Applet Fingerprinting

For Albion I wanted to make it as easy as possible for a player to save their progress, without requiring registration. The usual methods are:

1. Write to the local hard drive.
2. Use the persistence service (muffins).
3. Use the browser’s cookies.

All of these have various downsides of some sort. For ‘1’, you need to sign you applet, which prompts the usual scary security dialogs. For ‘2’ this is only available for JNLP applets, which are less robust and less well supported, plus it doesn’t work when you’re running via your IDE. For ‘3’ you have to deal with browser and javascript quirks and incompatibilities, and the user might have them switched off anyway.

So, inspired by panopticlick I decided to see if it was possible to generate a unique fingerprint for a system from within the applet sandbox. Here’s my applet fingerprint:

http://www.triangularpixels.com/Junk/Fingerprint.png

And you can generate your own fingerprint here.

And heres my fingerprint:

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50t8BDM/LcEnACAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAIAAAABAAAAAsAAAAPAAAABAAAAAQAAAAIAAAAAAAAAAMAAAABAAAABwAAAAkAAAAeAAAAAwAAAAEAAAAHAAAAAAAAAAIAAAATAAAABQAAAAEAAAAEAAAAAgAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAXdAAMZGV2aWNlMFdpZHRodAAEMTkyMHQAD3dpbi5tZW51LmhlaWdodHQAAjE5dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAQGphdmEuYXd0LkZvbnRbZmFtaWx5PVNlZ29lIFVJLG5hbWU9U2Vnb2UgVUksc3R5bGU9cGxhaW4sc2l6ZT0xMl10AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAABNHQAFWF3dC53aGVlbE1vdXNlUHJlc2VudHQABHRydWV0AAtkZXZpY2UwTmFtZXQACVxEaXNwbGF5MHQADmRldmljZTBSZWZyZXNodAACNTl0AAdvcy5uYW1ldAAJV2luZG93cyA3dAANZGV2aWNlMEhlaWdodHQABDEyMDB0ABx3aW4uZnJhbWUuY2FwdGlvbkdyYWRpZW50c09ucQB+ABV0ABh3aW4ubWVudS5iYWNrZ3JvdW5kQ29sb3J0ACFqYXZhLmF3dC5Db2xvcltyPTI0MCxnPTI0MCxiPTI0MF10AApvcy52ZXJzaW9udAADNi4xdAAXd2luLnhwc3R5bGUudGhlbWVBY3RpdmVxAH4AFXQAFWF3dC5mb250LmRlc2t0b3BoaW50c3QAa3tUZXh0LXNwZWNpZmljIExDRCBjb250cmFzdCBrZXk9MTIwLCBUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PUxDRCBIUkdCIGFudGlhbGlhc2luZyB0ZXh0IG1vZGV9dAAHb3MuYXJjaHQAA3g4NnQAGGF3dC5maWxlLnNob3dIaWRkZW5GaWxlc3EAfgAVdAAMamF2YS52ZXJzaW9udAAIMS42LjBfMTh0ABZhd3QubXVsdGlDbGlja0ludGVydmFsdAADNTAwdAAbd2luLmRlc2t0b3AuYmFja2dyb3VuZENvbG9ydAAbamF2YS5hd3QuQ29sb3Jbcj0wLGc9MCxiPTBddAALamF2YS52ZW5kb3J0ABVTdW4gTWljcm9zeXN0ZW1zIEluYy50ABZhd3QuZmlsZS5zaG93QXR0cmliQ29sdAAFZmFsc2V4

At the moment, the fingerprint is broken down into different sections (as represented by the different colours, left to right):

• Blue is windows settings (font size, colours, etc.)
• Yellow are os properties (name, version, architecture)
• Red is VM properties (vendor, version, url)
• Cyan is display info (number of displays, resolution, etc.)
• Light blue is awt info (desktop hints, click interval, etcl)
• Green is a histogram of all the available font families on a system.

Most of these are stored as hashes, and mapping them onto actual heights for display is somewhat arbitrary but that’s just for visualisation purposes.

I’m still not sure how unique these fingerprints are, so I’d like to get as many people as possible to visit the applet and share their fingerprint so I can tweak the algorithm. I expect fingerprints from similar spec machines to be similar (ie. two fingerprints from Win7 with JRE6 will look pretty close), but for Albion I’ll be tying it with IP as well so the combination should work out to be unique. If anyone’s got any ideas for additional (applet readable!) state then I’m open to suggestions.

