I suspect we're all familiar with how facebook and google and the like detect if you're using a different device than usual, I was wondering what the most reliable way to do this is?
I'm talking about the old 'It looks like you're signing in from a different device', and then when you confirm etc, it usually sends you an email and asks whether you want to trust this device or not.
Obviously one could just set a cookie, one that maybe get's checked and logged each visit, but what about when the user signs out? Do we keep the cookie?
Is there any other reliable method to 'trust' a 'device' other than setting cookies? Or is this the best/most reliable way to do it?
The most reliable way to detect a device change is to create a fingerprint of the browser/device the browser is running on. This is a complex topic to get 100% right, and there are commercial offerings that are pretty darn good but not flawless. I worked at one of those companies several years ago.
There is now at least one open source fingerprinting project Client JS. I have not used it, but it seems to cover the bases.
Just setting a cookie is not very reliable because on average users clear cookies about every 30-45 days unless you use a network that attempts to re-set the cookie (paid services). Even those are not flawless.
Just using the IP address is useless. Some devices legitimately have many IPs in a short period of time (laptop at home, work and Starbucks or most any mobile device), while sometimes a single IP is shared by a large number of users (all the folks at Starbucks or behind a corporate proxy server).
UPDATE
Thoughts on your similar hash code.
It is a complex topic to get right. I had a small team for a few years. We got pretty darn good, but you can never be 100% accurate even when people are not intentionally trying to trick you.
If you can accept thinking some devices are new when in fact they are the same and vice-versa, this type of similarity hash may work for you. Note that you can never use this type of fingerprint to uniquely identify a device for a purpose that requires positive identification such as access to secure data. It's great for making probabilistic decisions such as serving an appropriate ad.