django-user-sessions

It's no longer possible to properly detect the platform version, so we shouldn't try to

Open mbeijen opened this issue 2 years ago • 3 comments

For about a year now, all major browsers no longer properly show the platform they're running on to combat fingerprinting and to improve privacy.

See https://developer.chrome.com/articles/user-agent-client-hints/ and https://www.chromium.org/updates/ua-reduction/

As a result, a Windows 11 device will always show up as Windows 10 according to the user agent parsing in this module (and a Windows 10 device will also show up as Windows 10) and Mac devices will show up as running on 'macOS Catalina' while they might be running Monterey or Ventura.

Expected Behavior

If you want to manage your sessions, it can be confusing or even alarming to show sessions from 'windows 10' while you know for sure you only have devices running Windows 11. I would expect to see proper identifiable information.

Current Behavior

On the latest releases of macOS or Windows, django-user-sessions shows incorrect information. For instance, on my recent Mac my user-agent is:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0

where sw_vers does not show 10.15 but rather 12.6 (Ventura)

% sw_vers
ProductName:	macOS
ProductVersion:	12.6.3
BuildVersion:	21G419

Possible Solution

We should limit the device information to show just 'macOS', or 'Windows', so there is no incorrect information displayed in the sessions overview.

Steps to Reproduce (for bugs)

  1. Use a device on Windows 11 or macOS newer than Catalina
  2. Log in to a Django instance and navigate to /account/sessions or check the 'device' column in the sessions table
  3. Observe the incorrect information

mbeijen avatar Feb 27 '23 21:02 mbeijen

Sounds like excluding versions would be best here. Are other browsers following suit here? Or should we do this only for Chrome/Chromium?

WhyNotHugo avatar Oct 05 '23 14:10 WhyNotHugo

It's still possible to detect the correct OS (depending on the client's browser); https://www.whatismybrowser.com/ will tell you that you are using Windows 11.

They also write how it is detected (it is called "client hints"). However, I don't know how much coverage there is from browser developers.

Works with Chrome. (Does not work with Firefox).

I think the most consistent solution is to cut off the version from the user's display.

urzbs avatar Oct 16 '23 23:10 urzbs

> Sounds like excluding versions would be best here. Are other browsers following suit here? Or should we do this only for Chrome/Chromium?

Yeah, indeed it would be best to exclude the version and just show "Windows" or "macOS" or "Linux" or... instead. All major browsers have implemented these anti-fingerprinting measures (Chrome, Firefox, Edge, Safari).

mbeijen avatar Oct 17 '23 06:10 mbeijen
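
A sketch of the version-less labelling the thread converges on, as an added example that is not django-user-sessions' own code: `platform_label`, `UA_PLATFORMS` and `KNOWN_HINTS` are hypothetical names, and every sample user agent except the one quoted in the issue is constructed. It goes slightly beyond the thread by preferring the `Sec-CH-UA-Platform` client hint when one is sent, checked against an allowlist because the header is client-controlled and ends up in the session list shown to the user.

```python
import re

# Checked in order: Android UAs also contain "Linux" and iPhone/iPad UAs
# contain "like Mac OS X", so the more specific tokens must come first.
UA_PLATFORMS = [
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"iPhone|iPad|iPod"), "iOS"),
    (re.compile(r"CrOS"), "Chrome OS"),
    (re.compile(r"Macintosh|Mac OS X"), "macOS"),
    (re.compile(r"Linux|X11"), "Linux"),
]

# Sec-CH-UA-Platform is sent by Chromium-based browsers, not by Firefox.
# It is client-controlled, so only allowlisted values are ever displayed.
KNOWN_HINTS = {"Windows", "macOS", "Linux", "Android", "iOS", "Chrome OS"}


def platform_label(user_agent, ch_platform=None):
    """Return a version-less platform name for the session list, or None."""
    if ch_platform:
        hint = ch_platform.strip().strip('"')
        if hint in KNOWN_HINTS:
            return hint
    for pattern, label in UA_PLATFORMS:
        if pattern.search(user_agent or ""):
            return label
    return None


# First entry is the user agent quoted in the issue; the rest are constructed.
SAMPLES = [
    ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) "
     "Gecko/20100101 Firefox/110.0", None),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36", '"Windows"'),
    ("Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36", None),
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) "
     "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 "
     "Mobile/15E148 Safari/604.1", None),
]

if __name__ == "__main__":
    for ua, hint in SAMPLES:
        print(platform_label(ua, hint), "<-", ua[:45])
```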