1

In my web-app I need to register http clients accessing from a local network behind a router.

I started with the remoteHost : remotePort combination, but soon enough it became clear that the port number gets regenerated upon each connection.

I need to be able to identify the clients on something similar to MAC address, some property that doesn't change. I wanted to use headers[ "X-Forwarded-For" ], but it's not present at all:

[Pragma=no-cache, Cache-Control=no-cache, Host=somhost.com:8822, Upgrade=websocket, Connection=Upgrade, Sec-WebSocket-Key=scnlM7hzjjy3cklJhJciA==, Sec-WebSocket-Extensions=x-webkit-deflate-frame,deflate-frame, Sec-WebSocket-Version=13]

What are the other options to identify clients?

injecteer

4 Answers

0

One option is using cookies. As the client accesses the webapp for the first time we could set a cookie on the client side that has a very long expiry date.

During the subsequent user re-logins we can rely on this cookie as cookies get sent to the server.
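An added example of the long-lived cookie approach, not part of the original answer: the server issues a random client id on first contact and signs it with an HMAC, so a client cannot forge or alter the id it presents later. The cookie name `device_id`, the in-memory `SERVER_KEY`, and the assumption that the app is served over HTTPS (needed for the `Secure` flag) are illustrative choices, not taken from the page.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie
from typing import Optional, Tuple

# Assumption: in a real deployment this key comes from server-side configuration.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "device_id"            # hypothetical cookie name
TEN_YEARS = 10 * 365 * 24 * 3600     # "very long expiry", in seconds

def _sign(client_id: str, key: bytes) -> str:
    """HMAC-SHA256 tag binding the id to the server key."""
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()

def issue_cookie(key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """Return (client_id, Set-Cookie header value) for a first-time client."""
    client_id = secrets.token_urlsafe(16)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{client_id}.{_sign(client_id, key)}"
    morsel = cookie[COOKIE_NAME]
    morsel["max-age"] = TEN_YEARS
    morsel["path"] = "/"
    morsel["httponly"] = True        # not readable from page scripts
    morsel["secure"] = True          # assumption: the app is served over HTTPS
    morsel["samesite"] = "Lax"
    return client_id, morsel.OutputString()

def identify(cookie_header: Optional[str], key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the client id from a Cookie request header, or None if absent or forged."""
    try:
        cookie = SimpleCookie(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    client_id, sep, tag = morsel.value.rpartition(".")
    expected = _sign(client_id, key)
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return client_id
```

This identifies a browser profile rather than a machine: clearing cookies or switching browsers yields a new id.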

0

You can try this bit of PHP to see what the server knows about an incoming http request:

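<?php
// Dump everything the server knows about the incoming request.
// Values are HTML-escaped because headers such as User-Agent are client-controlled.
echo "<table bgcolor='black' cellpadding='1' cellspacing='1'>\n";
echo "  <tr bgcolor='yellow'><td><b>Key</b></td><td><b>Value</b></td></tr>\n";
foreach ($_SERVER as $key => $value) {
    // Some entries (e.g. argv) are arrays; flatten them before escaping.
    $text = is_array($value) ? print_r($value, true) : (string) $value;
    echo "  <tr bgcolor='white'><td>" . htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8')
        . "</td><td>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
}
echo "</table>\n";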
hairysocks
0

You could use an API key, that is, a unique identifier that the clients send along with each request to identify themselves. Depending on the authentication method you are using, you could consider the standard HTTP Authorization header to send this value:

Authorization: API-Key <value goes here>

Or create a custom HTTP header for this purpose. But be careful with custom headers: proxies might strip them out.

cassiomolin
0

Are you identifying the user at the keyboard or the device making the request? Do you need to track these long term or only for the duration of a use session? Do your users connect from multiple devices?

Client side id certificates could work, depending on how the local machines are managed. If they are accessing your app from someplace they've already authenticated, then setting up a single sign on solution could work. Prompting for authentication always works too.

ivanivan