I’m developing a distributed software (in python) that I intend to run on the web (browser) and I came across a question about session id? For this, I need to develop a solution ( Stateful ) between ( Browser and Server ) to establish a unique, identified and persistent session. I researched about (External IP, Mac Address and Authentication Http) but practically all of these can be dynamic in order not to be identified. In an honest and transparent way, I ask, what immutable device (hardware) resource can I use to capture, identify the (Computer, whether on a private network or not) and be able to generate a session (stateful) regardless of whether the user is logged in or not in the web application ?
Your question is not about Python but rather about the HTTP protocol and web browsers.
Web browsers intentionally limit the information they provide to the web server because it can be misused:
Here you can check how unique fingerprint can be obtained from your web browser:
The normal way how you identify a web browser instance is that you generate your unique ID and store it in a cookie (tracking cookie) into the web browser.
Thank you for the initiative I know the resources of cookies and sessions but it is not the case.
Ok, so what is the case? Web browsers will not provide a unique ID for the security reasons.
Why do not you want to use your ID stored in a cookie?
Instead of using cookies are you willing to require installing an agent on the client computers which will be able to create an unique ID from the computer’s hardware and firmware?
Cookies can be deleted by the user (just cleaning the browser) giving a little more work to identify the user.
In the TCP/IP protocol stack, there is a (Link) layer, where the mac addresses of the origin device (client-side) and destination device (server-side) are located, which deal with communications issues (local and remote).
In the python language there is a module ( uuid ) that allows me to capture the mac address of a local device, executing the code below:
import uuid, re
macs = ':'.join(re.findall('..', '%012x' % uuid.getnode()))
print(macs)
The code above is functional, but if I run the same code on a web server, it gets the mac address of the server and not the user’s device ( origin ).
I believe that I need to use a low language to be able to access this fundamental resource when identifying a user on a private or local network.
Yes. Every user should be able to delete cookies. It would be really miserable if they were prevented from doing so. Your application just needs to handle and communicate the situation to the user the right way.
uuid.getnode()
What makes you think that this function is able to retrieve information about a remote computer? How would you even choose which machine to get the information from? The function gets the MAC address from the machine the code runs on.
Note that MAC address is not guaranteed to be constant. 1. The interface can be replaced. 2. The MAC can be changed. 3. The network interface can be virtual with a dynamically generated MAC. 4. A machine can have an IP connectivity without having a MAC address.
Is your application limited to the local network without routers in the way? I.e. the clients are in the same broadcast domain on a network switch as the server?
If so then there are ways how to get the MAC address (with some limitations).
Otherwise there is no standardized way and you would need to use a software running on the client - the agent I mentioned.
I noticed that you opened a new topic about this: