Applet Fingerprinting

[Orangy Tang]

For Albion I wanted to make it as easy as possible for a player to save their progress, without requiring registration. The usual methods are:

1. Write to the local hard drive.
2. Use the persistence service (muffins).
3. Use the browser's cookies.

All of these have various downsides of some sort. For '1', you need to sign you applet, which prompts the usual scary security dialogs. For '2' this is only available for JNLP applets, which are less robust and less well supported, plus it doesn't work when you're running via your IDE. For '3' you have to deal with browser and javascript quirks and incompatibilities, and the user might have them switched off anyway.

So, inspired by panopticlick I decided to see if it was possible to generate a unique fingerprint for a system from within the applet sandbox. Here's my applet fingerprint:



And you can generate your own fingerprint here.

And heres my fingerprint:

1

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50t8BDM/LcEnACAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAIAAAABAAAAAsAAAAPAAAABAAAAAQAAAAIAAAAAAAAAAMAAAABAAAABwAAAAkAAAAeAAAAAwAAAAEAAAAHAAAAAAAAAAIAAAATAAAABQAAAAEAAAAEAAAAAgAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAXdAAMZGV2aWNlMFdpZHRodAAEMTkyMHQAD3dpbi5tZW51LmhlaWdodHQAAjE5dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAQGphdmEuYXd0LkZvbnRbZmFtaWx5PVNlZ29lIFVJLG5hbWU9U2Vnb2UgVUksc3R5bGU9cGxhaW4sc2l6ZT0xMl10AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAABNHQAFWF3dC53aGVlbE1vdXNlUHJlc2VudHQABHRydWV0AAtkZXZpY2UwTmFtZXQACVxEaXNwbGF5MHQADmRldmljZTBSZWZyZXNodAACNTl0AAdvcy5uYW1ldAAJV2luZG93cyA3dAANZGV2aWNlMEhlaWdodHQABDEyMDB0ABx3aW4uZnJhbWUuY2FwdGlvbkdyYWRpZW50c09ucQB+ABV0ABh3aW4ubWVudS5iYWNrZ3JvdW5kQ29sb3J0ACFqYXZhLmF3dC5Db2xvcltyPTI0MCxnPTI0MCxiPTI0MF10AApvcy52ZXJzaW9udAADNi4xdAAXd2luLnhwc3R5bGUudGhlbWVBY3RpdmVxAH4AFXQAFWF3dC5mb250LmRlc2t0b3BoaW50c3QAa3tUZXh0LXNwZWNpZmljIExDRCBjb250cmFzdCBrZXk9MTIwLCBUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PUxDRCBIUkdCIGFudGlhbGlhc2luZyB0ZXh0IG1vZGV9dAAHb3MuYXJjaHQAA3g4NnQAGGF3dC5maWxlLnNob3dIaWRkZW5GaWxlc3EAfgAVdAAMamF2YS52ZXJzaW9udAAIMS42LjBfMTh0ABZhd3QubXVsdGlDbGlja0ludGVydmFsdAADNTAwdAAbd2luLmRlc2t0b3AuYmFja2dyb3VuZENvbG9ydAAbamF2YS5hd3QuQ29sb3Jbcj0wLGc9MCxiPTBddAALamF2YS52ZW5kb3J0ABVTdW4gTWljcm9zeXN0ZW1zIEluYy50ABZhd3QuZmlsZS5zaG93QXR0cmliQ29sdAAFZmFsc2V4

At the moment, the fingerprint is broken down into different sections (as represented by the different colours, left to right):
 - Blue is windows settings (font size, colours, etc.)
 - Yellow are os properties (name, version, architecture)
 - Red is VM properties (vendor, version, url)
 - Cyan is display info (number of displays, resolution, etc.)
 - Light blue is awt info (desktop hints, click interval, etcl)
 - Green is a histogram of all the available font families on a system.

Most of these are stored as hashes, and mapping them onto actual heights for display is somewhat arbitrary but that's just for visualisation purposes.

