Solved

Image Verification Security

Posted on 2006-12-01
5
144 Views
Last Modified: 2006-12-04
Hey, I've created a Image Verfication class and I'm basically wondering if anybody knows how the larger companies store 'login attempts' and how they associate attempts with users.

Through my own testing I have determined the following:

1) Attempts are not stored in cookies or sessions
2) Attempts are not linked to the remote address

So just how do they know how many attempts I have had without storing my remote address or session id (or any other form of cookie related information).  I have examined the $_SERVER variables to try and determine if there's any kind of data that is can be used to identify users, but I have failed to find any.  

The only other theory that I can thikn of is that they combine a number of different data (creating a "fingerprint"), such as remote address mixed with the users browser for instance, but that would be useless for a variety of corporations and educational centres that have networked computers sharing the same address and using the same browsers.

Please put me out of my misery :)

Thanks,

Karl.
0
Comment
Question by:KarlPurkhardt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 18057315
On each login attempt you send your username and then your session fails and the validator updates the database.
0
 
LVL 11

Expert Comment

by:ch2
ID: 18057333
< Hey, I've created a Image Verfication class and I'm basically wondering if anybody knows how the larger companies store 'login attempts'

Usually in DB

< how they associate attempts with users.

Username you send and the one in the db.
0
 
LVL 4

Author Comment

by:KarlPurkhardt
ID: 18057781
Neither of those would work the same as www.gmail.com image verification.  For example, if I make several attempts (using different email addresses and passwords) I will still have to go through the image verification after x attempts, at this point, I can clear my cookies and I will still be prompted to validate via the image verification, even tho each attempt was made on a different account (different email/password) and I have cleared my cookies.
0
 
LVL 11

Assisted Solution

by:ch2
ch2 earned 60 total points
ID: 18057859
www.gmail.com use javascript, POST data and a certificate so just remove all and you cannot connect.
0
 
LVL 8

Accepted Solution

by:
John Kawakami earned 65 total points
ID: 18058562
They probably keep track of the IP address.  How can you be sure they don't track that?

They could, for example, have lists of IP addresses associated with any account you try to use.  If you try to get to foo@gmail.com from 1.2.3.4 and then from 2.3.4.5, maybe foo@gmail.com gets associated with both 1234 and 2345.

Then subsequent attempts from 1234 are linked to all the accounts you try, and same for 2345.  This creates a little pile of linked accounts, and that's your fingerprint.

I'm totally speculating here.  Seems like too much work, to me.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question