Security - Detecing user's device details on website.

Question

Is it possible to detect these for visitors or registered users on my website without using any plugins? I am creating the security features so scouting around for things i can detect for added security alerts. Security is very important with this service due to storage of confidential information so I am trying to use different security layers. One layer is to auto-detect device details for usage patterns and flag accordingly. But I need to know if these can be detected:

• If they are using Wireless internet or LAN.
• If wireless then the SSID.
• MAC address of network card
• Computer name
• Current screen resolution user is using
• ISP user is using
• User account currently logged in the OS.

* Also, what else can we detect to uniquely identify a device? All all the above is good but can still change. Only item I can think of is Serial number of the device. Which I am not sure if we can detect without plugings.

Platform is PHP but ofcourse can integrate any language if it is possible to detect these in some other language.

Answer 1

The only thing you can get without a plugin is the ISP, but even that may be lying if they're using a proxy belonging to someone else. Generate a SSL certificate for them to install into the browser if you need any sort of actual client authentication.

Answer 2

What you can guess:

• mac address (you have to use external command line tools, because it is not supported in PHP by default, see: http://bugs.php.net/bug.php?id=45980; however this works if you are in the same LAN as the client)
• resolution (this can be done only in JavaScript)
• isp (this usually works, but the user can use proxies or tor)

But beware, because most of these information can be easily faked.

Answer 3

If they are using Wireless internet or LAN.

No

If wireless then the SSID.

No

MAC address of network card

No

Computer name

You can perform a reverse DNS lookup on the IP address

Current screen resolution user is using

JavaScript can give you this

ISP user is using

A whois on the ip may give you this

User account currently logged in the OS.

No

Provisos with the IP: It will be the Internet facing IP that the request comes from. A proxy or NAT and obscure it.

Answer 4

No, you can't. At least not from a security perspective. You're effectively asking the user "are you allowed?", which is pointless.

What you can do however (as Yorirou said), is to guess these things to help the user. This is different since you are not trying to stop users with "bad" whatever, but help them by telling them to upgrade or change something.

If you do this, you have to be very clear about the difference.. and document it so the next guy does not f#¤ it up.. which he will.. and he'll trust a "security" property (i.e., the user is not on a wireless) which is really just a guess.