I'm still not sure how unique these fingerprints are, so I'd like to get as many people as possible to visit the applet and share their fingerprint so I can tweak the algorithm. I expect fingerprints from similar spec machines to be similar (ie. two fingerprints from Win7 with JRE6 will look pretty close), but for Albion I'll be tying it with IP as well so the combination should work out to be unique. If anyone's got any ideas for additional (applet readable!) state then I'm open to suggestions.

I'll be posting the source too once I've gone over it and cleaned it up a bit.

[Eli Delventhal]

1

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50t8BDM/LcEnACAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAXAAAAHwAAAB8AAAAGAAAABQAAAAUAAAASAAAAGAAAAAQAAAABAAAACQAAAA8AAAAZAAAABAAAAAYAAAAOAAAAAAAAAAQAAAAVAAAACQAAAAAAAAABAAAABQAAAAAAAAAAAAAAAnNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAOdAAMZGV2aWNlMFdpZHRodAAEMTQ0MHQAC2RldmljZUNvdW50dAABMXQAD2phdmEudmVuZG9yLnVybHQAFWh0dHA6Ly93d3cuYXBwbGUuY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAABM3QAC2RldmljZTBOYW1ldAAJXERpc3BsYXkwdAAOZGV2aWNlMFJlZnJlc2h0AAEwdAAHb3MubmFtZXQACE1hYyBPUyBYdAANZGV2aWNlMEhlaWdodHQAAzkwMHQACm9zLnZlcnNpb250AAYxMC42LjN0ABVhd3QuZm9udC5kZXNrdG9waGludHN0AD17VGV4dC1zcGVjaWZpYyBhbnRpYWxpYXNpbmcgZW5hYmxlIGtleT1BbnRpYWxpYXNlZCB0ZXh0IG1vZGV9dAAHb3MuYXJjaHQABng4Nl82NHQADGphdmEudmVyc2lvbnQACDEuNi4wXzIwdAAWYXd0Lm11bHRpQ2xpY2tJbnRlcnZhbHQAAzUwMHQAC2phdmEudmVuZG9ydAAKQXBwbGUgSW5jLng=

How does this help with saving? Are you saving the fingerprint in a DB or something? I still don't get how that would really help.

[Orangy Tang]

Yeah, the fingerprint will be used as the key in the server database for the player's save info. This is usually how it's done with cookies (with only the id stored in the cookie) but here because the fingerprint is stable it doesn't need to be stored and can just be regenerated each run.

Games published by our own members! Check 'em out!

[irreversible_kev]

1

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAIAAAABAAAAAsAAAAPAAAABAAAAAQAAAAKAAAAAAAAAAMAAAABAAAABgAAAAgAAAAdAAAAAwAAAAEAAAAEAAAAAAAAAAIAAAASAAAABQAAAAEAAAAEAAAAAgAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAXdAAMZGV2aWNlMFdpZHRodAAEMTY4MHQAD3dpbi5tZW51LmhlaWdodHQAAjE5dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAQGphdmEuYXd0LkZvbnRbZmFtaWx5PVNlZ29lIFVJLG5hbWU9U2Vnb2UgVUksc3R5bGU9cGxhaW4sc2l6ZT0xMl10AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAACMTZ0ABVhd3Qud2hlZWxNb3VzZVByZXNlbnR0AAR0cnVldAALZGV2aWNlME5hbWV0AAlcRGlzcGxheTB0AA5kZXZpY2UwUmVmcmVzaHQAAjYwdAAHb3MubmFtZXQACVdpbmRvd3MgN3QADWRldmljZTBIZWlnaHR0AAQxMDUwdAAcd2luLmZyYW1lLmNhcHRpb25HcmFkaWVudHNPbnEAfgAVdAAYd2luLm1lbnUuYmFja2dyb3VuZENvbG9ydAAhamF2YS5hd3QuQ29sb3Jbcj0yNDAsZz0yNDAsYj0yNDBddAAKb3MudmVyc2lvbnQAAzYuMXQAF3dpbi54cHN0eWxlLnRoZW1lQWN0aXZlcQB+ABV0ABVhd3QuZm9udC5kZXNrdG9waGludHN0AGt7VGV4dC1zcGVjaWZpYyBMQ0QgY29udHJhc3Qga2V5PTEyMCwgVGV4dC1zcGVjaWZpYyBhbnRpYWxpYXNpbmcgZW5hYmxlIGtleT1MQ0QgSFJHQiBhbnRpYWxpYXNpbmcgdGV4dCBtb2RlfXQAB29zLmFyY2h0AAN4ODZ0ABhhd3QuZmlsZS5zaG93SGlkZGVuRmlsZXNxAH4AFXQADGphdmEudmVyc2lvbnQACDEuNi4wXzIwdAAWYXd0Lm11bHRpQ2xpY2tJbnRlcnZhbHQAAzUwMHQAG3dpbi5kZXNrdG9wLmJhY2tncm91bmRDb2xvcnQAG2phdmEuYXd0LkNvbG9yW3I9MCxnPTAsYj0wXXQAC2phdmEudmVuZG9ydAAVU3VuIE1pY3Jvc3lzdGVtcyBJbmMudAAWYXd0LmZpbGUuc2hvd0F0dHJpYkNvbHQABWZhbHNleA==

