Browser fingerprinting

Browser fingerprinting is a process that generates an identifier from information retrieved from the browser and device a user uses to access a site; the resulting identifier is unique to that device.

This prevents a malicious third party from hijacking your session during a man-in-the-middle attack.

Configuration

Browser fingerprinting is configured in config/fingerprinting.xml.

The default configuration is shown below:

    <?xml version="1.0" encoding="utf-8" ?>
    <system xmlns:config="http://www.jadu.co.uk/schema/config">
        <filters config:type="array">
            <!-- Empty key is GLOBAL settings. Items are checked IN ORDER. Item value is ENABLED metrics -->
            <item key="10.0">HTTP_USER_AGENT,HTTP_ACCEPT_LANGUAGE</item>
            <item key="">HTTP_USER_AGENT,HTTP_ACCEPT_LANGUAGE,HTTP_DNT,REMOTE_ADDR</item>
        </filters>
    </system>

Session interactions

The application generates a fingerprint when a page is accessed and compares it with the fingerprint stored with the session. If the fingerprint has changed, the session is destroyed to prevent a third party from gaining access to another user's details.
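As an added example (not Jadu's own code), the filter selection from the Configuration section and the session check described above, written in Python: it parses the default config, takes the first `<item>` whose key is a prefix of `REMOTE_ADDR` (the empty key matching every address; how keys are matched is an assumption, not stated on the page), hashes the enabled metrics, and reports whether the session must be destroyed. The request and session dictionaries are constructed stand-ins for the PHP request environment.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed copy of the default config/fingerprinting.xml shown on this page.
CONFIG_XML = """<?xml version="1.0" encoding="utf-8" ?>
<system xmlns:config="http://www.jadu.co.uk/schema/config">
  <filters config:type="array">
    <item key="10.0">HTTP_USER_AGENT,HTTP_ACCEPT_LANGUAGE</item>
    <item key="">HTTP_USER_AGENT,HTTP_ACCEPT_LANGUAGE,HTTP_DNT,REMOTE_ADDR</item>
  </filters>
</system>"""


def load_filters(xml_text):
    """Return [(key, [metric, ...]), ...] preserving document order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    filters = []
    for item in root.iter("item"):
        metrics = [m.strip() for m in (item.text or "").split(",") if m.strip()]
        filters.append((item.get("key", ""), metrics))
    return filters


def select_metrics(filters, remote_addr):
    """First item whose key prefixes REMOTE_ADDR wins (assumed semantics);
    the empty key matches every address and so acts as the global fallback."""
    for key, metrics in filters:
        if remote_addr.startswith(key):
            return metrics
    return []


def fingerprint(request, filters):
    """Hash only the enabled metrics, so a client matched by the "10.0" item
    keeps its session if its address changes (one plausible reason for that
    item; the page does not say)."""
    metrics = select_metrics(filters, request.get("REMOTE_ADDR", ""))
    material = "|".join(f"{m}={request.get(m, '')}" for m in metrics)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def check_session(session, request, filters):
    """Return True if the session may continue; False means destroy it.
    A session with no stored fingerprint is bound to the current one."""
    current = fingerprint(request, filters)
    stored = session.get("fingerprint")
    if stored is None:
        session["fingerprint"] = current
        return True
    return stored == current
```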