It appears from my research that the browser widget in Livecode does not record cookies, nor does there not seem to be other methods at play. Two pieces of evidence: in Livecode, when I return to a site that has previously alerted me to a cookie being set—having said yes the first time—it asks me again when I return to that site; item two: when I open Chrome’s cookie storage, I don’t see anything set after saying yes to a handful of sites. Could the browser widget be setting cookies elsewhere, like in a Windows folder? Or does the Livecode browser require some additional code to record cookies?
TIA,
NerdZero
When the app/stack is closed (in the proper way) the browser widget is destroyed together with all cookies that were set. Therefore it makes sense that next time when you create a new, fresh browser instance, that you get those pesky cooky warnings again. There is no way around it, except for perhaps executing a piece of JavaScript that automatically accepts any cookie warnings. This may be a real hassle to set up.
I don't think it is possible to read set cookies and restore them later, as such behaviour wouldn't be secure.
How do login sessions work while on Tor, since Tor browser disables cookies? Always has confused me how the site can differentiate users.
I know there are additional ways other than cookies, but still none the wiser how they work while on Tor.
Actually Tor Browser forces cookies to be discarded at the end of the browsing session. Cookies are small pieces of data that websites use to keep notes on who you are. They are commonly used as a login token, or as an identifier for adveritsment companies to track you across multiple sites. By discarding all cookies when you start a new browsing session, these cannot be used to track you across sites.Tor Browser disables the Flash plugin, which has its own form of persistent storage. As Flash applets auto-load on most systems, this again prevents a method of tracking you across sessions.A similar story applies for HTML5 storage capability. Websites can store data on your machine with the use of HTML5. This data can be much larger and more varied than cookies, and is technically distinct; but the risks in terms of being used as a tracking mechanism are the same.
The first part answers the question: "Actually Tor Browser forces cookies to be discarded at the end of the browsing session." So cookies are used like any normal website until you finish the session, then they are deleted.
Actually Tor Browser forces cookies to be discarded at the end of the browsing session. Cookies are small pieces of data that websites use to keep notes on who you are. They are commonly used as a login token, or as an identifier for adveritsment companies to track you across multiple sites. By discarding all cookies when you start a new browsing session, these cannot be used to track you across sites.Tor Browser disables the Flash plugin, which has its own form of persistent storage. As Flash applets auto-load on most systems, this again prevents a method of tracking you across sessions.A similar story applies for HTML5 storage capability. Websites can store data on your machine with the use of HTML5. This data can be much larger and more varied than cookies, and is technically distinct; but the risks in terms of being used as a tracking mechanism are the same.
If I open www.google.com in chrome and then I clear history and open www.google.com in another chrome page ,how can I distinguish these 2 web site? Is there something in one instance of browser which make it unique from other one?(same browser and same web page but 2 windows)
Under normal circumstances - no. If you aren't talking about google.com, and instead are talking about a webpage that you develop - then you can have a javascript variable (not a cookie) that's set and sent along with page navigation.
As long as that variable is unique (or random) - you can distinguish the instances.
Cookies are shared between single browser multiple windows/tabs unless using "Privacy mode"
More information on what you're trying to accomplish would help better answer this question.
The HTTP Protocol is stateless by nature so in general you shouldn't be able to tell. However, you have have two separate sessions open you can track traffic by inspecting the HTTP headers for session cookie values, but that's about as good as you're going to get.
I found that IE7 maintains same session for multiple tabs in a single browser window and thus doesn't support different sessions for different tabs in a single browser window. My client needs that the application should work perfectly in two different tabs in a single browser window. i think this is because of session and cookie problem. Is there a workaround for this.
Appreciate your help in this regard.
Thanks,
Manoja Swaro
Browser tabs share cookies (and not just in IE, in Firefox and the others as well), and the cookies contain the session ID.
You could switch to cookie-less sessions however this has security and usability concerns. URL based sessions are easily hijacked, and it breaks bookmarking as well, as each page has a unique URL per session.
IE7 doesn't maintain a 'session' as such, you're talking about a cookie with a session ID in it, I would guess. All browsers will have one value for a cookie, it doesn't vary by window/tab.
If you want a session ID to travel with the click trail, you're going to have to pass it from page to page, by (for instance) passing it as a URL parameter and ensuring that you add the parameter to the URL within the page. (Or do without a session.)
The real solution is to change your application so it doesn't assume each session has only one page. An application that can't be open in multiple tabs is broken.
This can be hard if this assumption is already deeply embedded in your code.
If the owner of a web site wants to track who their users are as much as possible, what things can they capture (and how). You might want to know about this in order to capture information on a site you create or, as a user, to prevent a site from capturing data on you.
Here is a starting list, but I'm sure I have missed some important ones:
Referrer (what web page had the link you followed to get here). This is a HTTP header.
IP Address of the machine you are browsing from. This is available with the HTTP headers.
User Agent (what browser you are using). This is a HTTP header.
Cookie placed on a previous visit. This is a header, available only if a cookie was placed earlier and was not deleted by the user.
Flash Cookie placed on a previous visit. Some users turn off cookies, but very few know how to turn off Flash cookies. Works like a normal cookie although it depends on Flash.
Web Bugs. Place something small (like a transparent single-pixel GIF) on the page that's served up from a 3rd party. Some third parties (such as DoubleClick) will have their own cookies and can correlate with other visits the user makes (for a fee!).
Those are the common ones I think of, but there have to be LOTS of unusual ones. For instance, this:
Time on the user's clock. Use JavaScript to transmit it.
