The Joel on Software Discussion Group (CLOSED)

Determine if a user has logged in with a specific computer

I'd like to implement a feature as part of the login process for my website that determines if a user has logged in with the computer before. Basically, if they are using a computer they've either 1) originally registered with or 2) logged in previously with, I will just prompt them for a username/password. If it is a computer the application has not seen before (for that user), I want to require an additional credential (I'm thinking a security question).

I know I could probably accomplish this with cookies, but I'm wondering if there is a better way. Possibly something using a combination of IP and user agent string. Anyone have good ideas on how this could be implemented?

Also any links would be great.  I'm not even sure what to search for.
Wednesday, May 30, 2007
Cookies are the best way.
Wednesday, May 30, 2007
> Use a cookie.  That's what they're for.  A browser should not be able to tell you anything else that will enable you to uniquely identify the client.

IP address and user-agent string are non-unique.
Wednesday, May 30, 2007
Joe's right - users can have a dynamically assigned IP address, or be behind a proxy server. Better to use cookies to do this.

By the way, a lot of financial sites are now doing this kind of checking, for anti-phishing purposes. If you've logged in to the account from that computer already, then they display a picture you've chosen so you'll know it's the real site and not a fake. If you haven't logged in before, they demand extra info and have you choose a picture (and maybe also a description string for the computer, like "Jane's home computer").
Exception guy
Wednesday, May 30, 2007
The downside of course is that users can disable or delete cookies.

As exception guy pointed out, that's ok in the case of financial web sites. Being asked additional security questions is a good thing. It's like having a gas valve "fail closed" instead of "fail open". Something goes wrong, the gas is shut off as opposed to forced/left open.

For non-critical websites, I think the whole "are you on your normal computer?" idea is overkill and doesn't add much value. If I'm on a Chelsea fan club web site and I'm arguing whether we should keep or let loose Shevchenko, I wouldn't want the computer to quiz me again when I moved from my laptop to my desktop.

The reason I'm making that point is that what you plan to do with the info does impact the question of which techniques are worth implementing.
Thursday, May 31, 2007
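The cookie-based "known computer" check the replies recommend, with the fail-closed behaviour described above, as an added Python example that is not code from the thread. The in-memory store, the function names, the `device` cookie name and the 180-day lifetime are assumptions; a real site would persist the hashes per account.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store: user -> SHA-256 hashes of tokens issued to it.
_known_devices = {}


def _token_hash(token):
    # Keep only a hash so a leaked database does not yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_device_token(user):
    # Fresh random token: the browser gets the raw value as a cookie, the
    # server remembers only its hash, bound to this user.
    token = secrets.token_urlsafe(32)
    _known_devices.setdefault(user, set()).add(_token_hash(token))
    return token


def set_cookie_header(token, max_age_days=180):
    # HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP,
    # SameSite=Strict stops it being sent on cross-site requests.
    return (f"Set-Cookie: device={token}; Max-Age={max_age_days * 86400}; "
            "Path=/; Secure; HttpOnly; SameSite=Strict")


def is_known_device(user, cookie_value):
    # True only if the cookie matches a token issued to *this* user.
    if not cookie_value:
        return False
    candidate = _token_hash(cookie_value)
    return any(hmac.compare_digest(candidate, h)
               for h in _known_devices.get(user, ()))


def login(user, password_ok, cookie_value, security_answer_ok):
    # Returns (outcome, new_token); outcome is "ok", "need_security_question"
    # or "denied". A missing, deleted or foreign cookie fails closed.
    if not password_ok:
        return "denied", None
    if is_known_device(user, cookie_value):
        return "ok", None
    if security_answer_ok is None:
        return "need_security_question", None
    if not security_answer_ok:
        return "denied", None
    return "ok", issue_device_token(user)  # first login here: remember it
```

Because the hash is stored under the account it was issued to, a cookie copied from one user's browser does not make the same machine "known" for a different account.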
