A look into various methods of online user tracking without cookies.
This can also be combined with a browser fingerprinting library for generating the new id.
There is a feature of HTTP requests called an ETag Header which can be exploited for the sake of user tracking. The way an ETag works is when a request is made the server will respond with an ETag header with a given value (usually it is an id for the requested document, or maybe a hash of it), whenever the bowser then makes another request for that document it will send an If-None-Match header with the value of ETag provided by the server last time. The server can then make a decision as to whether or not new content needs to be served based on the id/hash provided by the browser.
As you may have figured out, instead we can assign a unique user id as the ETag header for a response, then when the browser makes a request for that page again it will send us the user id.
This is useful, except for the fact that we can only provide a single id per
user per endpoint. For example, if I use the urls
/collect/data there is no way for me to get the browser to send the same
If-None-Match header for both urls.
from uuid import uuid4 from wsgiref.simple_server import make_server def tracking_server(environ, start_response): user_id = environ.get("HTTP_IF_NONE_MATCH") if not user_id: user_id = uuid4().hex start_response("200 Ok", [ ("ETag", user_id), ]) return [user_id] if __name__ == "__main__": try: httpd = make_server("", 8000, tracking_server) print "Tracking Server Listening on Port 8000..." httpd.serve_forever() except KeyboardInterrupt: print "Exiting..."
Redirect caching is similar in concept to the the ETag tracking method where
we rely on the browser cache to store the user id for us. With redirect caching
we have our tracking url
/track/, when someone goes there we perform a 301
/<user_id>/track. The users browser will then cache that 301
redirect and the next time the user goes to
/track it will just go to
Just like the ETag method we run into an issue where this method really only works for a single endpoint url. We cannot use it for an end all be all for tracking users across a site or multiple sites.
from uuid import uuid4 from wsgiref.simple_server import make_server def tracking_server(environ, start_response): if environ["PATH_INFO"] == "/track": start_response("301 Moved Permanently", [ ("Location", "/%s/track" % uuid4().hex), ]) else: start_response("200 Ok", ) return [""] if __name__ == "__main__": try: httpd = make_server("", 8000, tracking_server) print "Tracking Server Listening on Port 8000..." httpd.serve_forever() except KeyboardInterrupt: print "Exiting..."
A project worth noting is Samy Kamkar’s Evercookie which uses standard cookies, flash objects, silverlight isolated storage, web history, etags, web cache, local storage, global storage… and more all at the same time to track users. This library exercises every possible method for storing a user id which makes it a reliable method for ensuring that the id is stored, but at the cost of being very intrusive and persistent.
I am sure there are other methods out there, these are just the few that I decided to focus on. If anyone has any other methods or ideas please leave a comment.