You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Stephen Adkins <st...@officevision.com> on 2001/11/16 18:13:48 UTC
RE: Doing Authorization using mod_perl from a programmers
perspective
FYI.
This is true as a rule, that HTTP_USER_AGENT only identifies the
browser type, without a serial number.
Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)
Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; AOL 4.0; Windows 98; DigExt)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 5.0 [en]
However, I have seen in my web log the following user agents
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::00000510028001e002800140000000000506000800000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::00002110028001e0025c00ea000000000503002a00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::00002110028001e0027a0129000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::0000211003200258024b015f000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::000041100320025800c001b2000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::000041100320025800c001b6000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::000041100320025801f3018f000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::000041100320025802940113000000000502000800000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::000041100320025803170186000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::0000411003200258031a018e000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::0000411003200258031c019c000000000506000800000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::0000411003200258031e01aa000000000505000b00000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::0000411003200258032001b3000000000506000800000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::000041100400030003df0204000000000506000800000000
Mozilla/4.0 (compatible; MSIE 5.0; Windows
95)::ELNSB50::000081100320025802f90178000000000505000b00000000
This indicates to me that some vendors who distribute MSIE 5.0
on their PC's include some sort of ID in the HTTP_USER_AGENT
that the browser reports. (!?!) (privacy advocates beware!)
Stephen
At 10:46 AM 11/16/2001 -0600, Joe Breeden wrote:
>The HTTP_USER_AGENT doesn't identify unique users. It only identifies the
>browser type/version (assuming it hasn't been messed with).
>
>
>--Joe Breeden
>---------------------------------------
>If it compiles - Ship It!
>Aranea Texo
>
>> -----Original Message-----
>> From: Jon Robison [mailto:jon.robison@uniphied.com]
>> Sent: Friday, November 16, 2001 10:40 AM
>> To: fliptop@peacecomputers.com
>> Cc: Jonathan E. Paton; modperl@apache.org
>> Subject: Re: Doing Authorization using mod_perl from a programmers
>> perspective
>>
>>
>> fliptop wrote:
>> >
>> > Jon Robison wrote:
>> > >
>> > > The most relevant section for you is the Ticket system he
>> describes. (I
>> > > believe the section header says something about Cookies,
>> but you'll know
>> > > you have the right one when you see TicketAccess.pm,
>> TicketTools.pm, and
>> > > TicketMaster.pm. One nice addition is the ability to add
>> encryption to
>> > > the Ticket, and the fact that the author used an MD5 hash
>> (of an MD5
>> > > hash!) in the cookie, so verification of the authenticity
>> of the user is
>> > > pretty solid so long as you leave in things like ip
>> address, etc. which
>> > > he uses in the cookie by default. (Although AOL and some
>> proxy systems
>> > > might cause this to be trouble). AND, he also uses a
>> mysql db for the
>> >
>> > i have found that using the HTTP_USER_AGENT environment
>> variable instead
>> > of ip address solves the problem with proxy servers and the
>> md5 hash.
>> > anyone ever tried this as a simple workaround?
>>
>> I think one problem with that is that is fails to uniquely
>> identify the
>> person.
>>
>> Someone please tell me if I am wrong - does the USER_AGENT field get
>> some kind of special serial number from the browser, or is it just a
>> version identified?
>>
>> Best example - large company with 1000 PC's, all with same Netscape
>> installed. How then does the HTTP_USER_AGENT field deliniate between
>> PC's?
>>
>> --Jon
>>
>
>
Re: Doing Authorization using mod_perl from a programmers perspective
Posted by Edward <en...@fldna.net>.
See. http://slashdot.org/articles/01/03/20/1423223.shtml
On Fri, Nov 16, 2001 at 12:13:48PM -0500, Stephen Adkins wrote:
>
> FYI.
>
> This is true as a rule, that HTTP_USER_AGENT only identifies the
> browser type, without a serial number.
