What data can I pull from the user?

Outer · 08-22-2005, 03:40 PM

I know of USER_AGENT and IP Address, but I need more than that.

What other information can I retrieve from the user?

iNod · 08-22-2005, 03:45 PM

What do you need?

Mostly all you can pull is OS, Browser, IP, Res.. There are a few others.. But I forget which ones.

You can pull OS, Browser through User Agent.

iNod

Outer · 08-22-2005, 03:48 PM

Honestly, I need anything and everything :-/

NuPagady · 08-22-2005, 03:58 PM

Just use this command to check what you can get:

Code:

<? print_r($_SERVER); ?>

That's what you will get:

Quote:

[PATH] => /usr/local/bin:/usr/bin:/bin
[DOCUMENT_ROOT] => /home/nupagady/public_html
[HTTP_ACCEPT] => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
[HTTP_ACCEPT_CHARSET] => ISO-8859-1,utf-8;q=0.7,*;q=0.7
[HTTP_ACCEPT_ENCODING] => gzip,deflate
[HTTP_ACCEPT_LANGUAGE] => en-us,en;q=0.5
[HTTP_CONNECTION] => keep-alive
[HTTP_HOST] => www.nupagady.info
????: NamePros.com http://www.namepros.com/programming/117709-what-data-can-i-pull-user.html
[HTTP_KEEP_ALIVE] => 300
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
[REDIRECT_STATUS] => 200
[REDIRECT_URL] => /test1.php
[REMOTE_ADDR] => some ip(I have removed mine

)
[REMOTE_PORT] => 1543
[SCRIPT_FILENAME] => /home/nupagady/public_html/test1.php
[SERVER_ADDR] => 63.247.87.154
[SERVER_ADMIN] => (removed my email)
[SERVER_NAME] => www.nupagady.info
[SERVER_PORT] => 80
[SERVER_SOFTWARE] => Apache
[GATEWAY_INTERFACE] => CGI/1.1
[SERVER_PROTOCOL] => HTTP/1.1
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[REQUEST_URI] => /test1.php
[SCRIPT_NAME] => /test1.php
[PHP_SELF] => /test1.php
[argv] => Array

So you can get visitors IP, you can find out can user run flash or not, what is his/her accepted language, encoding and much more (just check variables starting with HTTP_).. and of course some server info as well too

Outer · 08-22-2005, 04:02 PM

Great ^^

Thank you for the help

NuPagady · 08-22-2005, 04:08 PM

np

when you will find in this list what you need, just use $_SERVER + ['what_you_need']
i.e., $_SERVER['HTTP_ACCEPT_CHARSET'] - that would be for charset
$_SERVER['HTTP_USER_AGENT'] - that would be for browser, etc.. don't forget quotes.

Good luck

Peter · 08-22-2005, 07:51 PM

remember if the person goes via a proxy some of the information may not be correct. Also not all browsers will give the same information (some can spoof as well)

Outer · 08-22-2005, 07:57 PM

I know the information can be spoofed.

What Im trying to do with all of this information is make a 128-bit secure code that pertains to that user only (like a session_id, just a bit more secure in my opinion)

It will rely on user information such as the IP, User Agent, etc.

Do you know the function that bypasses the Proxy server's address and gets the users true IP address?

nasaboy007 · 08-22-2005, 10:29 PM

wow thats pretty cool. thanks i can use that

Porte · 08-23-2005, 02:47 AM

NuPagady, very nice function, thanks for this.

Peter · 08-23-2005, 03:13 AM

Originally Posted by Outer

It will rely on user information such as the IP, User Agent, etc.

That may cause a problem on your web page. Certain users will not be able to use your page. For example AOL users, their IP can change from page to page.

Outer · 08-23-2005, 05:46 AM

Thats what I was thinking about also, but I could have the IP change with the user.

Either that, or have it rely on the first 3 digits in an IP address (since the first 3 don't change too often with the provider such as AOL)

AOL has these sets of IP's basically:
????: NamePros.com http://www.namepros.com/showthread.php?t=117709
<pre>
172.128.0.0/10----172.192.0.0/12----172.208.0.0/14----202.67.66.0/23
172.200.0.0/15----172.202.0.0/15----172.212.0.0/14----172.216.0.0/16
202.67.68.0/22----202.67.72.0/21----202.67.80.0/20----202.67.96.0/19
</pre>

I will probably pick one of those solutions, hence the reason I asked for more information in this thread, so I either dont have to base it off of the IP, or use it so as to not create *as much* problems

primacomputer · 08-23-2005, 12:59 PM

How about generating a 128 bit cookie and use that instead of a session id? What are you trying to accomplish? Why do you need something more “secure” than a session id?

