yusukeshib / express-fingerprint

Server-side fingerprinting
132 stars, 26 forks

Duplicate hash! #9

Open jegger-c opened 5 years ago

jegger-c commented 5 years ago

It's kinda weird that we noticed on our database that the fingerprint.hash is sometimes duplicated. We are using this plugin in our nodejs application and we are just getting the hash value, and I don't know why there are duplicates in the hash. We are not saving it anywhere else except on the db. Any ideas about it?

hcontreras commented 5 years ago

Same issue here!

We're getting the same fingerprint.hash for two different users. I'm using it with only the userAgent. What other parameter can I use in order to distinguish two identical device models?

It's important to me that fingerprint.hash is the same whether they switch from wifi to mobile carrier data or not.

Any suggestion?

stoneRdev commented 4 years ago

I'm not from the team at all, but I can share some experience using this module.

From what I have seen, a lot of mobile browsers (and I mean a lot) will have the same information, and therefore the same hash. From a couple of runs locally in Los Angeles (and whoever else connected), we saw that about 35% of mobile users reported the same hash across different devices. From what we can gather, most mobile browsers report generic user agent info and the same accept-headers (referring to the default options). But since this was a local experiment that just happened to include this fingerprint package, we didn't do a full analysis on it, and the geoip option was pretty useless since most ISPs and mobile operators aren't good at reporting accurate locations, and will usually have the location of the nearest relay station, whether it be an antenna or routing hub.

@hcontreras I'm having a similar issue, and I've decided that adding the user's IP to the mix would make fingerprinting a lot more flexible, but I'm having an issue with how the fingerprinting is structured: as there's no way to access the 'req' object in the function call for 'Fingerprint', there's no way to reference the IP for the fingerprint (or any other request data for that matter, without major complication). See #15 that I just opened.

This is a really easy fix as well, from what I see: just simply changing line 30 here to },req,res) and then the req/res objects can optionally be available by using custom parameter functions like function(next,req,res) {...} while still being backward compatible.

stoneRdev commented 4 years ago

@hcontreras if it interests you, I have submitted a PR (#16) that provides the 'req' and 'res' objects in parameter functions. I am going to be testing this with regards to fingerprinting the same mobile device on different browsers independent of ip or connection type, using a combination of express-fingerprint and 'fingerprintjs' and storing a hash table of server reported fingerprints and client reported fingerprints. Hope this helps you out, and anyone else looking for extra fingerprint methods.

stoneRdev commented 4 years ago

Also, maybe consider #16 as a fix to this issue as well, by providing a way to diversify hashes with data provided from other middleware via the 'req' object.

source144 commented 3 years ago

I know this is pretty old, but I'm getting the same problem running tests on my app. It's been mostly reliable in the states, but I let two friends abroad (Israel) try something on the app and they consistently get a collision.

I'm not sure if I want to consider the IP as part of the hash since it could be spoofed/changed frequently. @yusukeshibata @stoneRdev

stoneRdev commented 3 years ago

That's interesting. Is there any other data you can think of to include in the fingerprint? I have made implementations that use a client side fingerprint supplemented to the server fingerprint, and although intrusive, client side fingerprints can be pretty accurate.
