How can I log requests to get unique visitors of my webpage but without saving their IP?

Hashing?

A: 

Yep, hashing would do. Just take an md5() of the user's IP and use that as a key to your data structure (which can be a database, some file, or whatever you prefer).

A database table mapping md5(IP_ADDRESS) to a number should do the trick.

skrebbel
+1  A: 

Yes, if you hash the IP address with MD5 or SHA1 you'll get the same hash for a given IP, but without the ability to easily reverse it.

However, if you did want to reverse it, and knew the salt (if any was used), you have a head start in attempting to reverse it, as you know the plaintext is a dotted quad. You could even narrow the search space to particular country IP blocks too.

If this is a concern, instead of a 128 bit hash like MD5, use a 32 bit hash so that the hash space is the same size as the IP address space. To do this, you could simply truncate an MD5 hash. You'll certainly get collisions, but attempting to reverse is less likely to give you much to go on.

Paul Dixon
Yeah, that's right, with the new CUDA-supporting tools even a regular computer has enough power to crack such a thing very, very fast. As you have 10^12 possibilities you would need less than an hour to resolve ALL (!) IPs no matter how big your database is. So if you want to prevent getting the IPs back, I guess you need something like a salt which is generated new for every day and overwritten on the next day so you can't restore it.
Flo
An IP address is 32 bits. There are at most 2^32 (really more like 2^31). Brute-forcing 2^32 MD5s is quick on modern hardware, and rainbow tables exist for MD5. *This provides no security*
derobert
@Flo: Changing salts regularly sort of defeats the ability to do unique visitors analysis.
derobert
A daily salt should not be the problem, because I only need something like an ID to count the daily visitors. 2 salts + SHA1 + one-day log (log will be cleared and analyzed at the end of a day), is this enough? If not, how to save passwords, right? o.0
Stupid2.de
If you clear the log every day and only save the stats, using a daily salt makes no more sense, and a more flexible one will kill the ability to resolve uniques. Saving the IP directly will not be too bad if you delete it within 24 hours anyway.
Flo
@derobert That's why I suggest truncating the hash to greatly increase the chance of collisions - you want a hash to give you enough collisions that you could NOT reliably figure out which one was actually used to generate the hash. This isn't really a security question, but one of privacy.
Paul Dixon
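
The daily-salt idea from the comments above, sketched as an added example that is not part of the original thread: each day gets a fresh random key, IPs are stored only as keyed tokens, and at rollover only the count is kept. It uses HMAC-SHA256 rather than the salt + SHA1 mentioned in the thread, and the names `DailyVisitorCounter`, `enumerate_md5` and `demo` are hypothetical; the second function shows, on a constructed /24, why a plain `md5(ip)` does not hide the address.

```python
import hashlib
import hmac
import ipaddress
import secrets


class DailyVisitorCounter:
    """Counts unique visitors per day without storing IP addresses."""

    def __init__(self):
        self._day, self._key, self._seen = None, None, set()
        self.totals = {}  # day -> unique visitor count (the only data kept)

    def _rotate(self, day):
        # Persist only the aggregate, then discard the old key and tokens.
        if self._day is not None:
            self.totals[self._day] = len(self._seen)
        self._day, self._key, self._seen = day, secrets.token_bytes(32), set()

    def record(self, ip, day):
        if day != self._day:
            self._rotate(day)
        # Normalise to packed bytes so one address always maps to one token.
        packed = ipaddress.ip_address(ip).packed
        token = hmac.new(self._key, packed, hashlib.sha256).hexdigest()
        self._seen.add(token)
        return token

    def unique_today(self):
        return len(self._seen)


def enumerate_md5(target_hex, network):
    """Unkeyed md5(ip) check: walk a known range and compare digests."""
    for addr in ipaddress.ip_network(network):
        if hashlib.md5(str(addr).encode()).hexdigest() == target_hex:
            return str(addr)
    return None


def demo():
    c = DailyVisitorCounter()
    # Constructed sample requests (documentation address ranges).
    for ip in ["192.0.2.7", "192.0.2.7", "192.0.2.99", "2001:db8::1"]:
        c.record(ip, "2024-01-01")
    t1 = c.record("192.0.2.7", "2024-01-01")
    t2 = c.record("192.0.2.7", "2024-01-02")  # new day, new key, new token
    recovered = enumerate_md5(hashlib.md5(b"192.0.2.7").hexdigest(), "192.0.2.0/24")
    return c.totals["2024-01-01"], t1 != t2, recovered
```

Because the key lives only in memory and is replaced at rollover, tokens from different days cannot be linked, which matches the per-day counting the asker describes.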