Eric · 08-23-2005, 01:21 PM

There's quite a bit you can pull:
http://www.secondversion.com/ip/test.php
OS, OS Version, OS Vendor etc etc I have the script for that somewhere..

Atomical · 08-23-2005, 01:23 PM

What I used to do for sessions is this. When you log the user in store his ip address in a session variable. Then when he loads other pages check to make sure that the IP address matches the one you stored.

NuPagady · 08-23-2005, 01:27 PM

Originally Posted by nasaboy007

wow thats pretty cool. thanks i can use that

Originally Posted by Designporte

NuPagady, very nice function, thanks for this.

np, good luck in coding

Outer · 08-23-2005, 02:49 PM

It's a bit more complicated than just placing a 128-bit code inside of the cookie

Im doing it for the sole purpose of doing it. Making things more secure should be everyones initiative

I need it to be more secure because of the reason my new application will be protecting very sensitive data in which I do not want just anyone to have access to or easily be able to get through something to see that information :-/
????: NamePros.com http://www.namepros.com/showthread.php?t=117709

Everything has vulnerabilities, sessions and cookies alike. My little sessions makup here will probably have a few vulnerabilities. I don't want anything going through the URL or anything stored on the clients side, hence the reason for this.

Peter · 08-23-2005, 04:35 PM

1 thing you have to be careful about is making it too secure that it becomes awkward to use for the customer.

I do agree that security is a main concern but dont go overkill on it.

Also I would suggest being reluctant on using cookies, if you rely on them then that alienates a section of your audience, have a contingency plan for people who do not allow cookies.

Outer · 08-23-2005, 05:00 PM

I wont be using cookies for this project

I am keeping off of sessions and cookies completely.

I will make a seperate version in which cookies are enabled for two reasons (An additional check and remember me) but thats just about it...
????: NamePros.com http://www.namepros.com/showthread.php?t=117709

Originally Posted by SecondVersion

There's quite a bit you can pull:
http://www.secondversion.com/ip/test.php
OS, OS Version, OS Vendor etc etc I have the script for that somewhere..

Could you share the script to that? I think I know how you are doing it all, but not completely positive :-/

iNod · 08-23-2005, 05:09 PM

http://flubel.vphost.net/IPDNS/

If you pay me like 5$ I can give you the above script.. I would like to give it to you for free but it is like 800 lines or so.. So well..

iNod

Atomical · 08-23-2005, 05:15 PM

800 lines? More like four. I'll give you that script for free. Better yet, search freshmeat.net.

iNod · 08-23-2005, 05:57 PM

lol..

The script I posted above search your IP in Ip 2 Country DB. Does the http_user_agent and takes that and extracts it based on what that is it displays your complete OS not Windows NT 5.1 it displays Windows XP, Linux Redhat,etc it displays your browser.. Actual name not Mozilla/54432

It is 800+ lines..

iNod

Zubair1 · 08-23-2005, 10:00 PM

its hard tracking users with their i.p address's thanks to BIG ISP'S like AOL
giving users dynamic, which from that their i.p changes on every visit.

you really can't know if the person is the same as who you thought it was,
any body has solutions or ideas for this.?

primacomputer · 08-24-2005, 03:06 AM

Before you start looking at writing a solution like this I think you should go back to basics and read up a bit on various authentication systems and how they work. I think you'll find you are barking up the wrong tree.
????: NamePros.com http://www.namepros.com/showthread.php?t=117709

I have a passive fingerprinting system that keys off the user agent, network, route, etc. It also has an option to see around many proxy servers by using other protocols. In addition have an active fingerprinting system that profiles the users TCP/IP stack as well as any services they are running. This is very effective at detecting the same person logging in as different users. Even if they change their IP, clear their cookies, and restart their browser. But it it far from foolproof, and I wouldn't even dream of relying on it to replace session ids.

If you're worried about security try SSL. Then use the session ids/ cookies that are relatively secure within the SSL tunnel. If you want to keep an eye out for users who are cheating then add some fingerprinting and profiling on top of that. Session ids and SSL were designed to do what you want. Don't try to reinvent the wheel, especially if you haven't yet learned to make fire.

Atomical · 08-24-2005, 06:58 PM

This is really over kill. Either the poster has an inane sense of how to accomplish security or he's programming NSA's website. The best idea is to store the information you know about the user and force them to relogin if that information changes. I doubt anyone will have success brute forcing session id's. You could even modify php's session generator to be a mix of md5 and whatever else they use.

08-22-2005, 03:40 PM	THREAD STARTER #1 (permalink)
Outer NamePros Member Join Date: Jan 2005 Location: Texas USA Posts: 71	What data can I pull from the user? I know of USER_AGENT and IP Address, but I need more than that. What other information can I retrieve from the user? __________________ I wonder...

08-22-2005, 03:45 PM	#2 (permalink)
iNod Eating Pie Join Date: Nov 2004 Location: Canada Posts: 2,272	What do you need? Mostly all you can pull is OS, Browser, IP, Res.. There are a few others.. But I forget which ones. You can pull OS, Browser through User Agent. iNod __________________ I feel old.

08-22-2005, 03:48 PM	THREAD STARTER #3 (permalink)
Outer NamePros Member Join Date: Jan 2005 Location: Texas USA Posts: 71	Honestly, I need anything and everything :-/ __________________ I wonder...

08-22-2005, 04:02 PM	THREAD STARTER #5 (permalink)
Outer NamePros Member Join Date: Jan 2005 Location: Texas USA Posts: 71	Great ^^ Thank you for the help __________________ I wonder...

08-22-2005, 07:51 PM	#7 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	remember if the person goes via a proxy some of the information may not be correct. Also not all browsers will give the same information (some can spoof as well) __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

08-22-2005, 04:08 PM	#6 (permalink)
NuPagady NamePros Regular Join Date: Jul 2005 Location: Lithuania Posts: 482	np when you will find in this list what you need, just use $_SERVER + ['what_you_need'] i.e., $_SERVER['HTTP_ACCEPT_CHARSET'] - that would be for charset $_SERVER['HTTP_USER_AGENT'] - that would be for browser, etc.. don't forget quotes. Good luck

08-22-2005, 07:57 PM	THREAD STARTER #8 (permalink)
Outer NamePros Member Join Date: Jan 2005 Location: Texas USA Posts: 71	I know the information can be spoofed. What Im trying to do with all of this information is make a 128-bit secure code that pertains to that user only (like a session_id, just a bit more secure in my opinion) It will rely on user information such as the IP, User Agent, etc. Do you know the function that bypasses the Proxy server's address and gets the users true IP address? __________________ I wonder...

08-22-2005, 10:29 PM	#9 (permalink)
nasaboy007 Senior Member Join Date: Jul 2005 Location: NJ Posts: 1,219	wow thats pretty cool. thanks i can use that __________________ Hacksar.com - Your source for random computer tips and tricks! MySiteMemberships.com - Keep track of your site registration information! Like my post? Rep is appreciated!

08-23-2005, 02:47 AM	#10 (permalink)
Porte Senior Member Join Date: May 2005 Location: I'm right here Posts: 3,526	NuPagady, very nice function, thanks for this. __________________ WP Theme Developer Your One-stop for Premium Magazine/CMS WordPress Themes Deluxe Themes

08-23-2005, 05:46 AM	THREAD STARTER #12 (permalink)
Outer NamePros Member Join Date: Jan 2005 Location: Texas USA Posts: 71	Thats what I was thinking about also, but I could have the IP change with the user. Either that, or have it rely on the first 3 digits in an IP address (since the first 3 don't change too often with the provider such as AOL) AOL has these sets of IP's basically: ????: NamePros.com http://www.namepros.com/showthread.php?t=117709 <pre> 172.128.0.0/10----172.192.0.0/12----172.208.0.0/14----202.67.66.0/23 172.200.0.0/15----172.202.0.0/15----172.212.0.0/14----172.216.0.0/16 202.67.68.0/22----202.67.72.0/21----202.67.80.0/20----202.67.96.0/19 </pre> I will probably pick one of those solutions, hence the reason I asked for more information in this thread, so I either dont have to base it off of the IP, or use it so as to not create as much problems __________________ I wonder...

08-23-2005, 12:59 PM	#13 (permalink)
primacomputer Senior Member Join Date: Mar 2004 Posts: 1,402	How about generating a 128 bit cookie and use that instead of a session id? What are you trying to accomplish? Why do you need something more “secure” than a session id?

08-23-2005, 01:21 PM	#14 (permalink)
Eric Senior Member Join Date: Mar 2005 Posts: 4,948	There's quite a bit you can pull: http://www.secondversion.com/ip/test.php OS, OS Version, OS Vendor etc etc I have the script for that somewhere..

08-23-2005, 01:23 PM	#15 (permalink)
Atomical New Member Join Date: Jun 2005 Posts: 11	What I used to do for sessions is this. When you log the user in store his ip address in a session variable. Then when he loads other pages check to make sure that the IP address matches the one you stored.