I’ll be posting the source too once I’ve gone over it and cleaned it up a bit.

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50t8BDM/LcEnACAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAXAAAAHwAAAB8AAAAGAAAABQAAAAUAAAASAAAAGAAAAAQAAAABAAAACQAAAA8AAAAZAAAABAAAAAYAAAAOAAAAAAAAAAQAAAAVAAAACQAAAAAAAAABAAAABQAAAAAAAAAAAAAAAnNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAOdAAMZGV2aWNlMFdpZHRodAAEMTQ0MHQAC2RldmljZUNvdW50dAABMXQAD2phdmEudmVuZG9yLnVybHQAFWh0dHA6Ly93d3cuYXBwbGUuY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAABM3QAC2RldmljZTBOYW1ldAAJXERpc3BsYXkwdAAOZGV2aWNlMFJlZnJlc2h0AAEwdAAHb3MubmFtZXQACE1hYyBPUyBYdAANZGV2aWNlMEhlaWdodHQAAzkwMHQACm9zLnZlcnNpb250AAYxMC42LjN0ABVhd3QuZm9udC5kZXNrdG9waGludHN0AD17VGV4dC1zcGVjaWZpYyBhbnRpYWxpYXNpbmcgZW5hYmxlIGtleT1BbnRpYWxpYXNlZCB0ZXh0IG1vZGV9dAAHb3MuYXJjaHQABng4Nl82NHQADGphdmEudmVyc2lvbnQACDEuNi4wXzIwdAAWYXd0Lm11bHRpQ2xpY2tJbnRlcnZhbHQAAzUwMHQAC2phdmEudmVuZG9ydAAKQXBwbGUgSW5jLng=

How does this help with saving? Are you saving the fingerprint in a DB or something? I still don’t get how that would really help.

Yeah, the fingerprint will be used as the key in the server database for the player’s save info. This is usually how it’s done with cookies (with only the id stored in the cookie) but here because the fingerprint is stable it doesn’t need to be stored and can just be regenerated each run.

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAIAAAABAAAAAsAAAAPAAAABAAAAAQAAAAKAAAAAAAAAAMAAAABAAAABgAAAAgAAAAdAAAAAwAAAAEAAAAEAAAAAAAAAAIAAAASAAAABQAAAAEAAAAEAAAAAgAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAXdAAMZGV2aWNlMFdpZHRodAAEMTY4MHQAD3dpbi5tZW51LmhlaWdodHQAAjE5dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAQGphdmEuYXd0LkZvbnRbZmFtaWx5PVNlZ29lIFVJLG5hbWU9U2Vnb2UgVUksc3R5bGU9cGxhaW4sc2l6ZT0xMl10AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAACMTZ0ABVhd3Qud2hlZWxNb3VzZVByZXNlbnR0AAR0cnVldAALZGV2aWNlME5hbWV0AAlcRGlzcGxheTB0AA5kZXZpY2UwUmVmcmVzaHQAAjYwdAAHb3MubmFtZXQACVdpbmRvd3MgN3QADWRldmljZTBIZWlnaHR0AAQxMDUwdAAcd2luLmZyYW1lLmNhcHRpb25HcmFkaWVudHNPbnEAfgAVdAAYd2luLm1lbnUuYmFja2dyb3VuZENvbG9ydAAhamF2YS5hd3QuQ29sb3Jbcj0yNDAsZz0yNDAsYj0yNDBddAAKb3MudmVyc2lvbnQAAzYuMXQAF3dpbi54cHN0eWxlLnRoZW1lQWN0aXZlcQB+ABV0ABVhd3QuZm9udC5kZXNrdG9waGludHN0AGt7VGV4dC1zcGVjaWZpYyBMQ0QgY29udHJhc3Qga2V5PTEyMCwgVGV4dC1zcGVjaWZpYyBhbnRpYWxpYXNpbmcgZW5hYmxlIGtleT1MQ0QgSFJHQiBhbnRpYWxpYXNpbmcgdGV4dCBtb2RlfXQAB29zLmFyY2h0AAN4ODZ0ABhhd3QuZmlsZS5zaG93SGlkZGVuRmlsZXNxAH4AFXQADGphdmEudmVyc2lvbnQACDEuNi4wXzIwdAAWYXd0Lm11bHRpQ2xpY2tJbnRlcnZhbHQAAzUwMHQAG3dpbi5kZXNrdG9wLmJhY2tncm91bmRDb2xvcnQAG2phdmEuYXd0LkNvbG9yW3I9MCxnPTAsYj0wXXQAC2phdmEudmVuZG9ydAAVU3VuIE1pY3Jvc3lzdGVtcyBJbmMudAAWYXd0LmZpbGUuc2hvd0F0dHJpYkNvbHQABWZhbHNleA==

While interesting idea and research of EFF, this will break very easily for your purposes. Also many users have dynamic IPs or are just connecting from different networks. The problem is that the original idea is about connecting the previous information based on probability, so it works only with masses with certain (big) error. This can’t be used if you need to precisely identify someone’s browser.