[jezek2]

While interesting idea and research of EFF, this will break very easily for your purposes. Also many users have dynamic IPs or are just connecting from different networks. The problem is that the original idea is about connecting the previous information based on probability, so it works only with masses with certain (big) error. This can't be used if you need to precisely identify someone's browser.

Just use cookies, with some detection and warning if they're disabled (or just specify you're using cookies for saving game). Most users have cookies enabled anyway, especially causal gamers. Also add ability to register account so users can play from different computer if they opt to.

[Eli Delventhal]

Yeah, the fingerprint will be used as the key in the server database for the player's save info. This is usually how it's done with cookies (with only the id stored in the cookie) but here because the fingerprint is stable it doesn't need to be stored and can just be regenerated each run.

Why can't a user just type in a login name if you've already got a DB? I guess it's nice to be automatic but it doesn't seem like you're gaining too much here.

[Jono]

1

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAPAAAABwAAAAQAAAAGAAAAAgAAAAMAAAAEAAAAAAAAAAEAAAAAAAAAFQAAADwAAAAKAAAABAAAAAEAAAADAAAAAAAAAAIAAAAIAAAABwAAABUAAAAEAAAABAAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAASdAANZGV2aWNlMUhlaWdodHQAAzkwMHQADGRldmljZTBXaWR0aHQABDE5MjB0AAtkZXZpY2VDb3VudHQAATJ0AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAACMTZ0AAtkZXZpY2UwTmFtZXQABDowLjB0AA5kZXZpY2UwUmVmcmVzaHQAATB0AAdvcy5uYW1ldAAFTGludXh0AA5kZXZpY2UxUmVmcmVzaHQAATB0AA1kZXZpY2UwSGVpZ2h0dAAEMTA4MHQAC2RldmljZTFOYW1ldAAEOjAuMXQACm9zLnZlcnNpb250ABEyLjYuMzItMjItZ2VuZXJpY3QAFWF3dC5mb250LmRlc2t0b3BoaW50c3QAR3tUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PUxDRCBIUkdCIGFudGlhbGlhc2luZyB0ZXh0IG1vZGV9dAAMZGV2aWNlMVdpZHRodAAEMTQ0MHQAB29zLmFyY2h0AAVhbWQ2NHQADGphdmEudmVyc2lvbnQACDEuNi4wXzIwdAAWYXd0Lm11bHRpQ2xpY2tJbnRlcnZhbHQAAzIwMHQAC2phdmEudmVuZG9ydAAVU3VuIE1pY3Jvc3lzdGVtcyBJbmMueA==

So if a user plays on a different machine they'd have a different set of save info? What about if they just installed some new fonts?

[Orangy Tang]

While interesting idea and research of EFF, this will break very easily for your purposes.

