USER_AGENT consistency

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

mu-ziq
Forum Newbie
Posts: 11
Joined: Fri Jul 08, 2005 9:42 pm

USER_AGENT consistency

Post by mu-ziq »

Hi.

I am trying to develop a login script whose security partially relies on USER_AGENT consistency from request to request. Recently I've discovered that people use applications that cycle through a list of proxies every N minutes/seconds to stay anonymous. Logically, my thinking is that this proxy jumping will affect USER_AGENT consistency, but I cannot be sure, as I started programming websites not too long ago.

Could someone confirm or deny my concerns?

Thanks a lot.
neophyte
DevNet Resident
Posts: 1537
Joined: Tue Jan 20, 2004 4:58 pm
Location: Minnesota

Post by neophyte »

User agents can be changed. I like timvw's suggestion for building a user fingerprint:

viewtopic.php?t=34468

Hope that helps.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: USER_AGENT consistency

Post by Roja »

mu-ziq wrote: Could someone confirm or deny my concerns?
I can definitively confirm that the user agent cannot be counted on to be consistent through a session. AOL users, anonymization-service users, and even some national ISP proxies all can and do change the user agent inconsistently.

IPs also cannot be relied upon.

The best you can hope for is establishing a session, and maintaining the session against the session cookie.
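The approach in the last reply, sketched as an added example that is not part of the original thread: authentication depends only on the server-side session reached through the session cookie, and a changed User-Agent is logged instead of ending the session. The function names, the 30-minute idle limit and the decision to log the change are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
declare(strict_types=1);

function start_secure_session(): void
{
    session_set_cookie_params([      // array form requires PHP 7.3+
        'lifetime' => 0,             // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,          // sent over HTTPS only
        'httponly' => true,          // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_start();
}

function log_in(int $userId): void
{
    session_regenerate_id(true);     // fresh id at login prevents session fixation
    $_SESSION['user_id']   = $userId;
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
}

function current_user_id(int $idleLimit = 1800): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;                 // no authenticated session
    }
    if (time() - (int) $_SESSION['last_seen'] > $idleLimit) {
        $_SESSION = [];              // idle too long: drop the session entirely
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();

    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals((string) $_SESSION['ua_hash'], $ua)) {
        // Proxies can rewrite this header mid-session, so a change is only
        // recorded for later review; it does not log the user out.
        error_log('User-Agent changed for user ' . $_SESSION['user_id']);
        $_SESSION['ua_hash'] = $ua;
    }
    return (int) $_SESSION['user_id'];
}
```

Call `start_secure_session()` at the top of every request, `log_in()` once the credentials have been verified, and `current_user_id()` wherever a page needs to know who is logged in.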