I am implementing a classroom check-in system that is tied to specific desktops. Unfortunately all I have is a public facing webserver to work with and don't want students able to copy the check-in URL and falsify check-ins, or log in with staff credentials and get access to other tools on the site. Also the computers are on a network where DHCP regularly reassigns IPs, so pinning on IP is not a reliable method of client validation. So I was thinking evercookies: I could have a staff member log into the check-in website from the computer, set an evercookie, then log out to prevent use of that login for accessing other tools on the website. When the check-in site is loaded it does a check for the evercookie and as long as a certain threshold is met the check-in page is presented. This has the added benefit of bypassing php/apache's session timeouts.

Or am I barking up the wrong tree and there is a better way to fingerprint the authorized client?

Tyson of the Northwest

1 Answer

Relying on an evercookie leaves you open to cookie hijacking.

In your case, someone could steal the evercookie id, and use it from another machine, making your application believe it's receiving requests from one of the specific desktops when it is not. The evercookie id could be stolen by a sophisticated user directly from the machine.

Using a strong cookie id, a strong hash, lots of entropy, etc., will not help in this case.

Changing the evercookie identifier often would invalidate any previously stolen cookies. However, this would require that someone manually intervene to regenerate the cookies periodically. This could be automated, and the updated cookie IDs could be pushed to your server with custom software over a secure connection, but that opens the possibility of the software being stolen and used on another machine.

As a rule of thumb, depending on the client to uniquely identify itself is not reliable.

If your IP addresses are assigned via DHCP, but come from some predictable set, you could implement IP checking based on a known range of IPs.

You could deploy custom software on the machine and "handshake" to it from the server. It could generate a unique id based on the hard drive serial number, a MAC address, etc. However, your custom software could be stolen and installed elsewhere by a sophisticated user, or reverse-engineered.

siliconwafer
  • But with evercookies not using the standard session cookie id, but setting a wide range of identifiers (page histories, flash cookies, etc.), wouldn't that make replicating them on another machine difficult? – Tyson of the Northwest Apr 20 '15 at 18:48
  • Difficult perhaps, impossible no. It's "security through obscurity". http://en.wikipedia.org/wiki/Security_through_obscurity – siliconwafer Apr 20 '15 at 19:09
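
The server-side gate the answer points toward, as an added example that is not part of the original question, answer or comments: a planted device token is accepted only when the request also arrives from the known classroom DHCP pool. The pool `10.20.30.0/24`, the key, the desk names and all function names are constructed assumptions, and the pool must be the range the public web server actually sees as the peer address.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholders (assumptions, not values from the post).
CLASSROOM_POOLS = [ipaddress.ip_network("10.20.30.0/24")]
SERVER_KEY = b"replace-with-random-server-side-secret"


def _tag(desk_id: str) -> str:
    return hmac.new(SERVER_KEY, desk_id.encode(), hashlib.sha256).hexdigest()


def issue_token(desk_id: str) -> str:
    """Value a staff member plants on a desktop: desk id plus HMAC tag."""
    return f"{desk_id}.{_tag(desk_id)}"


def token_desk(token: str):
    """Return the desk id if the tag verifies, else None."""
    desk_id, _, tag = token.rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(desk_id).encode())
    return desk_id if desk_id and ok else None


def in_classroom_pool(peer_ip: str) -> bool:
    """peer_ip must be the TCP peer address (REMOTE_ADDR under PHP/Apache),
    never a client-supplied header such as X-Forwarded-For."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLASSROOM_POOLS)


def allow_checkin(peer_ip: str, token: str):
    """Return (allowed, reason); both the network and token checks must pass."""
    if not in_classroom_pool(peer_ip):
        return False, "source address outside classroom pool"
    desk = token_desk(token)
    if desk is None:
        return False, "token missing or forged"
    return True, f"check-in accepted for {desk}"


if __name__ == "__main__":
    tok = issue_token("desk-07")
    # Same token presented from its desktop, from off-site, and from a
    # different machine that currently holds a lease in the same pool.
    for ip in ("10.20.30.41", "203.0.113.9", "10.20.30.99"):
        print(ip, allow_checkin(ip, tok))
```

The third case is still accepted: a token copied to another machine inside the pool passes both checks, which is the limit of client-side identification the answer describes. The range check only confines where a copied token is usable.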