>
> Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)
> Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; AOL 4.0; Windows 98; DigExt)
> Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)
> Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
> Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 5.0 [en]
>
> However, I have seen in my web log the following user agents
>
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::00000510028001e002800140000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::00002110028001e0025c00ea000000000503002a00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::00002110028001e0027a0129000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000211003200258024b015f000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025800c001b2000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025800c001b6000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025801f3018f000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025802940113000000000502000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025803170186000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258031a018e000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258031c019c000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258031e01aa000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258032001b3000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100400030003df0204000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000081100320025802f90178000000000505000b00000000
>
> This indicates to me that some vendors who distribute MSIE 5.0
> on their PC's include some sort of ID in the HTTP_USER_AGENT
> that the browser reports. (!?!) (privacy advocates beware!)
>
> Stephen
>
>
> At 10:46 AM 11/16/2001 -0600, Joe Breeden wrote:
> >The HTTP_USER_AGENT doesn't identify unique users. It only identifies the
> >browser type/version (assuming it hasn't been messed with).
> >
> >
> >--Joe Breeden
> >---------------------------------------
> >If it compiles - Ship It!
> >Aranea Texo
> >
> >> -----Original Message-----
> >> From: Jon Robison [mailto:jon.robison@uniphied.com]
> >> Sent: Friday, November 16, 2001 10:40 AM
> >> To: fliptop@peacecomputers.com
> >> Cc: Jonathan E. Paton; modperl@apache.org
> >> Subject: Re: Doing Authorization using mod_perl from a programmers
> >> perspective
> >>
> >>
> >> fliptop wrote:
> >> >
> >> > Jon Robison wrote:
> >> > >
> >> > > The most relevant section for you is the Ticket system he
> >> describes. (I
> >> > > believe the section header says something about Cookies,
> >> but you'll know
> >> > > you have the right one when you see TicketAccess.pm,
> >> TicketTools.pm, and
> >> > > TicketMaster.pm. One nice addition is the ability to add
> >> encryption to
> >> > > the Ticket, and the fact that the author used an MD5 hash
> >> (of an MD5
> >> > > hash!) in the cookie, so verification of the authenticity
> >> of the user is
> >> > > pretty solid so long as you leave in things like ip
> >> address, etc. which
> >> > > he uses in the cookie by default. (Although AOL and some
> >> proxy systems
> >> > > might cause this to be trouble). AND, he also uses a
> >> mysql db for the
> >> >
> >> > i have found that using the HTTP_USER_AGENT environment
> >> variable instead
> >> > of ip address solves the problem with proxy servers and the
> >> md5 hash.
> >> > anyone ever tried this as a simple workaround?
> >>
> >> I think one problem with that is that is fails to uniquely
> >> identify the
> >> person.
> >>
> >> Someone please tell me if I am wrong - does the USER_AGENT field get
> >> some kind of special serial number from the browser, or is it just a
> >> version identified?
> >>
> >> Best example - large company with 1000 PC's, all with same Netscape
> >> installed. How then does the HTTP_USER_AGENT field deliniate between
> >> PC's?
> >>
> >> --Jon
> >>
> >
> >
>
Re: Doing Authorization using mod_perl from a programmers perspective
Posted by Edward <en...@fldna.net>.
See. http://slashdot.org/articles/01/03/20/1423223.shtml
On Fri, Nov 16, 2001 at 12:13:48PM -0500, Stephen Adkins wrote:
>
> FYI.
>
> This is true as a rule, that HTTP_USER_AGENT only identifies the
> browser type, without a serial number.