08-23-2005, 02:49 PM	THREAD STARTER #17 (permalink)
Outer NamePros Member Join Date: Jan 2005 Location: Texas USA Posts: 71	It's a bit more complicated than just placing a 128-bit code inside of the cookie Im doing it for the sole purpose of doing it. Making things more secure should be everyones initiative I need it to be more secure because of the reason my new application will be protecting very sensitive data in which I do not want just anyone to have access to or easily be able to get through something to see that information :-/ ????: NamePros.com http://www.namepros.com/showthread.php?t=117709 Everything has vulnerabilities, sessions and cookies alike. My little sessions makup here will probably have a few vulnerabilities. I don't want anything going through the URL or anything stored on the clients side, hence the reason for this. __________________ I wonder...

08-23-2005, 04:35 PM	#18 (permalink)
Peter NamePros Expert Join Date: Nov 2003 Location: Scotland Posts: 5,069	1 thing you have to be careful about is making it too secure that it becomes awkward to use for the customer. I do agree that security is a main concern but dont go overkill on it. Also I would suggest being reluctant on using cookies, if you rely on them then that alienates a section of your audience, have a contingency plan for people who do not allow cookies. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

08-23-2005, 05:09 PM	#20 (permalink)
iNod Eating Pie Join Date: Nov 2004 Location: Canada Posts: 2,272	http://flubel.vphost.net/IPDNS/ If you pay me like 5$ I can give you the above script.. I would like to give it to you for free but it is like 800 lines or so.. So well.. iNod __________________ I feel old.

08-23-2005, 05:15 PM	#21 (permalink)
Atomical New Member Join Date: Jun 2005 Posts: 11	800 lines? More like four. I'll give you that script for free. Better yet, search freshmeat.net.

08-23-2005, 05:57 PM	#22 (permalink)
iNod Eating Pie Join Date: Nov 2004 Location: Canada Posts: 2,272	lol.. The script I posted above search your IP in Ip 2 Country DB. Does the http_user_agent and takes that and extracts it based on what that is it displays your complete OS not Windows NT 5.1 it displays Windows XP, Linux Redhat,etc it displays your browser.. Actual name not Mozilla/54432 It is 800+ lines.. iNod __________________ I feel old.

08-23-2005, 10:00 PM	#23 (permalink)
Zubair1 NamePros Regular Join Date: Mar 2005 Posts: 912	its hard tracking users with their i.p address's thanks to BIG ISP'S like AOL giving users dynamic, which from that their i.p changes on every visit. you really can't know if the person is the same as who you thought it was, any body has solutions or ideas for this.? __________________ Live Support : Zubair11 [at] hotmail.com Free SEO Directory! \|\| Free Online TV \|\| Tech Blog Web Design & Web Development Services \|\| Reliable Web Hosting

08-24-2005, 03:06 AM	#24 (permalink)
primacomputer Senior Member Join Date: Mar 2004 Posts: 1,402	Before you start looking at writing a solution like this I think you should go back to basics and read up a bit on various authentication systems and how they work. I think you'll find you are barking up the wrong tree. ????: NamePros.com http://www.namepros.com/showthread.php?t=117709 I have a passive fingerprinting system that keys off the user agent, network, route, etc. It also has an option to see around many proxy servers by using other protocols. In addition have an active fingerprinting system that profiles the users TCP/IP stack as well as any services they are running. This is very effective at detecting the same person logging in as different users. Even if they change their IP, clear their cookies, and restart their browser. But it it far from foolproof, and I wouldn't even dream of relying on it to replace session ids. If you're worried about security try SSL. Then use the session ids/ cookies that are relatively secure within the SSL tunnel. If you want to keep an eye out for users who are cheating then add some fingerprinting and profiling on top of that. Session ids and SSL were designed to do what you want. Don't try to reinvent the wheel, especially if you haven't yet learned to make fire.

08-24-2005, 06:58 PM	#25 (permalink)
Atomical New Member Join Date: Jun 2005 Posts: 11	This is really over kill. Either the poster has an inane sense of how to accomplish security or he's programming NSA's website. The best idea is to store the information you know about the user and force them to relogin if that information changes. I doubt anyone will have success brute forcing session id's. You could even modify php's session generator to be a mix of md5 and whatever else they use.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
### No Bandwidth Bills ever again from just £59.99 ###	blackicehosting	Web Hosting Offers	0	07-22-2005 10:16 PM
Dedicated Servers from just £45 $90 + [UK] 1 TB Data Transfer P4 3.0GHZ Only £119	blackicehosting	Web Hosting Offers	0	07-12-2005 07:24 PM
Unmetered Summer Savings + 10% Discount	blackicehosting	Web Hosting Offers	0	07-02-2005 12:20 PM
New Site New Looks New Unmetered Savings	blackicehosting	Web Hosting Offers	0	05-29-2005 03:58 PM