Just use cookies, with some detection and warning if they’re disabled (or just specify you’re using cookies for saving game). Most users have cookies enabled anyway, especially causal gamers. Also add ability to register account so users can play from different computer if they opt to.

Why can’t a user just type in a login name if you’ve already got a DB? I guess it’s nice to be automatic but it doesn’t seem like you’re gaining too much here.

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAPAAAABwAAAAQAAAAGAAAAAgAAAAMAAAAEAAAAAAAAAAEAAAAAAAAAFQAAADwAAAAKAAAABAAAAAEAAAADAAAAAAAAAAIAAAAIAAAABwAAABUAAAAEAAAABAAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAASdAANZGV2aWNlMUhlaWdodHQAAzkwMHQADGRldmljZTBXaWR0aHQABDE5MjB0AAtkZXZpY2VDb3VudHQAATJ0AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAACMTZ0AAtkZXZpY2UwTmFtZXQABDowLjB0AA5kZXZpY2UwUmVmcmVzaHQAATB0AAdvcy5uYW1ldAAFTGludXh0AA5kZXZpY2UxUmVmcmVzaHQAATB0AA1kZXZpY2UwSGVpZ2h0dAAEMTA4MHQAC2RldmljZTFOYW1ldAAEOjAuMXQACm9zLnZlcnNpb250ABEyLjYuMzItMjItZ2VuZXJpY3QAFWF3dC5mb250LmRlc2t0b3BoaW50c3QAR3tUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PUxDRCBIUkdCIGFudGlhbGlhc2luZyB0ZXh0IG1vZGV9dAAMZGV2aWNlMVdpZHRodAAEMTQ0MHQAB29zLmFyY2h0AAVhbWQ2NHQADGphdmEudmVyc2lvbnQACDEuNi4wXzIwdAAWYXd0Lm11bHRpQ2xpY2tJbnRlcnZhbHQAAzIwMHQAC2phdmEudmVuZG9ydAAVU3VuIE1pY3Jvc3lzdGVtcyBJbmMueA==

So if a user plays on a different machine they’d have a different set of save info? What about if they just installed some new fonts?

Well that’s what this thread is about - trying to gather data from people to see how unique (or not) these fingerprints are.

[quote]Just use cookies, with some detection and warning if they’re disabled (or just specify you’re using cookies for saving game). Most users have cookies enabled anyway, especially causal gamers. Also add ability to register account so users can play from different computer if they opt to.
[/quote]
Cookies require per-browser and per-os testing, which I just don’t have the time and hardware to pull off.

Just typing a username is unreliable because there’s lots of people who’ll just type in their (common) first name so i’ll get people playing with different user’s data. Adding a username+password combo is reliable but from what I’ve personally seen a lot of players are instantly turned off and with close the game straight away. The idea is to use this to get people playing straight away, and provide an option for entering a username / password at any later point, but until they do the fingerprint + IP will have a reasonably good chance of restoring their game.

I suppose just asking for the user’s name would also make the fingerprint matching better, but I’m not sure I want the extra step for the user.

Different machine == different save.
Minor system changes (installing / removing fonts, upgrading VM) should be ok, since I can directly compare the code points / minutia between fingerprints and get a difference value (eg. installing a new font would make the fingerprint differ by 1). Changes under a certain threshold will be considered to be the same system.

It seems like everyone’s programmer OCD just has to come up with the convoluted edge cases where this will have issues. I’m already aware of them but frankly I don’t think they matter for what I’m after here.