>
> Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)
> Mozilla/4.0 (compatible; MSIE 5.0; MSNIA; AOL 4.0; Windows 98; DigExt)
> Mozilla/4.0 (compatible; MSIE 5.0; Windows 3.1)
> Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)
> Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 5.0 [en]
>
> However, I have seen in my web log the following user agents
>
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::00000510028001e002800140000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::00002110028001e0025c00ea000000000503002a00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::00002110028001e0027a0129000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000211003200258024b015f000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025800c001b2000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025800c001b6000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025801f3018f000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025802940113000000000502000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100320025803170186000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258031a018e000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258031c019c000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258031e01aa000000000505000b00000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::0000411003200258032001b3000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000041100400030003df0204000000000506000800000000
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000081100320025802f90178000000000505000b00000000
>
> This indicates to me that some vendors who distribute MSIE 5.0
> on their PC's include some sort of ID in the HTTP_USER_AGENT
> that the browser reports. (!?!) (privacy advocates beware!)
>
> Stephen
>
>
> At 10:46 AM 11/16/2001 -0600, Joe Breeden wrote:
> >The HTTP_USER_AGENT doesn't identify unique users. It only identifies the
> >browser type/version (assuming it hasn't been messed with).
> >
> >
> >--Joe Breeden
> >---------------------------------------
> >If it compiles - Ship It!
> >Aranea Texo
> >
> >> -----Original Message-----
> >> From: Jon Robison [mailto:jon.robison@uniphied.com]
> >> Sent: Friday, November 16, 2001 10:40 AM
> >> To: fliptop@peacecomputers.com
> >> Cc: Jonathan E. Paton; modperl@apache.org
> >> Subject: Re: Doing Authorization using mod_perl from a programmers
> >> perspective
> >>
> >>
> >> fliptop wrote:
> >> >
> >> > Jon Robison wrote:
> >> > >
> >> > > The most relevant section for you is the Ticket system he
> >> describes. (I
> >> > > believe the section header says something about Cookies,
> >> but you'll know
> >> > > you have the right one when you see TicketAccess.pm,
> >> TicketTools.pm, and
> >> > > TicketMaster.pm. One nice addition is the ability to add
> >> encryption to
> >> > > the Ticket, and the fact that the author used an MD5 hash
> >> (of an MD5
> >> > > hash!) in the cookie, so verification of the authenticity
> >> of the user is
> >> > > pretty solid so long as you leave in things like ip
> >> address, etc. which
> >> > > he uses in the cookie by default. (Although AOL and some
> >> proxy systems
> >> > > might cause this to be trouble). AND, he also uses a
> >> mysql db for the
> >> >
> >> > i have found that using the HTTP_USER_AGENT environment
> >> variable instead
> >> > of ip address solves the problem with proxy servers and the
> >> md5 hash.
> >> > anyone ever tried this as a simple workaround?
> >>
> >> I think one problem with that is that is fails to uniquely
> >> identify the
> >> person.
> >>
> >> Someone please tell me if I am wrong - does the USER_AGENT field get
> >> some kind of special serial number from the browser, or is it just a
> >> version identified?
> >>
> >> Best example - large company with 1000 PC's, all with same Netscape
> >> installed. How then does the HTTP_USER_AGENT field deliniate between
> >> PC's?
> >>
> >> --Jon
> >>
> >
> >
>
Re: Doing Authorization using mod_perl from a programmers
perspective
Posted by David Young <dy...@nettonettech.com>.
Yes I remember reading about this some time ago. Of course I am short on
specifics, but IIRC those were some sort of signature put in by ISPs who
were bundling IE, and the id transmitted only configuration info but not
specific user details.
> From: Stephen Adkins <st...@officevision.com>
> Date: Fri, 16 Nov 2001 12:13:48 -0500
> To: Joe Breeden <jb...@ena.com>,modperl@apache.org
> Subject: RE: Doing Authorization using mod_perl from a programmers perspective
>
> Mozilla/4.0 (compatible; MSIE 5.0; Windows
> 95)::ELNSB50::000081100320025802f90178000000000505000b00000000
>
> This indicates to me that some vendors who distribute MSIE 5.0
> on their PC's include some sort of ID in the HTTP_USER_AGENT
> that the browser reports. (!?!) (privacy advocates beware!)