Well that's what this thread is about - trying to gather data from people to see how unique (or not) these fingerprints are.

Just use cookies, with some detection and warning if they're disabled (or just specify you're using cookies for saving game). Most users have cookies enabled anyway, especially causal gamers. Also add ability to register account so users can play from different computer if they opt to.

Cookies require per-browser and per-os testing, which I just don't have the time and hardware to pull off.

Why can't a user just type in a login name if you've already got a DB? I guess it's nice to be automatic but it doesn't seem like you're gaining too much here.

Just typing a username is unreliable because there's lots of people who'll just type in their (common) first name so i'll get people playing with different user's data. Adding a username+password combo is reliable but from what I've personally seen a lot of players are instantly turned off and with close the game straight away. The idea is to use this to get people playing straight away, and provide an option for entering a username / password at any later point, but until they do the fingerprint + IP will have a reasonably good chance of restoring their game.

I suppose just asking for the user's name would also make the fingerprint matching better, but I'm not sure I want the extra step for the user.

So if a user plays on a different machine they'd have a different set of save info? What about if they just installed some new fonts?

Different machine == different save.
Minor system changes (installing / removing fonts, upgrading VM) should be ok, since I can directly compare the code points / minutia between fingerprints and get a difference value (eg. installing a new font would make the fingerprint differ by 1). Changes under a certain threshold will be considered to be the same system.


It seems like everyone's programmer OCD just has to come up with the convoluted edge cases where this will have issues. I'm already aware of them but frankly I don't think they matter for what I'm after here.

[mike_bike_kite]

I wanted to do the same thing with one of my games to store the user's high score and tried using the MAC address of the users computer - this worked fine on some machines but stopped the program from running at all on other computers (apple). In the end I game up:(

[CommanderKeith]

Pretty cool. Here's mine:

1

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAMAAAAFgAAABgAAAAJAAAACgAAAA4AAAARAAAABAAAAAUAAAADAAAABgAAAAwAAAAkAAAABQAAAAMAAAAMAAAAAAAAAAcAAAARAAAACQAAAAAAAAAFAAAABQAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAXdAAMZGV2aWNlMFdpZHRodAAEMTQ0MHQAD3dpbi5tZW51LmhlaWdodHQAAjE5dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAQGphdmEuYXd0LkZvbnRbZmFtaWx5PVNlZ29lIFVJLG5hbWU9U2Vnb2UgVUksc3R5bGU9cGxhaW4sc2l6ZT0xMl10AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAABM3QAFWF3dC53aGVlbE1vdXNlUHJlc2VudHQABHRydWV0AAtkZXZpY2UwTmFtZXQACVxEaXNwbGF5MHQADmRldmljZTBSZWZyZXNodAACNjB0AAdvcy5uYW1ldAANV2luZG93cyBWaXN0YXQADWRldmljZTBIZWlnaHR0AAM5MDB0ABx3aW4uZnJhbWUuY2FwdGlvbkdyYWRpZW50c09ucQB+ABV0ABh3aW4ubWVudS5iYWNrZ3JvdW5kQ29sb3J0ACFqYXZhLmF3dC5Db2xvcltyPTI0MCxnPTI0MCxiPTI0MF10AApvcy52ZXJzaW9udAADNi4wdAAXd2luLnhwc3R5bGUudGhlbWVBY3RpdmVxAH4AFXQAFWF3dC5mb250LmRlc2t0b3BoaW50c3QAa3tUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PUxDRCBIUkdCIGFudGlhbGlhc2luZyB0ZXh0IG1vZGUsIFRleHQtc3BlY2lmaWMgTENEIGNvbnRyYXN0IGtleT0xMjB9dAAHb3MuYXJjaHQAA3g4NnQAGGF3dC5maWxlLnNob3dIaWRkZW5GaWxlc3QABWZhbHNldAAMamF2YS52ZXJzaW9udAAIMS42LjBfMjB0ABZhd3QubXVsdGlDbGlja0ludGVydmFsdAADNDgwdAAbd2luLmRlc2t0b3AuYmFja2dyb3VuZENvbG9ydAAbamF2YS5hd3QuQ29sb3Jbcj0wLGc9MCxiPTBddAALamF2YS52ZW5kb3J0ABVTdW4gTWljcm9zeXN0ZW1zIEluYy50ABZhd3QuZmlsZS5zaG93QXR0cmliQ29scQB+ACl4

Games published by our own members! Check 'em out!