I wanted to do the same thing with one of my games to store the user’s high score and tried using the MAC address of the users computer - this worked fine on some machines but stopped the program from running at all on other computers (apple). In the end I game up:(

Pretty cool. Here’s mine:

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAAMAAAAFgAAABgAAAAJAAAACgAAAA4AAAARAAAABAAAAAUAAAADAAAABgAAAAwAAAAkAAAABQAAAAMAAAAMAAAAAAAAAAcAAAARAAAACQAAAAAAAAAFAAAABQAAAAAAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAXdAAMZGV2aWNlMFdpZHRodAAEMTQ0MHQAD3dpbi5tZW51LmhlaWdodHQAAjE5dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAQGphdmEuYXd0LkZvbnRbZmFtaWx5PVNlZ29lIFVJLG5hbWU9U2Vnb2UgVUksc3R5bGU9cGxhaW4sc2l6ZT0xMl10AA9qYXZhLnZlbmRvci51cmx0ABRodHRwOi8vamF2YS5zdW4uY29tL3QAFGF3dC5tb3VzZS5udW1CdXR0b25zdAABM3QAFWF3dC53aGVlbE1vdXNlUHJlc2VudHQABHRydWV0AAtkZXZpY2UwTmFtZXQACVxEaXNwbGF5MHQADmRldmljZTBSZWZyZXNodAACNjB0AAdvcy5uYW1ldAANV2luZG93cyBWaXN0YXQADWRldmljZTBIZWlnaHR0AAM5MDB0ABx3aW4uZnJhbWUuY2FwdGlvbkdyYWRpZW50c09ucQB+ABV0ABh3aW4ubWVudS5iYWNrZ3JvdW5kQ29sb3J0ACFqYXZhLmF3dC5Db2xvcltyPTI0MCxnPTI0MCxiPTI0MF10AApvcy52ZXJzaW9udAADNi4wdAAXd2luLnhwc3R5bGUudGhlbWVBY3RpdmVxAH4AFXQAFWF3dC5mb250LmRlc2t0b3BoaW50c3QAa3tUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PUxDRCBIUkdCIGFudGlhbGlhc2luZyB0ZXh0IG1vZGUsIFRleHQtc3BlY2lmaWMgTENEIGNvbnRyYXN0IGtleT0xMjB9dAAHb3MuYXJjaHQAA3g4NnQAGGF3dC5maWxlLnNob3dIaWRkZW5GaWxlc3QABWZhbHNldAAMamF2YS52ZXJzaW9udAAIMS42LjBfMjB0ABZhd3QubXVsdGlDbGlja0ludGVydmFsdAADNDgwdAAbd2luLmRlc2t0b3AuYmFja2dyb3VuZENvbG9ydAAbamF2YS5hd3QuQ29sb3Jbcj0wLGc9MCxiPTBddAALamF2YS52ZW5kb3J0ABVTdW4gTWljcm9zeXN0ZW1zIEluYy50ABZhd3QuZmlsZS5zaG93QXR0cmliQ29scQB+ACl4

Just ask for an email address. Make the password optional. Also only ask for it at the point they want to save. If people get to that point then they have invested enough time that entering an email address will not be that much bother. People only tend to be turned off by registration systems that take too much time. ie arbitrary rules for password characters or short lengths for user names.