... which I had never heard of before reading it here.
ADDED LATER (after reading this):
Please try to put just ONE item per answer, then we can use voting up to sort out the better/more-interesting ones. The list below is probably less effective.
Ah well... NEXT time I ask a question like this I'll set it up better.
And here are some of the best answers I got:
James points out that IE transmits the .NET framework version.
AviewAnew points out that one can find what sites you have visited.
Mecki points out that Screen Resolution can be determined.
Mecki also points out that any auto-fill information your browser has cached can be determined, by creating a hidden field, then reading it with JavaScript.
jjrv points out that Flash can list the fonts on the user's machine.
Kent points out that you can find out what websites a person has visited.
Silver Dragon points out you can determine the location of the mouse within the browsing window using Flash and AJAX.
Jim points out that you can tell what language the user has configured in their browser from a HTTP header.
Jim also mentions that you can detect whether people are using Greasemonkey or something similar to modify the page.
Modifications to your original:
can be escaped ( i think its an option in some browsers )
only avoidable with a proxy ( javascript can contravene this however with smart lookaround )
is unreliable, easily forged.
And assuming it was not wiped by browser closure ( session cookie ) and cookie is in the same domain/path
The real nasty ones are
Using javascript to probe your network/lan
Using javascript to access your firewall from behind the firewall and adjust its settings ( no joke )
Using the feature of the "visited link" to determine which of a list of urls have been visited. ( deep history probing ! )
Goodness knows what if the user has Windows/IE/ActiveX
There's a header that can include information about a proxy server the user is using, and that can also include the user's IP address (in which case the other IP is the one of the proxy)
Screen Resolution, Operating System, Color Depth, size of your taskbar (compare max and current resolution), if Java is enabled, Anti-Aliasing Fonts, Plugins Installed all via Javascript
A Java applet can give you a bunch of information as well, but I don't know what.
Sites you've visited
Details of your local network such as active hosts, web servers. Paper Also outlines drive-by printing, drive-by router modification
And this is all assuming the attacker doesn't pull off arbitrary code execution
Javascript can get more information than just time. E.g. screen resolution (+ color depth) being one of them.
See Getting Screen Resolution with JS
Everything JS can capture, can be transmitted using AJAX without the user performing any interaction. Other examples are (not all will work in every browser):
It can look into your browser history, e.g. what URL your browser would go if you hit back or forward.
The language of your browser (Note: usually the HTTP request will also contain a list of preferred languages for the page you request. However this list is user editable in the prefs of many browser, while JS can actually find out what the language translation your browser is using in the interface)
If your browser auto fills form fields (e.g. e-mail, username, etc.), JS can actually already read what your browser entered into the fields before you submitted the form (thus it can even read what your browser pre-filled there, even if you never submit the form at all).
A Java applet could also gather some information and transmit it, though there is not much information you wouldn't already get elsewhere. Since it's easy to get the IP of a visitor, it's possible to find out which online service he's using (looking up the IP at address services like IANA for USA or RIPE for Europe and so on) and there are services that translate IPs to country, so it's possible to find out where the user most likely is currently located.
Some additional info, that might be of interest:
Using the ip address, one can resolve the hostname, net provider / organization the IP belongs to, and rough geographic location.
Using the referer, the list of queries a specified client makes, and a reliable cookie mechanism, one can resolve the path the visitor makes (even clickthroughs to other sides, with AJAX and/or a forwarder page)
Using flash, with a combination of AJAX, the mouse location within the browsing window can be captured
The User Agent might contain information regarding operation system, installed .NET frameworks, and other curiosities
.NET framework versions are transmitted in IE, in the User Agent.
Flash can give you a list of fonts on the user's machine among other things. Javascript can send information when the mouse stops over an ad without clicking it. You can also get the window size, whether the site is open in a frame, if popups or specific plugins have been blocked, looking for Javascript features can tell if the user agent header is correct or faked...
If you're concerned about your personal security (I'm not sure if that's what you're really getting after, so my apologies if this is misguided), you can always use a Tor network. If you use Firefox, you can use Torbutton for one click enabling. It has the benefit (drawback, to some), of disabling Flash because it's otherwise impossible to protect against Flash information leaks.
You can usually determine which language the user speaks through the Accept-Language HTTP header.
You can determine whether certain applications and browser plugins are installed by looking at the Accept HTTP header.
Browser version/patchlevel and .NET framework version through the User-Agent HTTP header.
Your ISP/Employer and geographical location through IP address.
Whether or not you have visited particular URLs through CSS and/or timing load events. If a particular website has user-specific URIs, this could disclose whether you are a certain user on that site or not.
Which fonts are available through measuring ems and/or Flash.
Screen resolution, window size, timezone through JavaScript.
Where you move your mouse and keystrokes through JavaScript. For instance, you can see what people type into text boxes even if they don't hit submit.
Many UserJS/Greasemonkey scripts leak information (e.g. if you filter out certain people, the sites it is configured for may be able to find out who).
Can the browser support JS
Can the browser support flash
Operating system platform
Screen resolution
Supports CSS
Supports tables
I need to dig up the link, but if the user is using IE, with common software titles installed, determining which ones are installed is possible.
As far as I know, it's possible to get clipboard data via javascript. Not sure how possible it is by default these days, but it was all the rage not long ago. I do believe IE still allows it.
People have a habit of leaving very important data in their clipboard, so this is pretty bad.
late to the party here, the website can also scan your ports, to find what software you are running!