[CaptainJester]

Just ask for an email address.  Make the password optional.  Also only ask for it at the point they want to save.  If people get to that point then they have invested enough time that entering an email address will not be that much bother.  People only tend to be turned off by registration systems that take too much time.  ie arbitrary rules for password characters or short lengths for user names.

[SimonH]

1

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAADAAAAAwAAAAMAAAAEAAAAAAAAAAAAAAACAAAAAQAAAAEAAAAAAAAAAAAAAAQAAAAFAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAFAAAAAwAAAAAAAAACAAAABAAAAAEAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAWdAAMZGV2aWNlMFdpZHRodAAEMTAyNHQAD3dpbi5tZW51LmhlaWdodHQAAjE4dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAPGphdmEuYXd0LkZvbnRbZmFtaWx5PVRhaG9tYSxuYW1lPVRhaG9tYSxzdHlsZT1wbGFpbixzaXplPTExXXQAD2phdmEudmVuZG9yLnVybHQAFGh0dHA6Ly9qYXZhLnN1bi5jb20vdAAUYXd0Lm1vdXNlLm51bUJ1dHRvbnN0AAEzdAAVYXd0LndoZWVsTW91c2VQcmVzZW50dAAEdHJ1ZXQAC2RldmljZTBOYW1ldAAJXERpc3BsYXkwdAAOZGV2aWNlMFJlZnJlc2h0AAI3NXQAB29zLm5hbWV0AAxXaW5kb3dzIDIwMDB0AA1kZXZpY2UwSGVpZ2h0dAADNzY4dAAcd2luLmZyYW1lLmNhcHRpb25HcmFkaWVudHNPbnEAfgAVdAAYd2luLm1lbnUuYmFja2dyb3VuZENvbG9ydAAhamF2YS5hd3QuQ29sb3Jbcj0yMTIsZz0yMDgsYj0yMDBddAAKb3MudmVyc2lvbnQAAzUuMHQAFWF3dC5mb250LmRlc2t0b3BoaW50c3QARntUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PURlZmF1bHQgYW50aWFsaWFzaW5nIHRleHQgbW9kZX10AAdvcy5hcmNodAADeDg2dAAYYXd0LmZpbGUuc2hvd0hpZGRlbkZpbGVzcQB+ABV0AAxqYXZhLnZlcnNpb250AAgxLjYuMF8xNnQAFmF3dC5tdWx0aUNsaWNrSW50ZXJ2YWx0AAM1MDB0ABt3aW4uZGVza3RvcC5iYWNrZ3JvdW5kQ29sb3J0ACBqYXZhLmF3dC5Db2xvcltyPTU4LGc9MTEwLGI9MTY1XXQAC2phdmEudmVuZG9ydAAVU3VuIE1pY3Jvc3lzdGVtcyBJbmMudAAWYXd0LmZpbGUuc2hvd0F0dHJpYkNvbHQABWZhbHNleA==

I like the idea, but I can't ever see it being reliable for the reasons given above. I don't think people mind registering if they think it's worth it. The funorb system of play unregistered but register to save games (& other benefits) is a good one.

[Orangy Tang]

Man, you guys need to actually watch users (proper users, not your tech-savy friends) and how they behave. And I do mean watch, not just sit over their shoulder giving them instructions at every step.

Ask for an email address before gameplay? -> Browser closed, user gone.
Ask for username and registration before gameplay? -> Browser closed, user gone.
Force use to manually save? -> user never saves.
Popup telling user 'game will not be saved until you enable cookies / javascript'? -> Popup ignored, user probably gone.