rO0ABXNyABlhbGJpb24uY29tbW9uLkZpbmdlcnByaW50AAAAAAAAAAECAAJbAA1mb250SGlzdG9ncmFtdAACW0lMAAdtaW51dGlhdAAPTGphdmEvdXRpbC9NYXA7eHB1cgACW0lNumAmduqypQIAAHhwAAAAGwAAAAAAAAADAAAAAwAAAAMAAAAEAAAAAAAAAAAAAAACAAAAAQAAAAEAAAAAAAAAAAAAAAQAAAAFAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAFAAAAAwAAAAAAAAACAAAABAAAAAEAAAAAAAAAAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAABh3CAAAACAAAAAWdAAMZGV2aWNlMFdpZHRodAAEMTAyNHQAD3dpbi5tZW51LmhlaWdodHQAAjE4dAALZGV2aWNlQ291bnR0AAExdAANd2luLm1lbnUuZm9udHQAPGphdmEuYXd0LkZvbnRbZmFtaWx5PVRhaG9tYSxuYW1lPVRhaG9tYSxzdHlsZT1wbGFpbixzaXplPTExXXQAD2phdmEudmVuZG9yLnVybHQAFGh0dHA6Ly9qYXZhLnN1bi5jb20vdAAUYXd0Lm1vdXNlLm51bUJ1dHRvbnN0AAEzdAAVYXd0LndoZWVsTW91c2VQcmVzZW50dAAEdHJ1ZXQAC2RldmljZTBOYW1ldAAJXERpc3BsYXkwdAAOZGV2aWNlMFJlZnJlc2h0AAI3NXQAB29zLm5hbWV0AAxXaW5kb3dzIDIwMDB0AA1kZXZpY2UwSGVpZ2h0dAADNzY4dAAcd2luLmZyYW1lLmNhcHRpb25HcmFkaWVudHNPbnEAfgAVdAAYd2luLm1lbnUuYmFja2dyb3VuZENvbG9ydAAhamF2YS5hd3QuQ29sb3Jbcj0yMTIsZz0yMDgsYj0yMDBddAAKb3MudmVyc2lvbnQAAzUuMHQAFWF3dC5mb250LmRlc2t0b3BoaW50c3QARntUZXh0LXNwZWNpZmljIGFudGlhbGlhc2luZyBlbmFibGUga2V5PURlZmF1bHQgYW50aWFsaWFzaW5nIHRleHQgbW9kZX10AAdvcy5hcmNodAADeDg2dAAYYXd0LmZpbGUuc2hvd0hpZGRlbkZpbGVzcQB+ABV0AAxqYXZhLnZlcnNpb250AAgxLjYuMF8xNnQAFmF3dC5tdWx0aUNsaWNrSW50ZXJ2YWx0AAM1MDB0ABt3aW4uZGVza3RvcC5iYWNrZ3JvdW5kQ29sb3J0ACBqYXZhLmF3dC5Db2xvcltyPTU4LGc9MTEwLGI9MTY1XXQAC2phdmEudmVuZG9ydAAVU3VuIE1pY3Jvc3lzdGVtcyBJbmMudAAWYXd0LmZpbGUuc2hvd0F0dHJpYkNvbHQABWZhbHNleA==

I like the idea, but I can’t ever see it being reliable for the reasons given above. I don’t think people mind registering if they think it’s worth it. The funorb system of play unregistered but register to save games (& other benefits) is a good one.

Man, you guys need to actually watch users (proper users, not your tech-savy friends) and how they behave. And I do mean watch, not just sit over their shoulder giving them instructions at every step.

Ask for an email address before gameplay? -> Browser closed, user gone.
Ask for username and registration before gameplay? -> Browser closed, user gone.
Force use to manually save? -> user never saves.
Popup telling user ‘game will not be saved until you enable cookies / javascript’? -> Popup ignored, user probably gone.

If those are problems. why not have the player name their character/gun/ship/whatever some name that must be unique, but when they start give them a default (combination of 3 random words from a 1,000 item list or something)?

For example, if you have a spaceship game when the game starts up their ship could be named IllegalMonsterNail or something, and they have the option at any point to type in a different ship name (that must be unique to your DB). Use IllegalMonsterNail as the key for the DB and whenever they change the name use that instead.

I guess the main problem for you is asking the user for their ship’s name, and/or stopping people from typing in OrangyTangsShip to access your account.

But still, it seems like if you make it seem like it’s part of the game (“Jump into an existing ship!” “What’s the ship’s name?”) rather than “Please log in” then most people won’t even notice.

I was with you up to the last point. I would just use cookies. If you are targeting normal users, normal users have cookies and javascript enabled.

Aside: are local user prefs not allowed for sandboxed applets?

Cas

nope, the Preference API is not allowed from the sandbox.

If you launch your applets with a jnlp file (new stuff in plugin2) then you can use JWS muffins for local storage (you get 250kb). However using jnlp for applets isn’t that nice. It would be nice if they allowed access to muffins using just the normal applet tag, maybe via parameter if not by default.

The javascript bridge is pretty good now for applets so cookies look like the easiest way to handle this problem (html5 web storage is looking pretty good too now and might be the way to go once it becomes a bit more widespread).

Another idea you might want to explore is Flash. It gives you 100kb of local storage and available almost everywhere, so you could use a hidden flash element and just pass the information via javascript to it and allow it to store it for you (yeh its a long shot, but hey it’ll work :)).

This finger printing looks like an interesting idea method but sounds like it might break easily if something on the system changes.

JavaFX allows saving without a security popup I believe.

It’s even more annoying than that though - ServiceManager.getServiceNames() actually returns (amongst other things) ‘PersistenceService’, which implies it’s actually available, but trying to actually lookup the service will fail. (As opposed to a regular client app, where the list of service names will be empty).

It really looks like it should be available to applets, but someone was sloppy and forgot to call an initialisation function somewhere. >:(

Im with demonpants. Just be like, “what willy ou name your character?”, and there you got a username.