Wednesday, 4 February 2015

Alternative implementations of "remember my device" that do not use cookies?

I am working on adding a "remember my device" feature to a web application I maintain for a financial services company. All implementations of this feature that I've read about use persistent cookies, and my existing "remember me" feature uses persistent cookies.


In testing my current bank's (chase.com) implementation using Win7/IE11 I found I could not delete cookies and force my bank to forget my device. I tried a new machine with Win7/IE9 and proceeded to have the site remember the device. I then tried the following in any and all combinations:



  • clear cookies and all browsing history elements (not preserving favorites)

  • reset IE to default

  • reset IE to default and clear personal data


I also uninstalled Flash, Java and .NET runtimes in the hope that data was being stored in these plugin platforms. I did find some .js files that reference Flash cookies, so I thought that without Flash the site would default back to normal cookies. I tested with IE since it does not have Flash built in like Chrome does.


I also logged off/on after each clear cache attempt to ensure IE processes were closed in between attempts. After all of this, my browser is still a remembered device.


My questions are:




  • Is there any other client-side technology that could be used to remember my device that I am not resetting/clearing?




  • Would enough details be able to be logged on the server to create a device fingerprint that is sufficiently accurate? I have never had my bank re-prompt me to remember my device after upgrading or installing plugins, etc. (Granted I normally use Chrome and am only using IE for this analysis)




  • Would a purely server-side approach be recommended, particularly for a financial institution like Chase? Are there any writeups or articles that address the pros/cons of such an approach? I'm imagining it to be less secure than the standard cookie approach.




Thank you all, my first question, apologies if my google-fu failed to turn up an obvious answer.
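As an added illustration of the pattern the question is circling (not code from the question or from any bank's implementation), the following shows a cookie-based "remember my device" token whose trust lives entirely server-side: only a hash of the token is stored, the record is bound to a coarse fingerprint built from request headers, and revocation happens on the server even when the client cannot delete the cookie. Store and function names are hypothetical, and the header fields used for the fingerprint are constructed examples.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: sha256(token) -> record. A real deployment would
# use a database and scope records to the authenticated user.
_devices = {}

def server_fingerprint(headers):
    """Coarse server-side fingerprint from request headers (constructed fields).
    Two different clients with identical headers produce the same value."""
    parts = [headers.get("User-Agent", ""), headers.get("Accept-Language", "")]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()

def remember_device(user_id, headers, ttl_days=30):
    """Issue a remember-device token. Only its hash is stored server-side, so a
    leaked table yields no usable tokens; the raw token is what the client keeps
    in a persistent cookie."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    _devices[key] = {
        "user": user_id,
        "fp": server_fingerprint(headers),
        "expires": time.time() + ttl_days * 86400,
    }
    return token

def is_remembered(user_id, token, headers):
    """Accept only an unexpired, unrevoked token bound to this user whose
    stored fingerprint matches the current request."""
    key = hashlib.sha256(token.encode()).hexdigest()
    rec = _devices.get(key)
    if rec is None or rec["user"] != user_id or time.time() > rec["expires"]:
        return False
    return hmac.compare_digest(rec["fp"], server_fingerprint(headers))

def forget_device(token):
    """Server-side revocation: effective even if the client never clears the
    cookie, which is the control the question found missing."""
    key = hashlib.sha256(token.encode()).hexdigest()
    return _devices.pop(key, None) is not None
```

The fingerprint only narrows misuse of a stolen token to a similar-looking client; on its own it cannot identify a device, which is why it is paired with the cookie token rather than replacing it.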