[Eli Delventhal]

If those are problems. why not have the player name their character/gun/ship/whatever some name that must be unique, but when they start give them a default (combination of 3 random words from a 1,000 item list or something)?

For example, if you have a spaceship game when the game starts up their ship could be named IllegalMonsterNail or something, and they have the option at any point to type in a different ship name (that must be unique to your DB). Use IllegalMonsterNail as the key for the DB and whenever they change the name use that instead.

I guess the main problem for you is asking the user for their ship's name, and/or stopping people from typing in OrangyTangsShip to access your account.

But still, it seems like if you make it seem like it's part of the game ("Jump into an existing ship!" "What's the ship's name?") rather than "Please log in" then most people won't even notice.

[Nate]

Popup telling user 'game will not be saved until you enable cookies / javascript'? -> Popup ignored, user probably gone.

I was with you up to the last point. I would just use cookies. If you are targeting normal users, normal users have cookies and javascript enabled.

[princec]

Aside: are local user prefs not allowed for sandboxed applets?

Cas

[kappa]

Aside: are local user prefs not allowed for sandboxed applets?

Cas

nope, the Preference API is not allowed from the sandbox.

If you launch your applets with a jnlp file (new stuff in plugin2) then you can use JWS muffins for local storage (you get 250kb). However using jnlp for applets isn't that nice. It would be nice if they allowed access to muffins using just the normal applet tag, maybe via parameter if not by default.

The javascript bridge is pretty good now for applets so cookies look like the easiest way to handle this problem (html5 web storage is looking pretty good too now and might be the way to go once it becomes a bit more widespread).

Another idea you might want to explore is Flash. It gives you 100kb of local storage and available almost everywhere, so you could use a hidden flash element and just pass the information via javascript to it and allow it to store it for you (yeh its a long shot, but hey it'll work ).

This finger printing looks like an interesting idea method but sounds like it might break easily if something on the system changes.

[zammbi]

JavaFX allows saving without a security popup I believe.

[Orangy Tang]

nope, the Preference API is not allowed from the sandbox.

It's even more annoying than that though - ServiceManager.getServiceNames() actually returns (amongst other things) 'PersistenceService', which implies it's actually available, but trying to actually lookup the service will fail. (As opposed to a regular client app, where the list of service names will be empty).

It really looks like it should be available to applets, but someone was sloppy and forgot to call an initialisation function somewhere.

[h3ckboy]

Im with demonpants. Just be like,  "what willy ou name your character?", and there you got a username.

[bobjob]

1

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAIAAAABAAAAAsAAAAPAAAABAAAAAQAAAAKAAAAAAAAAAMAAAABAAAABgAAAAgAAAAdAAAAAwAAAAEAAAAEAAAAAAAAAAIAAAASAAAABQAAAAEAAAAEAAAAAgAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAXdAAMZGV2aWNlMFdpZHRodAAEMTkyMHQAD3dpbi5tZW51LmhlaWdodHQAAjE5dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAQGphdmEuYXd0LkZvbnRbZmFtaWx5PVNlZ29lIFVJLG5hbWU9U2Vnb2UgVUksc3R5bGU9cGxhaW4sc2l6ZT0xMl10AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAABNXQAFWF3dC53aGVlbE1vdXNlUHJlc2VudHQABHRydWV0AAtkZXZpY2UwTmFtZXQACVxEaXNwbGF5MHQADmRldmljZTBSZWZyZXNodAACNTl0AAdvcy5uYW1ldAAJV2luZG93cyA3dAANZGV2aWNlMEhlaWdodHQABDEwODB0ABx3aW4uZnJhbWUuY2FwdGlvbkdyYWRpZW50c09ucQB+ABV0ABh3aW4ubWVudS5iYWNrZ3JvdW5kQ29sb3J0ACFqYXZhLmF3dC5Db2xvcltyPTI0MCxnPTI0MCxiPTI0MF10AApvcy52ZXJzaW9udAADNi4xdAAXd2luLnhwc3R5bGUudGhlbWVBY3RpdmVxAH4AFXQAFWF3dC5mb250LmRlc2t0b3BoaW50c3QAa3tUZXh0LXNwZWNpZmljIExDRCBjb250cmFzdCBrZXk9MTIwLCBUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PUxDRCBIUkdCIGFudGlhbGlhc2luZyB0ZXh0IG1vZGV9dAAHb3MuYXJjaHQAA3g4NnQAGGF3dC5maWxlLnNob3dIaWRkZW5GaWxlc3EAfgAVdAAMamF2YS52ZXJzaW9udAAIMS42LjBfMjB0ABZhd3QubXVsdGlDbGlja0ludGVydmFsdAADNTAwdAAbd2luLmRlc2t0b3AuYmFja2dyb3VuZENvbG9ydAAbamF2YS5hd3QuQ29sb3Jbcj0wLGc9MCxiPTBddAALamF2YS52ZW5kb3J0ABVTdW4gTWljcm9zeXN0ZW1zIEluYy50ABZhd3QuZmlsZS5zaG93QXR0cmliQ29sdAAFZmFsc2V4

