  • Status: Solved
  • Priority: Medium
  • Security: Public

Image Verification Security

Hey, I've created an Image Verification class and I'm basically wondering if anybody knows how the larger companies store 'login attempts' and how they associate attempts with users.

Through my own testing I have determined the following:

1) Attempts are not stored in cookies or sessions
2) Attempts are not linked to the remote address

So just how do they know how many attempts I have had without storing my remote address or session id (or any other form of cookie-related information)? I have examined the $_SERVER variables to try and determine if there's any kind of data that can be used to identify users, but I have failed to find any.

The only other theory that I can think of is that they combine a number of different pieces of data (creating a "fingerprint"), such as remote address mixed with the user's browser for instance, but that would be useless for a variety of corporations and educational centres that have networked computers sharing the same address and using the same browsers.

Please put me out of my misery :)

Thanks,

Karl.
Asked by: KarlPurkhardt

ch2 Commented:
On each login attempt you send your username and then your session fails and the validator updates the database.

ch2 Commented:
> Hey, I've created an Image Verification class and I'm basically wondering if anybody knows how the larger companies store 'login attempts'

Usually in DB

> how they associate attempts with users.

Username you send and the one in the db.

KarlPurkhardt (Author) Commented:
Neither of those would work the same as www.gmail.com image verification. For example, if I make several attempts (using different email addresses and passwords) I will still have to go through the image verification after x attempts. At this point, I can clear my cookies and I will still be prompted to validate via the image verification, even though each attempt was made on a different account (different email/password) and I have cleared my cookies.

ch2 Commented:
www.gmail.com uses JavaScript, POST data and a certificate, so just remove all and you cannot connect.

John Kawakami Commented:
They probably keep track of the IP address.  How can you be sure they don't track that?

They could, for example, have lists of IP addresses associated with any account you try to use.  If you try to get to foo@gmail.com from 1.2.3.4 and then from 2.3.4.5, maybe foo@gmail.com gets associated with both 1234 and 2345.

Then subsequent attempts from 1234 are linked to all the accounts you try, and same for 2345.  This creates a little pile of linked accounts, and that's your fingerprint.

I'm totally speculating here.  Seems like too much work, to me.
Question has a verified solution.
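
Added example, not part of the thread and not a description of how Gmail works: one way to keep the attempt counter in the database, as the answers above suggest, keyed by both the submitted username and the remote address, so that clearing cookies or switching accounts does not reset it. The table name, threshold, window and sample addresses are assumptions, it needs the pdo_sqlite extension, and the address key will also challenge other users behind a shared address, which is the trade-off raised in the question.

```php
<?php
// Added example: assumed schema, threshold and window; not any site's real logic.
const MAX_FAILURES   = 3;    // assumed threshold (the "x attempts" in the thread)
const WINDOW_SECONDS = 900;  // assumed look-back window

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_failures (
                   username    TEXT    NOT NULL,
                   remote_addr TEXT    NOT NULL,
                   failed_at   INTEGER NOT NULL)');
    $db->exec('CREATE INDEX idx_user ON login_failures (username, failed_at)');
    $db->exec('CREATE INDEX idx_addr ON login_failures (remote_addr, failed_at)');
    return $db;
}

function recordFailure(PDO $db, string $username, string $addr, int $now): void
{
    $stmt = $db->prepare('INSERT INTO login_failures VALUES (?, ?, ?)');
    $stmt->execute([strtolower($username), $addr, $now]);
}

// True when either the account or the address has too many recent failures.
function needsImageVerification(PDO $db, string $username, string $addr, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT COALESCE(SUM(username = ?), 0), COALESCE(SUM(remote_addr = ?), 0)
           FROM login_failures
          WHERE failed_at > ? AND (username = ? OR remote_addr = ?)');
    $stmt->execute([strtolower($username), $addr, $now - WINDOW_SECONDS,
                    strtolower($username), $addr]);
    [$byUser, $byAddr] = $stmt->fetch(PDO::FETCH_NUM);
    return $byUser >= MAX_FAILURES || $byAddr >= MAX_FAILURES;
}

// Constructed scenario: three different accounts fail from one address.
$db  = openStore();
$now = 1700000000; // fixed timestamp so the run is repeatable
foreach (['a@example.com', 'b@example.com', 'c@example.com'] as $i => $user) {
    recordFailure($db, $user, '192.0.2.10', $now + $i);
}
// Check a fourth, never-seen account from the same address (no cookie involved).
var_dump(needsImageVerification($db, 'd@example.com', '192.0.2.10', $now + 10));
// Check the same account name from a different address.
var_dump(needsImageVerification($db, 'd@example.com', '198.51.100.7', $now + 10));
```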