Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
This is a feature request to support identification by device rather than just user agent in order to have greater confidence in individuality and distinction.
The JS library https://github.com/Valve/fingerprintjs2 looks promising.
It could work like so (assuming enabled and fingerprintjs2 lib is installed:
- On user login form submit
- fingerprintjs2 is invoked to get device fingerprint and stores in hidden form field
- Login History form alter reads submitted device fingerprint and uses instead of user agent
Other JS libs can be considered as well https://www.quora.com/Is-there-any-open-source-project-for-device-finger...
Comment | File | Size | Author |
---|---|---|---|
#13 | 2820919-lh-fingerprintjs2-13.patch | 99.43 KB | greggles |
| |||
#9 | 2820919-lh-fingerprintjs2-9.patch | 65.94 KB | greggles |
| |||
#5 | 2820919-lh-fingerprintjs2.patch | 65.4 KB | greggles |
| |||
#2 | 2820919-login-history-fingerprint-D7.patch | 3.15 KB | coltrane |
Comments
Comment #2
coltraneHere's a first pass patch that doesn't work yet but illustrates how I think it could
Comment #3
gregglesBen and I talked about this a bit and are thinking that it could make sense to make login_history a bit more extensible. Here's what I plan to work on.
Currently, login history records time, IP address, the nature of the login (one time or regular) and the full user agent. My interest in the module is that it helps both users and admins of a site determine if a login is legitimate. Additional code might send an email to a user if they log in from a new device or if a login happens 5 minutes after the last one but is from an IP address on the opposite side of the globe.
For those purposes it is useful to know if a browser user agent has changed, but it's also useful to know more generally chrome and not necessarily "Chrome/53.0.2785.143 Safari/537.36".
So...this module could:
I think it makes sense for fingerprintjs2 to be a submodule (e.g. login_history_fingerprintjs2).
Eh?
Comment #4
gregglesI was thinking more about the cookie that is sent to the client. The default hash from the module is just user agent and ip address, so any site visitor can calculate a value and send it. This defeats one of the use-cases of this feature (i.e. detection of a login from a device that doesn't belong to the user logging in).
So...the cookied needs to be authenticated with an HMAC. I also filed #2822732: Add a serial primary key, a hash of data as device_id to teh table, send hash as a coooookie to cover just the parts inside login_history.module for this.
Comment #5
gregglesThis patch is based on #2822732: Add a serial primary key, a hash of data as device_id to teh table, send hash as a coooookie and therefore will fail automated testing so I'm leaving as "needs work" but I basically consider this to be "needs review".
I felt like this should be a sub-module with its own schema, mostly because it records a lot more information about users.
Comment #6
gregglesI don't think browscap makes sense at this point, so removing it.
Comment #7
gregglesAnd this should now apply and pass tests.
Comment #9
gregglesThis is just some small cleanups.
* Capitalizing Login History.
* Adding $account param to the hook for consistency.
* Adding dependency to the info file.
Comment #10
coltraneWhy is the JS lib data stored? It's a lot of extraneous data without a necessary use case. Could it be optionally stored?
Comment #11
gregglesSure, I can see making it optional. It does seem useful to me to store it in general. I can see an upcoming feature to limit the amount of data that gets fingerprinted (e.g. the canvas item is pretty huge and I'm not sure if it's valuable as a distinguishing point or not).
Comment #12
rymcveighI agree with @greggles, it wouldn't hurt to offer the option to save the JS lib data but I think it would be useful to store it in general. Maybe we can store the data by default and offer the option to opt out of storing the data or limit the amount of data that is stored.
Also, should we minimize the JS and maybe create fingerprint2.min.js and lhfingerprintjs2.min.js files?
Comment #13
gregglesOK, recording the data is now optional and defaults to on.
And using the min js file from the upstream source.
Comment #15
gregglesOK, committed, so on to 8.x.
Comment #16
krem CreditAttribution: krem commentedI am trying to install this patch on drupal 8 using
"composer require drupal/login_history:1.x-dev" but I do not see fingerprint data in login history report.
Do I have to install the patch separately ? Thank you
Comment #17
gregglesFor Drupal 7 there is a sub-module that provides this feature since it is a bit different from the main module, so you do need to add it separately.
Comment #18
krem CreditAttribution: krem commentedThanks for the reply, I downloaded the D7 version and I get it now... will have to study how to adapt the sub module to drupal 8, hopefully it won't be too difficult.
Comment #19
DrupalDope CreditAttribution: DrupalDope commented@krem
hello, I would be interested to know where you got with this module?
Comment #20
Prashant.cDo you have any plans to port this to the latest version of the module?