very interesting idea. Ill be keen to see how effective this is at handling accounts.

[bobjob]

Im guessing it could only help to generate serverside info, such as source IP address.

does the fingerprint currently include local network address.
http://reglos.de/myaddress/MyAddress.html

[kappa]

correct me if i'm wrong but it seems that unsigned applets can get the MAC Address, isn't this enough to uniquely identify a computer?

http://techdetails.agwego.com/2008/02/11/37/

[princec]

Not on its own but combined with just 1 or 2 other bits of information it'd probably be perfectly adequate.

Cas

[Orangy Tang]

correct me if i'm wrong but it seems that unsigned applets can get the MAC Address, isn't this enough to uniquely identify a computer?

http://techdetails.agwego.com/2008/02/11/37/

I've looked into getting the mac before and IIRC the method mentioned there is massively unreliable (especially when you start talking about non-windows or non-java6 VMs). The only reliable way to get the mac address in java required signed code.

That said, it could be integrated into the fingerprinting to provide more accurate results on the platforms that do actually return something.

[bobjob]

I have been thinking about this idea a bit lately, I thought of another great instance for varation.

I know there are issues with cookies, but i think it would make sence to try at least implement it, so that it takes a random generated cookie into account for the fingerprint.
cant hurt can it?

[kappa]

another option that could be used http://developer.yahoo.com/yui/swfstore/ should be more reliable then cookies and work the same crossplatfrom/crossbrowsers.

[Swattkidd7]

Hmm, I think that if you have a main menu screen where they can enter a "Ships name" and then a "Ships password" with a little tip underneath it explaining what it is used for, then you should be fine because the only thing that turns off most people in "registering" is when it asks for your email and then you have to go verify etc etc. But if you can just type some stuff in and start, it should be fine.

[Riven]

Why not look at it from the other side?

What is registering and logging in:
1. Submitting a username/password
2. The server creates / looks up a database row for you
3. A cookie is sent back to the client, which the client uses every request to confirm it is logged in.

Why don't we do it a different way, as in the end, the only thing a client needs is a cookie. The username/password are only a way to deliver the right serial (cookie) to the right client. If the client knows the serial, it can ignore logging in. We can take it one step further: we don't even need a username/password, at all, ever.

Each new client gets a serial (cookie) from the server and that will be his sole identifier. The serial can be queried in the UI, and used to login into another browser, or another computer. It can even be sent to an emailaddress, if the user wishes to do so.

In conclusion: the first hit you make to a site *is* your registration process: the generated serial is stored in the database. It happens behind the scenes, the user doesn't know. The serial is the 'applet fingerprint'.


Regarding your current fingerprinting algorithm: it's flaky at best. I wouldn't want to trust any identification of any user on it. Random serial numbers are much more effective, and more importantly: you can use the same serial to login from different browsers or machines.