored here. Session state is used when you store something in the current session of the user, like a shopping cart. And you would call it like this: Session["UserShoppingCart"] = shoppingCart;.
But what you're describing in your question has nothing to do with the Session State, it's all about Forms Authentication. When you authenticate on instance 1, you'll get a ticket in return (stored in the .ASPXAUTH cookie). This ticket is encrypted and signed and contains basic information like your username, expiration, custom user data, ...
Now that you have multiple instances it could be that the next request lands you on instance 2. And I think your question was, how do the instances communicate? Well, they don't. Whenever the request starts, before it reaches your page or your controller, the FormsAuthenticationHttpModule kicks in and looks for the .ASPXAUTH cookie. It checks the signature, decrypts it and then fills the HttpContext.Current.User with the information from the cookie (the ticket).
The only link between the instances is the machineKey (used for encrypting/decrypting/signing/validating the cookie). Whenever you deploy multiple instances in Windows Azure, the Fabric Controller makes sure all instances get the same machineKey. This way, instance 2 will be able to decrypt and validate the ticket encrypted and signed by instance 1.
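The mechanism the answer describes, as an added model (not ASP.NET's FormsAuthentication code and not from the thread): instance 1 issues a self-contained ticket signed with a key shared by all instances, and any instance can validate it without consulting a shared store. This reduces the real ticket to its signed part only (ASP.NET additionally encrypts it) and uses a fixed `SHARED_MACHINE_KEY` as a stand-in for the machineKey Azure pushes to each instance; the user name and timestamps are constructed. The check with a different key is the case where instances were deployed with mismatched machineKeys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed stand-in for the machineKey validation key that every instance of the role shares.
SHARED_MACHINE_KEY = bytes.fromhex("5f3a" * 16)


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_ticket(key: bytes, username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """What instance 1 does at sign-in: serialize the ticket and MAC it with the shared key."""
    now = time.time() if now is None else now
    body = _b64(json.dumps({"u": username, "exp": now + ttl_seconds}).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (body + b"." + _b64(tag)).decode()


def validate_ticket(key: bytes, ticket: str, now: Optional[float] = None) -> Optional[str]:
    """What any instance does per request: verify the MAC first, then expiry. No shared store involved."""
    now = time.time() if now is None else now
    try:
        body, tag = ticket.encode().split(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):   # constant-time compare
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed base64/JSON or missing separator
    if payload.get("exp", 0) <= now:
        return None
    return payload.get("u")


def tamper(ticket: str) -> str:
    """Flip the last character of the ticket body to model a forged cookie."""
    body, tag = ticket.split(".")
    last = "A" if body[-1] != "A" else "B"
    return body[:-1] + last + "." + tag
```

This is also why the Sessions table stays empty: nothing about who is signed in ever needs to be written anywhere, and the ticket cannot be revoked before it expires other than by rotating the key for every instance.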