Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Image Verification Security

Posted on 2006-12-01
5
Medium Priority
?
150 Views
Last Modified: 2006-12-04
Hey, I've created a Image Verfication class and I'm basically wondering if anybody knows how the larger companies store 'login attempts' and how they associate attempts with users.

Through my own testing I have determined the following:

1) Attempts are not stored in cookies or sessions
2) Attempts are not linked to the remote address

So just how do they know how many attempts I have had without storing my remote address or session id (or any other form of cookie related information).  I have examined the $_SERVER variables to try and determine if there's any kind of data that is can be used to identify users, but I have failed to find any.  

The only other theory that I can thikn of is that they combine a number of different data (creating a "fingerprint"), such as remote address mixed with the users browser for instance, but that would be useless for a variety of corporations and educational centres that have networked computers sharing the same address and using the same browsers.

Please put me out of my misery :)

Thanks,

Karl.
0
Comment
Question by:KarlPurkhardt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 18057315
On each login attempt you send your username and then your session fails and the validator updates the database.
0
 
LVL 11

Expert Comment

by:ch2
ID: 18057333
< Hey, I've created a Image Verfication class and I'm basically wondering if anybody knows how the larger companies store 'login attempts'

Usually in DB

< how they associate attempts with users.

Username you send and the one in the db.
0
 
LVL 4

Author Comment

by:KarlPurkhardt
ID: 18057781
Neither of those would work the same as www.gmail.com image verification.  For example, if I make several attempts (using different email addresses and passwords) I will still have to go through the image verification after x attempts, at this point, I can clear my cookies and I will still be prompted to validate via the image verification, even tho each attempt was made on a different account (different email/password) and I have cleared my cookies.
0
 
LVL 11

Assisted Solution

by:ch2
ch2 earned 180 total points
ID: 18057859
www.gmail.com use javascript, POST data and a certificate so just remove all and you cannot connect.
0
 
LVL 8

Accepted Solution

by:
John Kawakami earned 195 total points
ID: 18058562
They probably keep track of the IP address.  How can you be sure they don't track that?

They could, for example, have lists of IP addresses associated with any account you try to use.  If you try to get to foo@gmail.com from 1.2.3.4 and then from 2.3.4.5, maybe foo@gmail.com gets associated with both 1234 and 2345.

Then subsequent attempts from 1234 are linked to all the accounts you try, and same for 2345.  This creates a little pile of linked accounts, and that's your fingerprint.

I'm totally speculating here.  Seems like too much work, to me.
0

Featured Post

Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
This article discusses how to create an extensible mechanism for linked drop downs.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question