Is there any information that can be pulled from a mobile user agent that would uniquely identify the device?
If possible, I'm trying to create a page with PHP that would recognize it's me that's accessing it from my iPhone. Else statement to follow that wouldn't show anything at all.
You can use the next variable:
$_SERVER['HTTP_USER_AGENT']
which is:
This is a string denoting the user agent which is accessing the page.
You can use it like this:
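// The header is sent by the client and may be missing, so default to an empty string.
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if( strstr($ua,'Android') ) //Android
{
    // output for Android browsers
}
elseif( strstr($ua,'iPhone') ) //iPhone
{
    // output for iPhone browsers
}
else
{
    // output for everything else
}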
I used this on a couple of projects. It might be too bloated for your needs, but you can exclude the browser detecting functions you don't need.
Besides detecting the browser, it also detects the version.
If you're using the "out of the box" browser that came with your phone then it is not possible to uniquely identify your device based on the User-Agent string alone.
A User-Agent string only identifies the type, version, and details about the browser you're using. Since many thousands or millions of people may be using this exact same browser, it's not unique and therefore is a very poor choice for a security authorization token.
For example the user agent string for a Samsung Galaxy S3 is:
Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-I9300 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
This describes the browser's build information and compatibility, but is unique only to the build which is installed on several thousands or millions of devices.
Because there's nothing truly unique about the user-agent string, I'd recommend not using it to provide any level of security. At the very least I'd recommend implementing HTTP Basic Authentication. Be sure to enable SSL when using HTTP Basic Authentication, since your username and password are sent over HTTP encoded but unencrypted and are vulnerable to being intercepted.
If you're protecting a site which needs real security guarantees, I recommend that you not try to "roll your own" authentication scheme unless you're a security expert. I'd recommend using a security framework such as OWASP's ESAPI, or another well-tested framework. There is a long list of ways to get it wrong when building an authentication system, so it's best to use one which has been thoroughly tested before deploying it into a production environment.
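The HTTP Basic Authentication approach recommended in the last answer, as an added example that is not part of the original posts: the page is shown only over HTTPS to a caller who presents the right credentials, and everyone else gets an empty response. The environment variable names `PRIVATE_PAGE_USER` and `PRIVATE_PAGE_PW_HASH`, the realm name and the helper function names are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Assumptions (hypothetical names): the expected user name and a hash made
// with password_hash() are supplied through the environment variables
// PRIVATE_PAGE_USER and PRIVATE_PAGE_PW_HASH, never hard-coded in the page.

function isHttps(array $server): bool
{
    // Basic credentials are only base64-encoded, so refuse plain HTTP.
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function isAuthorized(array $server, string $user, string $pwHash): bool
{
    // PHP fills PHP_AUTH_USER / PHP_AUTH_PW from the Authorization header.
    $givenUser = (string) ($server['PHP_AUTH_USER'] ?? '');
    $givenPw   = (string) ($server['PHP_AUTH_PW'] ?? '');

    // Run both comparisons before combining them, so a wrong user name
    // does not skip the password check.
    $userOk = hash_equals($user, $givenUser);
    $pwOk   = password_verify($givenPw, $pwHash);
    return $user !== '' && $pwHash !== '' && $userOk && $pwOk;
}

function deny(int $status, array $headers = []): void
{
    http_response_code($status);
    foreach ($headers as $h) {
        header($h);
    }
    exit; // empty body: nothing at all is shown to anyone else
}

$user   = (string) getenv('PRIVATE_PAGE_USER');
$pwHash = (string) getenv('PRIVATE_PAGE_PW_HASH');

if (!isHttps($_SERVER)) {
    deny(403);
}
if (!isAuthorized($_SERVER, $user, $pwHash)) {
    deny(401, ['WWW-Authenticate: Basic realm="private", charset="UTF-8"']);
}

// The User-Agent is still readable, but only as a display hint, not as proof of identity.
$ua     = (string) ($_SERVER['HTTP_USER_AGENT'] ?? '');
$device = stripos($ua, 'iPhone') !== false ? 'iPhone' : 'other device';
echo 'Hello, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), ' (', $device, ')';
```

Under some CGI/FastCGI setups the web server does not pass the Authorization header through, so `PHP_AUTH_USER` stays empty until the server is configured to forward it.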