Albert D. Kallal
I'd like to implement a feature as part of the login process for my website that determines if a user has logged in with the computer before. Basically, if they are using a computer they've either 1) originally registered with or 2) logged in previously with, I will just prompt them for a username/password. If it is a computer the application has not seen before (for that user), I want to require an additional credential (I'm thinking a security question).
I know I could probably accomplish this with cookies, but I'm wondering if there is a better way. Possibly something using a combination of IP and user agent string. Anyone have good ideas on how this could be implemented?
Also any links would be great. I'm not even sure what to search for.
Wednesday, May 30, 2007
> Use a cookie. That's what they're for. A browser should not be able to tell you anything else that will enable you to uniquely identify the client.
IP address and user-agent string are non-unique.
Wednesday, May 30, 2007
By the way, a lot of financial sites are now doing this kind of checking, for anti-phishing purposes. If you've logged in to the account from that computer already, then they display a picture you've chosen so you'll know it's the real site and not a fake. If you haven't logged in before, they demand extra info and have you choose a picture (and maybe also a description string for the computer, like "Jane's home computer").
The downside of course is that users can disable or delete cookies.
As exception guy pointed out, that's ok in the case of financial web sites. Being asked additional security questions is a good thing. It's like having a gas valve "fail closed" instead of "fail open". Something goes wrong, the gas is shut off as opposed to forced/left open.
For non-critical websites, I think the whole "are you on your normal computer?" idea is overkill and doesn't add much value. If I'm on a Chelsea fan club web site and I'm arguing whether we should keep or let loose Shevchenko, I wouldn't want the computer to quiz me again when I moved from my laptop to my desktop.
The reason I'm making that point is that what you plan to do with the info does impact the question of which techniques are worth implementing.
Thursday, May 31, 2007
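The cookie-based, fail-closed scheme the two replies above describe, written out as an added example (not code from this thread): a signed "known computer" cookie issued after a full login, checked on every later login, and treated as unfamiliar whenever it is missing, forged, tied to another account or revoked. The signing key, the in-memory device registry and the user ids are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed demo key; a real site would load it from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical server-side registry of device ids issued per user, so a
# token can be revoked even though the browser still carries the cookie.
known_devices: Dict[str, Set[str]] = {}


def _sign(payload: str) -> str:
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_device_token(user_id: str) -> str:
    """Call after the user passes the full (password + security question)
    login. Returns the value for a long-lived HttpOnly/Secure cookie."""
    device_id = secrets.token_urlsafe(16)
    known_devices.setdefault(user_id, set()).add(device_id)
    payload = f"{user_id}|{device_id}"          # assumes user ids contain no '|'
    return f"{payload}.{_sign(payload)}"


def device_is_known(user_id: str, cookie_value: Optional[str]) -> bool:
    """Fail closed: a missing, malformed, forged, revoked or other-user
    token all count as an unfamiliar computer."""
    if not cookie_value or "." not in cookie_value:
        return False
    payload, sig = cookie_value.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(payload)):
        return False                            # tampered, or signed with another key
    token_user, _, device_id = payload.partition("|")
    if token_user != user_id:
        return False                            # cookie belongs to a different account
    return device_id in known_devices.get(user_id, set())


def required_credentials(user_id: str, cookie_value: Optional[str]) -> List[str]:
    """Decide which factors the login form must collect for this request."""
    if device_is_known(user_id, cookie_value):
        return ["password"]
    return ["password", "security_question"]


def revoke_device(user_id: str, cookie_value: str) -> None:
    """Lets a user forget a computer; the stale cookie then fails closed."""
    payload, _ = cookie_value.rsplit(".", 1)
    known_devices.get(user_id, set()).discard(payload.partition("|")[2])
```

Deleting the cookie simply lands the user back on the security-question path, which is the "fail closed" behaviour the replies argue for.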