Page 1 of 1

USER_AGENT consistency

Posted: Fri Jul 08, 2005 9:50 pm
by mu-ziq
Hi.

I am trying to develop a login script whose security partially relies on USER_AGENT consistency from request to request. Recently I've discovered that people use applications that cycle through a list of proxies every N minutes/seconds to stay anonymous. Logically my thinking is, this proxy jumping will affect USER_AGENT consistency but I cannot be sure as I started programming websites not too long ago.

Could someone confirm or deny my concerns?

Thanks a lot.

Posted: Fri Jul 08, 2005 10:23 pm
by neophyte
User agents can be changed. I like timvw suggestion for building a user fingerprint:

viewtopic.php?t=34468

Hope that helps.

Re: USER_AGENT consistency

Posted: Sat Jul 09, 2005 4:05 am
by Roja
mu-ziq wrote: Could someone confirm or deny my concerns?
I can definitively confirm that the user agent cannot be counted on to be consistent through a session. AOL users, anonymization-service users, and even some national ISP proxies all can and do change the user agent inconsistently.

IP's also cannot be relied upon.

The best you can hope for is establishing a session, and maintaining the session against the session cookie.