Solved

Image Verification Security

Posted on 2006-12-01
Last Modified: 2006-12-04
Hey, I've created an Image Verification class and I'm basically wondering if anybody knows how the larger companies store 'login attempts' and how they associate attempts with users.

Through my own testing I have determined the following:

1) Attempts are not stored in cookies or sessions
2) Attempts are not linked to the remote address

So just how do they know how many attempts I have had without storing my remote address or session id (or any other form of cookie related information)?  I have examined the $_SERVER variables to try and determine if there's any kind of data that can be used to identify users, but I have failed to find any.

The only other theory that I can think of is that they combine a number of different data (creating a "fingerprint"), such as remote address mixed with the user's browser for instance, but that would be useless for a variety of corporations and educational centres that have networked computers sharing the same address and using the same browsers.

Please put me out of my misery :)

Thanks,

Karl.
0
Question by:KarlPurkhardt
5 Comments
 
LVL 11

Expert Comment

by:ch2
ID: 18057315
On each login attempt you send your username and then your session fails and the validator updates the database.
0
 
LVL 11

Expert Comment

by:ch2
ID: 18057333
< Hey, I've created an Image Verification class and I'm basically wondering if anybody knows how the larger companies store 'login attempts'

Usually in DB

< how they associate attempts with users.

Username you send and the one in the db.
0
 
LVL 4

Author Comment

by:KarlPurkhardt
ID: 18057781
Neither of those would work the same as www.gmail.com image verification.  For example, if I make several attempts (using different email addresses and passwords) I will still have to go through the image verification after x attempts. At this point, I can clear my cookies and I will still be prompted to validate via the image verification, even though each attempt was made on a different account (different email/password) and I have cleared my cookies.
0
 
LVL 11

Assisted Solution

by:ch2
ch2 earned 60 total points
ID: 18057859
www.gmail.com uses JavaScript, POST data and a certificate, so just remove all and you cannot connect.
0
 
LVL 8

Accepted Solution

by:
John Kawakami earned 65 total points
ID: 18058562
They probably keep track of the IP address.  How can you be sure they don't track that?

They could, for example, have lists of IP addresses associated with any account you try to use.  If you try to get to foo@gmail.com from 1.2.3.4 and then from 2.3.4.5, maybe foo@gmail.com gets associated with both 1234 and 2345.

Then subsequent attempts from 1234 are linked to all the accounts you try, and same for 2345.  This creates a little pile of linked accounts, and that's your fingerprint.

I'm totally speculating here.  Seems like too much work, to me.
0
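The linking that the accepted answer speculates about, sketched as an added Python example (not code from this thread or from Gmail): failures are stored server-side, keyed by IP address and by account, and joined whenever the two appear in the same attempt, so clearing cookies or switching accounts does not reset the count. The class name, threshold and window are assumptions; the two addresses and foo@gmail.com come from the answer, the other values are constructed.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 900  # assumed look-back window
THRESHOLD = 3         # assumed failures tolerated before the image challenge


class AttemptTracker:
    """Hypothetical server-side failure counter; nothing is kept in cookies."""

    def __init__(self):
        self.failures = defaultdict(list)  # ("ip", addr) -> failure timestamps
        self.links = defaultdict(set)      # IP <-> account seen in one attempt

    def record_failure(self, ip, account, now=None):
        now = time.time() if now is None else now
        ip_node, acct_node = ("ip", ip), ("acct", account.lower())
        self.failures[ip_node].append(now)  # counted once, on the IP node
        self.links[ip_node].add(acct_node)
        self.links[acct_node].add(ip_node)

    def _cluster(self, start):
        """Every IP and account reachable from start through shared attempts."""
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in self.links[queue.popleft()] - seen:
                seen.add(nxt)
                queue.append(nxt)
        return seen

    def needs_captcha(self, ip, account, now=None):
        now = time.time() if now is None else now
        nodes = self._cluster(("ip", ip)) | self._cluster(("acct", account.lower()))
        recent = sum(1 for n in nodes for t in self.failures.get(n, ())
                     if now - t <= WINDOW_SECONDS)
        return recent >= THRESHOLD


def demo():
    # Constructed sample: foo@gmail.com tried from both addresses, as in the answer.
    t = AttemptTracker()
    t.record_failure("1.2.3.4", "foo@gmail.com", now=0)
    t.record_failure("2.3.4.5", "foo@gmail.com", now=10)
    t.record_failure("1.2.3.4", "bar@example.com", now=20)
    return t


if __name__ == "__main__":
    print(demo().needs_captcha("2.3.4.5", "new@example.com", now=30))
```

Because a whole office or campus behind NAT shares one address, a count like this is better suited to triggering the image challenge than to blocking, which is the shared-address concern raised in the question.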


Question has a verified solution.
