sessioncookiesuser-tracking

No Cookie / No IP Tracking a Visitor


Problem Statement: Track an anonymous user to persist state (or lock out of a feature after a timer) on a device that has visited a website. This would need to work with cookies disabled, across browsers, including visits in incognito mode. This also would need to be device specific, 2 computers within a home network would have 2 independent timers.

I have seen this applied in a few scenarios with the most recent being the NBC Olympics with the stream timer. This has so many uses for "free no sign-up trials" while not giving away everything or limiting features in "try before you buy". Any ideas would be appreciated!


Solution

  • For this you would need to employ a cross-browser fingerprinting (or device fingerprinting) technique.

    Related research

    I recommend you read the paper (Cross-)Browser Fingerprinting via OS and Hardware Level Features by Yinzhi Cao, Song Li, and Erik Wijmans, which has an associated demo implementation of 2 of the techniques described therein.

    Another good paper I found on web fingerprinting techniques which you should read if you're interested is Web-based Fingerprinting Techniques by Vítor Bernardo and Dulce Domingos.

    The (in)security of device fingerprinting

    The basis for device fingerprinting is collecting a variety of features from the client device which are indicative of the device/OS of the device, and are stable across browsers. Collect enough and the combination of these features of one user will very likely be unique among all users.

    Most features useful for device fingerprinting can only be measured on the client (with JavaScript), and then need to be communicated back to the server, either raw or as a hash. Due to this, device fingerprinting as a security measure relies also on your ability to obfuscate the JS doing the fingerprinting and the corresponding network traffic communicating the fingerprint. If a user can figure out how the fingerprint is being collected and/or sent back to the server then they can spoof it to circumvent any protections you've put in place based on it.

    Features that can be fingerprinted

    Useful features to measure include (but are not limited to)

    In terms of low hanging fruit, there are Web APIs such as Navigator.hardwareConcurrency which expose details about the underlying hardware directly, however many browsers now disable or spoof this feature in order to avoid its use for fingerprinting.

    The more features you collect the more solid your fingerprint, as long as they don't vary across browsers on the same device.

    Conclusion

    Ultimately, there is no be-all and end-all to device fingerprinting since it's a very complex topic with many potential approaches and a constant arms race with browser vendors trying to prevent fingerprinting techniques and developers trying to find new ones.

    If you're looking for an out-of-box solution, there are currently a small handlful of open source and commercial browser and user fingerprinting services out there such as FingerprintJS (which is both). Though it does seem that many device fingerprinting solutions are not sold as standalone functionality but instead as a part of a fraud prevention system (such as SEON) or similar.

    (The following is just opinion)

    Overall it's my view that device fingerprinting is an iffy solution to locking out features, and a better solution is to make the signup process for an account as quick and easy as possible (though perhaps the free account could be used in combination with device or browser fingerprinting to temper abuse of the free trial system)