I'm looking for a unique identifier of clients in WebApi Core 2.0.
I tested `HttpContext.Connection.Id`; it's the same for all browsers!

```csharp
[HttpGet]
public IActionResult GetConnectionId()
{
    return Ok(new
    {
        ConnectionId = HttpContext.Connection.Id
    });
}
```

I also tested it with a virtual machine; it was the same for all clients.
How do I get a unique identifier of clients in Asp.Net WebApi Core 2?

Mohammad Dayyan
  • Set a cookie for your client, then read that cookie in subsequent requests - here is a unique identifier. – Evk Nov 30 '17 at 08:13
  • Consumers of the web API are cookieless, like software, robots, ... – Mohammad Dayyan Nov 30 '17 at 08:15
  • Have them pass in an ID? – ProgrammingLlama Nov 30 '17 at 08:15
  • Then what kind of unique id you expect? From which information? – Evk Nov 30 '17 at 08:15
  • How about the MAC address as unique id? – Georg Patscheider Nov 30 '17 at 08:30
  • `How about the MAC address as unique id?` Great, how can I access it in WebApi Core? – Mohammad Dayyan Nov 30 '17 at 08:33
  • `Then what kind of unique id you expect? From which information?` I want to store something in server by each client Id, and find them in next requests – Mohammad Dayyan Nov 30 '17 at 08:35
  • @john: maybe, not always – Mohammad Dayyan Nov 30 '17 at 08:36
  • [You can't get the client MAC](https://stackoverflow.com/questions/3309122/how-can-i-get-a-mac-address-from-an-http-request). [Another link against MAC addresses](https://stackoverflow.com/questions/839973/how-to-get-a-clients-mac-address-from-httpservlet). And each request is separate from the previous request, so unless you have cooperation from the client, you can't do what you want at all. – ProgrammingLlama Nov 30 '17 at 08:36
  • The closest you could do is assume one IP = one identity, but we already know that's a bad idea. – ProgrammingLlama Nov 30 '17 at 08:36
  • What you are looking for is *authentication*, i.e. finding out who the caller is. You should look into e.g. JWT bearer token authentication. – juunas Nov 30 '17 at 08:40
  • When you say a unique identifier, are you looking for something that will tell you whether multiple API calls were made from the same client-side application? If so, you need to make that part of your API design (that the client passes some sort of session identifier to each API. If the client is a web browser that can be done via cookies as mentioned above). Or do you mean that you need some way for your web service to identify a connection that's currently open (given that it might be processing multiple requests simultaneously)? – Dylan Nicholson Nov 30 '17 at 08:41

1 Answer

There is no such thing as a "unique identifier for a client". HTTP is stateless. The HTTP protocol is actually designed in such a way on purpose. Any client should be able to communicate with any server, regardless of past communication. This enables concepts like load-balancing, failover, etc.

Things like sessions, cookies, etc., have been layered on top of the HTTP protocol to enable a form of state, but rather than being a true feature of the protocol, they are a cooperative effort between servers and clients. Both the client and server must participate in the process to enable state to be achieved. Cookies, in particular, are what enables companies like Google, Facebook, et al., to track a user from site to site. However, as you've correctly indicated, cookies are incompatible with REST-based APIs.

Therefore, your only option is authentication. By forcing the client to authenticate, you can then know exactly the identity of the client and track that client's activities. Nothing else will suffice. There is no way to access client details such as a MAC address, because you can only access what the client chooses to share, and that is not one of those things. Even if it was, it could be manipulated. IP addresses once were somewhat identifying, but in this age of WAPs, proxies, VPNs and such, a single IP could be used by any number of unique clients. Also, again, the IP address can be spoofed as well, so even if you could identify a client by IP, it wouldn't ensure that you were truly dealing with that client.

There are various forms of authentication you can choose from. JWT (JavaScript Web Tokens) are popular nowadays, but you can just as easily use client authentication, certificate authentication, OAuth, OpenID, etc. The main point is to simply force the client to authenticate, in some form. Only then can you identify the client.

Chris Pratt