I need to store the IP address, the User-Agent of the client who is requesting a particular web page, the name of the webpage being requested and the request time. I am planning to store the information in a table in the database(MySQL). But, the problem I can for-see is that every time the page is requested there will be a database entry, and in time it would take up a huge amount of space.
Does analytics tools like Google Analytics already store these information (IP-Address, User-Agent, Requested-Webpage-Name, Time) that I can access anytime in future (Say, i need to check the client's IP and User-Agent who viewed a particular page within a particular timeframe)? If not, is my approach the right way to do it? If not, what is the right way?
I found that nginx does this out of the box with it's access logs, which are stored in /var/logs/nginx/access.log. So, i just need to pare the access log data, using various tools available online.
Related
I am trying to solve the classical approach to how user login pass token is stored in web browsers. By default, anyone who can access the developer's consoles of the browser can obtain the content in password fields by looking at the HTML content of the input element or using javascript.
Because of this, if by mistake someone comes across your login password, he/she can use it on any browser to access your data from the server.
To solve this problem, I am researching a way which on an attempt to login the server will generate a unique pair ID from the client's Unique ID and let the client store this server generated ID as the user's login pass for this client only, such that if the server generated ID is used in attempt to log in from another browser, the server will compare the associated browser ID to the accessing unique ID before permitting access.
Consequently, A server generated login can only be valid on the client who generated the ID, the real password is never stored on the client, but only used on the first attempt to login on a client who does not have valid server ID. The user will have the opportunity to invalidate all the server-generated pass.
For this to work, I need a unique token from the browser such that if 10 instances of the same browser are installed on the computer within a time-space less than 1 second, the ID of this browsers will never be the same.
My question is, can such Unique ID be obtained from the browser? any suggestion on how to go about this is also appreciated.
In general, you can't uniquely identify a browser installation in the way you describe. This is, in part, to protect users' privacy from tracking across the web.
Your ultimate goal (preventing an attacker from authenticating if they discover the user's password), however, can be satisfied with a one-time-password system, like TOTP.
In a system like this, when an account is set up for one-time passwords, the user and service share a secret. Later, when the user logs in, they are prompted for a one-time password, which they generate using special software, which is isolated from the client, and ideally on another device. For example, the user might use the Google Authenticator app on a smartphone to generate a code that they enter on their desktop browser.
Even if the attacker captures the user's conventional password with a key logger, they can't authenticate themselves because they don't have access to the shared secret necessary to compute the one-time-password.
Universal 2nd Factor authentication is another approach to thwart key loggers based on some parallel concepts. (That is, it also uses a one-time code, generated with a secret that is securely stored rather than being exposed on the client.)
Is it possible to create a client-side only app, with no server backend, that stores data in a way that one user can see things stored by another user on the app?
To give some context, I am trying to create an cross platfor phone application, preferably using html, that will allow users to log their hours in a punch in, punch out style and then have these hours become viewable by a supervisor, however I will not have any server power to store any data.
I'm sure this is possible, perhaps using something like google spreedsheets or something similar to store this data, however I am at a loss how I would do this. Any help would be appreciated.
The short answer is "No."
However you can use a service such as Firebase to host your data for you.
I have been reading up about html localStorage but I've read contradicting information. All I would like to know is if I was to save information using localStorage was the user of that computer be the only person able to access/view the information that they had inputted into a form? Or can it also be viewed by users on different devices?
I am thinking to use local storage in an admin page that many people are allowed to access too, instead of sessions. And all users must be able to edit and view information from different devices and using different login details.
The localStorage is called like that because it can be accessed only locally. So you cannot use it to share the data across different clients. You need to use some server to store the data and provide it to your users.
The localStorage object stores data on the users computer permanently, and that data can only be accesses on the users computer by the same origin or domain name, so if you want shared data you have to use some sort of server side mechanism.
My question is as follows. When I recieve a usage fee for an application I developed in Access 2007 I send out the application to my client, but how do I make sure that the client won't simply copy the database and redistribute it. Thus letting the client's client avoid the usage fee for the application.
I have put a 128-bit encryption on the application to secure the data in the tables and also converted it from a .Accdb to .Accde to secure the forms, reports, query's and VBA.
Also, I let them sign a legal document in which it states that the application cannot be redistributed unless authorized by me, but of course I'd rather they couldn't even if they tried.
What are my options here? I thought about linking a license code (handmade by me) to a certain MAC-Address that I can retrieve with VBA. And only making the database usable in case they match. But would this even work and is it easy to bypass?
Any help would be greatly appreciated,
thanks in advance for any suggestions/replies.
Edit: Thanks Dork Programmer for your reply.
In the end I chose to go for the drive volume number to give access to the application. I am aware that this changes when the disk is formatted and there is a slight possibility that it is not unique, however I believe this will have to do as I am unable to retrieve the manufactures hard drive serial number (which would be unique)
In conclusion; the client wil give me their drive vol number, I then add this to a table that holds these numbers. I then apply all my security measures and send the client the app. When the application opens the app will only be usable if a match is found between the clients disk vol number and the values in the table, else it will close the app. Should a client decide to format his/her disk or remove it they could then contact me and I'd add the new number to the approved numbers table and send them the app back.
I just sharing what I did on my ms-access application
First, I create some form with the VBA code inside to enter the unique code
Then I create some Hidden table to store the unique code and also to store the IP address/Computer name that database located.
Based on my experience, this method is quite enough effective to avoid user copying the database or moving it to another computer.
The problem I am trying to tackle is simple. I have two pages - the first is a registration page, I take in a few fields from the user, once they submit it takes them to another page that processes the data, stores it to a database, and if successful, gives a confirmation message. Here is my issue - the data from the user is sensitive - as in, I'm using an https connection to ensure no eavesdropping. After that is sent to the database, I'd like on the confirmation page to do some nifty things like Google Maps navigation (this is for a time reservation application). The problem is by using the Google Maps api, I'd be linking to items through a unsecure source, which in turn prompts the user with a nasty warning message. I've browsed around, Google has an alternative to enterprise clients, but it costs $10,000 a year. What I am hoping is to find a workaround - use a secure connection to take in the data, and after it is processed, bring them to a page that isn't secure and allows me to utilize the Google Maps API. If any of you have a Netflix account you can see exactly what I would like to do when you sign-in, it is a secure page, which then takes you to your account / queue, on an unsecure page. Any suggestions? Thanks!
I generally advise never to skip security features, because they are there for a reason, but i found this for you to check out.
Perhaps it is time to consider retiring support for IE6?