3

Imagine a website that uses google gears as a storage mechanism for various application level data. This data is intermittently replicated with a server using Asynchronous webservice calls while the application is active.

The problem lies in the subscription monitoring mechanism. Imagine a subscription system to this service based on unique PC’s. How does a webservice uniquely identify a PC (or more specifically a webbrowser) that is synchronising data with it?

My natural first idea was storing a GUID in the local database per machine and sending it off with the request but if one looks at the google gears storage documentation you discover that the database is unencrypted and can easily be tampered with (attaching to the sqllite file is all that is required and can be accomplished using various tools).

What I’ve been thinking recently is surely there is someway to calculate a signature that is repeatable per machine yet unique using only javascript? So far an implementation of this has eluded me (if only navigator.userAgent.uniqueID existed – although wouldn’t do much for privacy).

Last thought is obviously to write a ActiveX control and firefox plugin to provide this functionality but this would be a huge pain in the ass...

Any insights would be appreciated.

4

1 回答 1

1

您在本地数据库中使用 GUID 的想法不是一个坏主意。您可以通过允许服务器在连接时为本地数据库发出 GUID 来进一步扩展。然后在服务器上保存用于复制的有效 GUID。如果该机器使用与服务器上的有效 GUID 匹配的 GUID 开始复制过程,则它们将被授权发送其数据。最重要的是,您可以不时使用本地数据库过期和重新发布 GUID。最后,我还应该明智地管理发布给单个用户的 GUID 数量。如果用户使用用户名 jdoe 进行身份验证,则唯一允许使用颁发给 jdoe 的 GUID 的人是 jdoe。(也许用户名不是最好的辅助标识符,但使用类似这样的东西可以帮助您防止虚假数据被引入系统)

于 2010-11-20T02:54:51.577 回答