I am thinking of building a UUID for web users by getting a hash of (pseudocode):
WebSession.Platform + WebSession.Browser + WebSession.RemoteAddressie if they change device, browser or IP address it is considered a different device. I need it so users can authenticate themselves on new devices as 2FA and build up a series of authenticated PCs. I am aware that the user will need to re-authenticate if their IP address or browser changes.
Any comments or improvements?
What if the ip changes with (theoretical) every connect? Some provider dont have official IPs for their customers.
Why not using cookies?
My concern is that if I don’t use WebSession.RemoteAddress then all the PCs in an office are now authorised for that user login (once one is authorised).
I want users to have to authorise (with a code sent to them) each new PC. If they’re sent a code and they didn’t try to authenticate, they’ll know someone is trying to connect into their account (and will be blocked).
Hmm, User Logs in, you set an identifier as clientcookie.
Clients sends that cookie and you could identify that client…
Yes! That random Cookie value is also stored in the User database table. The user can later remove that value from the database (eg from a Cyber Cafe) requiring re-authorisation later. Moving from PC to PC, even with the same IP address, requires authentication because the random Cookie value will not match.
I will also keep the WebSession.Platform + WebSession.Browser + WebSession.RemoteAddress as a reminder of which PC each authorisation is referring to.