If a person clears their cookies and changes their IP address, is there ANY way for a website to identify that computer as a computer that has "been here before"? In other words, no identifiable information like MAC can ever be known over HTTP, right? (I've looked through the list of headers and only see cookies and user-agent).

Also - same goes for a mobile device. If the mobile clears cookies, is there any way to identify it as a repeat visitor?

Thanks!

Chad

+1  A: 

Not at the application level. As you correctly determined, the user can change everything that is sent in an HTTP request.

As for the MAC address, the MAC address is used in the link level of the internet protocol. It is not transmitted along multiple hops when making any sort of internet communication, thus unless you are 1 hop away from the client, you cannot use this information either.

Bottom line, can't really be done. If someone really wants to be forgotten, then they will be forgotten.

Stargazer712
+1  A: 

There are other ways to identify individual users without cookies -- based on a variety of information leaked by the browser and associated plugins. Check out Panopticlick for an example. It's probably not as effective with mobile browsers because (as far as I know) they don't have plugins like desktop browsers.

Marc Novakowski
wholly scary... that's interesting stuff.
Chad
+1  A: 

If you look at a site such as browserspy, you will see that a website can find out quite a bit more from a browser than the stuff you see just by looking at your request headers. And security researchers have done some investigation of the idea of uniquely identifying a browser based on those characteristics (e.g. what plugins you have installed, what fonts you have installed, etc.). But nothing like this is truly reliable (for one thing, much of this will change simply by switching to a different browser on the same computer). There is certainly no "official" unique identifier such as a MAC address.

JacobM
A: 

As others have said, no, there's nothing you can do for normal browser access.

For mobile devices (at least via WAP) there is an extra CGI parameter (the name of which escapes me) which the gateway is supposed to populate with an identifier which is unique to that mobile device's phone number - however implementations vary.

C.

symcbean
A: 

Does anyone know how to build something like panopticlick.eff.org?

Dan
Dan - I'm no expert but I would imagine you take all the information available to you over the request (including browser/plugin specifics), create some type of comparable fingerprint, and match it across all fingerprints in a database.
Chad
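
The approach sketched in the last comment, as an added example that is not part of the original thread: it measures how many bits of identifying information each browser attribute carries (the kind of figure Panopticlick reports) and shows that a cookie-less exact match survives cleared cookies but not a browser switch. The attribute names, sample visits and function names are constructed for illustration.

```javascript
// Constructed sample: attributes a site might record per visit (no cookie, no IP).
const KEYS = ["userAgent", "language", "timezone", "screen", "fonts"];
const mk = (userAgent, timezone, fonts, screen = "1920x1080", language = "en-US") =>
  ({ userAgent, language, timezone, screen, fonts });
const visits = [
  mk("Firefox/3.6 Win", "UTC-5", "Arial,Calibri,Wingdings"),
  mk("Firefox/3.6 Win", "UTC-5", "Arial,Calibri"),
  mk("Firefox/3.6 Win", "UTC+1", "Arial,Calibri"),
  mk("Firefox/3.6 Win", "UTC+1", "Arial,Verdana"),
  mk("Chrome/5 Win", "UTC+0", "Arial,Calibri"),
  mk("Chrome/5 Win", "UTC+0", "Arial,Verdana"),
  mk("Safari/4 Mac", "UTC-8", "Helvetica,Monaco"),
  mk("MSIE 8.0 Win", "UTC+9", "Arial,Meiryo"),
];

// Canonical string for the whole attribute set (a real system would likely hash it).
function fingerprint(v) {
  return KEYS.map((k) => `${k}=${v[k]}`).join("|");
}

// Self-information in bits: log2(N / visits sharing the target's values for `keys`).
// Returns Infinity when no recorded visit shares them.
function bits(population, target, keys = KEYS) {
  const same = population.filter((v) => keys.every((k) => v[k] === target[k])).length;
  return Math.log2(population.length / same);
}

// Per-attribute breakdown plus the combined figure for one visit.
function report(population, target) {
  const perKey = Object.fromEntries(KEYS.map((k) => [k, bits(population, target, [k])]));
  return { perKey, combined: bits(population, target) };
}

// Cookie-less "been here before?" check: exact match on the canonical fingerprint.
function seenBefore(population, visit) {
  return new Set(population.map(fingerprint)).has(fingerprint(visit));
}

// Same browser after clearing cookies and changing IP: attributes are unchanged.
const returning = { ...visits[0] };
// Same machine, different browser: user agent and exposed font list differ.
const otherBrowser = { ...visits[0], userAgent: "Opera/10 Win", fonts: "Arial,Calibri" };

console.log(report(visits, visits[0]));
console.log("cleared cookies:", seenBefore(visits, returning));
console.log("switched browser:", seenBefore(visits, otherBrowser));
```

Attributes that report 0 bits (here `screen` and `language`) are shared by everyone in the sample and identify nothing; the rare font list is what makes the first visitor unique.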