One of the web's biggest hurdles is that HTTP is a stateless protocol: it has no memory. The common solution is a session id, an identifier handed to the visitor and stored in what is colloquially known as a cookie. One drawback of this method is that it is an 'active' tracker: the server (website) originates the exchange and the client (visitor) either accepts or declines the cookie. Many sites, especially in ecommerce, are functionally unusable if the cookie is refused.
So I thought I'd write about something a little different: visitor fingerprinting. Not biometric fingerprinting but device/browser fingerprinting. Why? Because it is an alternative or backup to cookies.
As with most things on the web, browser fingerprinting is not new, and only those using it know how effective it has become. Why? Because, unlike cookies, there is little or no (depending on methodology) recognisable exchange between the server and the browser that an outsider could observe and measure.
There are two main classes of remote visitor device fingerprinting that can be utilised by a website:
* passive: observation and analysis of communication traffic with the browser/device.
* semi-passive: once the browser has initiated communication, the server interacts with it to elicit further identifying information.
The third class, active, requires that the server initiate the connection; most sites would rather serve a cookie, as active fingerprinting can be detected and may contravene local regulation or law.
What data points can be used to differentiate devices?
Note: even the presence of 'scrubbers' is of value as an identifier.
---browser identification via web retrieval flow analysis.
Note: flow analysis can identify browsers even when set to 'another' user agent.
---clock timing skew.
---browser plug-ins, versions, mime types.
---firewall, router identification and configuration.
and many more. To operate, devices, be they hardware or software, need to communicate and share their specifications. Basic passive fingerprinting from several years ago could extract roughly 8 bytes (64 bits) of identifying data, sufficient to uniquely identify over 80% of visitors.
Granted, this is far short of what is functionally necessary for an ecommerce shopping cart. However, unsubstantiated reports suggest that current combined passive and semi-passive methodologies are closer to 98%. Even if true, and even once released publicly, that is still short of cookie performance.
However, fingerprinting is totally invisible and long lived, short of a significant upgrade or replacement (note: 'significant' is a moving target, as statistical analysis can increasingly look past device changes if the IP address remains static, or vice versa). It is certainly robust enough for remarketing, definitely valuable for non-ecommerce sites, and a reasonably reliable failover or extension for ecommerce businesses.
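To make the 'bits of identifying data' figures above concrete, here is an added worked example (not from the original post) that computes per-attribute and combined entropy for a constructed population of eight visitors, the fraction whose combined fingerprint is unique, and the uniform-spread estimate of uniqueness for a given number of bits. The function names and the population are chosen here for illustration.

```javascript
// Added example, not from the original post: relating "bits of identifying
// information" to the share of visitors whose fingerprint is unique.
// The visitor population is constructed for illustration, not measured.

// Shannon entropy (bits) of the distribution of values in an array.
function shannonBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Fraction of visitors whose combined fingerprint is seen exactly once.
function uniqueFraction(fingerprints) {
  const counts = new Map();
  for (const f of fingerprints) counts.set(f, (counts.get(f) || 0) + 1);
  let unique = 0;
  for (const c of counts.values()) if (c === 1) unique += 1;
  return unique / fingerprints.length;
}

// If b bits were spread uniformly over n visitors, the chance that a given
// visitor collides with none of the other n-1 is (1 - 2^-b)^(n-1).
function expectedUniqueFraction(bits, n) {
  return Math.pow(1 - Math.pow(2, -bits), n - 1);
}

// Per-attribute entropy, combined entropy and observed uniqueness for a
// population of attribute records.
function analyse(visitors, attributes) {
  const perAttribute = {};
  let sumOfParts = 0;
  for (const a of attributes) {
    perAttribute[a] = shannonBits(visitors.map((v) => v[a]));
    sumOfParts += perAttribute[a];
  }
  const combined = visitors.map((v) => attributes.map((a) => v[a]).join('|'));
  return {
    perAttribute,
    sumOfParts, // upper bound on combinedBits: attributes are correlated
    combinedBits: shannonBits(combined),
    uniqueFraction: uniqueFraction(combined),
  };
}

// Constructed population of 8 visitors with three passive attributes
// (user-agent family, language, timezone offset).
const VISITORS = [
  { ua: 'A', lang: 'en', tz: '0' },
  { ua: 'A', lang: 'en', tz: '0' },
  { ua: 'A', lang: 'fr', tz: '1' },
  { ua: 'B', lang: 'en', tz: '0' },
  { ua: 'B', lang: 'en', tz: '1' },
  { ua: 'B', lang: 'de', tz: '1' },
  { ua: 'C', lang: 'en', tz: '2' },
  { ua: 'C', lang: 'en', tz: '2' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyse(VISITORS, ['ua', 'lang', 'tz']));
  console.log('uniform 10 bits over 1024 visitors:', expectedUniqueFraction(10, 1024));
  console.log('uniform 64 bits over 1e6 visitors:', expectedUniqueFraction(64, 1e6));
}
```

The combined entropy is bounded above by the sum of the per-attribute figures and by log2 of the population size. The gap between the uniform estimate and the observed uniqueness is the practical caveat: attributes are correlated and unevenly distributed, so a nominal bit count overstates how many visitors are actually singled out.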
So, when the cookie crumbles, know that all is not lost in the fight to impose memory on a stateless web.